CORS is supported by using the allowedOrigins key in the JSON request made on the /gateway/sessions/session interface to obtain a session ID.
Making the request in java script from a web page is inherently insecure as the Web Application ID will be publicly visible, hence why we recommend it is only known to the server side App making the session ID requests on behalf of the clients.
Further more we don't support pre-flight Options requests on the /gateway/sessions/session interface.
Attached is a php file that will provide a session ID for a Live Assist consumer service.
Comments are disabled on these articles if you require help contact firstname.lastname@example.org.