CORS is supported by using the allowedOrigins key in the JSON request made on the /gateway/sessions/session interface to obtain a session ID.
The value of allowedOrigins is a comma-separated list of the origins from which cross-realm JavaScript calls are permitted. If it is null or empty, there is no restriction.
For security reasons, the JSON request should be made from a server-side application that can authenticate the client. For instance, a server app could use PHP to request the session token and pass it into the JavaScript side of the app.
Making the request in JavaScript from a web page is inherently insecure because the Web Application ID will be publicly visible. We therefore recommend that it is known only to the server-side app making the session ID requests on behalf of the clients.
Furthermore, we don't support pre-flight OPTIONS requests on the /gateway/sessions/session interface.
Attached is a PHP file that will provide a session ID for a Live Assist consumer service.
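Because a null or empty allowedOrigins removes the restriction altogether, the server-side code should refuse to send a session request whose origin list ends up empty or malformed. The following is an added example, not the attached file and not Live Assist code: the function names are hypothetical, the origins are constructed samples, and it assumes the list is sent as a single comma-separated string as described above; any other fields of the session request are supplied by the caller.

```php
<?php
declare(strict_types=1);

// Normalise one origin to scheme://host[:port]; reject anything else.
function normalise_origin(string $origin): string
{
    $parts = parse_url(trim($origin));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Not an origin: $origin");
    }
    // An origin carries no path, query, fragment or credentials.
    foreach (['path', 'query', 'fragment', 'user', 'pass'] as $extra) {
        if (isset($parts[$extra])) {
            throw new InvalidArgumentException("Use scheme://host[:port] only: $origin");
        }
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'https' && $scheme !== 'http') {
        throw new InvalidArgumentException("Unsupported scheme: $origin");
    }
    if (strpos($parts['host'], '*') !== false) {
        throw new InvalidArgumentException("Wildcards are not accepted: $origin");
    }
    $out = $scheme . '://' . strtolower($parts['host']);
    return isset($parts['port']) ? $out . ':' . $parts['port'] : $out;
}

// Build the comma-separated allowedOrigins value, refusing an empty result.
function allowed_origins_value(array $origins): string
{
    $clean = array_values(array_unique(array_map('normalise_origin', $origins)));
    if ($clean === []) {
        // Null or empty means "no restriction", so never send it by accident.
        throw new InvalidArgumentException('allowedOrigins would be empty (unrestricted)');
    }
    return implode(',', $clean);
}

// Merge the value into the caller's session request fields and encode as JSON.
function session_request_json(array $otherFields, array $origins): string
{
    $otherFields['allowedOrigins'] = allowed_origins_value($origins);
    return json_encode($otherFields, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

// Constructed sample input: a duplicate that differs only in case, plus a custom port.
$sample = ['https://App.example.com', 'https://app.example.com', 'https://support.example.com:8443'];
echo session_request_json([], $sample), PHP_EOL;
```

Entries such as `*`, `null`, or a URL with a trailing path raise an exception instead of being passed through, so a configuration mistake fails the session request on the server rather than silently widening the allowed origins.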