Cross‐site access from a visitor browser is usually denied by the same origin policy implemented by the browser. Two resources are considered to be of the same origin if they share the same domain name, port number and protocol. However the HTML <script> element is able to perform content retrieval from foreign origins.
For request to the Call Setup API from a visitor browser, the origin of the Call Setup API will usually differ from that of the customer site that the visitor is visiting. Therefore we need to provide a workaround to the same origin policy.
JSONP (JSON with Padding) and CORS (Cross‐Origin Resource Sharing) provide two ways in which we can provide a workaround to the same origin policy. CORS is a more modern alternative to JSONP and is supported by more modern browsers. This will be supported by the Call API.
The Call API is expected to support any browser version with a market share of 2% or greater. This includes a number of browser versions that do not support CORS. This currently includes:
Level of support for CORS | Browser Version |
---|---|
None | IE7 and earlier Firefox 3.0 and earlier Safari 3.x and earlier Opera 11 and earlier |
Partial | IE8 and IE9 |
For browsers that do not support CORS, JSONP is supported as a fallback. JSONP does not support the POST or DELETE methods, so GET alternatives for the Start Call and End Call API methods have to be provided.
Once all supported browser versions support CORS, support for JSONP will be deprecated.