- Identity Service Help
- Overview
- Implementation
- Implementation methods
- Implementation guides
- Implement with Experience Platform tags
- Implement for Analytics
- Implement for Target
- Implement for Analytics and Audience Manager
- Implement for Analytics, Audience Manager, and Target
- Using the ID Service with A4T and a Server-side Implementation of Target
- Direct Integration with the ID Service
- Direct Integration Use Cases
- Test and verify the ID Service
- Opt-in Service
- ID Service API
- ID Service API Overview
- Configuration
- Configurations overview
- audienceManagerServer and audienceManagerServerSecure
- cookieDomain
- cookieLifetime
- disableIdSyncs
- disableThirdPartyCalls
- disableThirdPartyCookies
- idSyncAttachIframeOnWindowLoad
- idSyncContainerID
- idSyncSSLUseAkamai
- loadTimeout
- overwriteCrossDomainMCIDAndAID
- resetBeforeVersion
- sdidParamExpiry
- Secure and SameSite configurations
- secureCookie
- useCORSOnly
- whitelistParentDomain and whitelistIframeDomains
- Methods
- Methods
- appendSupplementalDataIDTo
- appendVisitorIDsTo (Cross-Domain Tracking)
- callTimeOut Methods
- ID Synchronization by URL or Data Source
- getInstance
- getAnalyticsVisitorID
- getCustomerIDs
- setCustomerIDs
- getMarketingCloudVisitorID
- getLocationHint
- getVisitorValues
- isClientSideMarketingCloudVisitorID
- resetState
- Reference
- Reference Overview
- Analytics Reference
- Analytics Reference Overview
- CNAME Implementation Overview
- Setting Analytics and Experience Cloud IDs
- Order of Operations for Analytics IDs
- ID Service Migration Decision Points
- ID Service Migration Scenarios
- Analytics and Identity Requests
- Server-side Implementation Mixed with JavaScript
- The ID Service Grace Period
- Google Chrome SameSite labelling changes
- Content Security Policies and the ID Service
- COPPA Support in the ID Service
- CORS Support in the ID Service
- Customer IDs and Authentication States
- ECID library methods in a Safari ITP world
- Identifying Unique Visitors
- Get Region and User IDs From the AMCV Cookie or the ID Service
- Requirements for the ID Service
- Video Heartbeat and the ID Service
- Data Workbench and the ID Service
- SHA256 Hashing Support for setCustomerIDs
- FAQs
- Release notes for ID Service
CORS Support in the Experience Cloud Identity Service
Browsers use Cross Origin Resource Sharing (CORS) to request resources from a domain other than the current domain. The Experience Cloud Identity Service supports CORS standards that enable these client-side, cross-origin resource requests. The ID service reverts to JSONP requests on older browsers or browsers that do not support CORS.
Problems with Same-Origin Policies and ID Service Requests
Same-origin policies are security controls or restrictions enforced by a web browser. When enforced on this level, the web browser itself determines if a request for resources made from one page to another will be permitted or blocked. To determine if a request is a same-origin request, the browser compares:
- Uniform Resource Identifiers (URIs)
- Host names (e.g., http://www.my-webpage-example.com)
- Port numbers (e.g., port 80 and 440 for HTTP and HTTPS requests)
The browser allows a request to succeed if both pages share these characteristics and blocks resource requests if they do not.
CORS Resolves Problems with Same-Origin Policies
CORS provides a secure, effective way to request resources across different domains. The CORS specification includes a set of HTTP headers that browsers use to send, receive, and evaluate resource requests. Evaluating a resource request is called a preflight check. This check lets browsers and servers determine which requests are allowed or blocked. The preflight check is transparent to the app, API, or script that requests a resource. Two headers that are important in the resource request process include:
Origin: A request header that identifies the source of a request.Access-Control-Allow-Origin: A response header that indicates if a resource can be shared with the requestor.
Let’s take a look at how these headers work. In this example, say we have a financial services company that has implemented the Experience Cloud ID service on their site, www.finance-website.com. The following table defines how the CORS request and response headers check for access to a resource.
| Action | Description |
|---|---|
| Request |
As finance company page loads, the browser makes a request to dpm.demdex.net. This is a call to the domain of the data collection servers (DCS) used by the ID service. This cross-domain request includes the header:
|
| Response |
The response from the DCS domain includes these headers that give the finance company's site access to required resources:
|
See also useCORSOnly.
Other Benefits of Using CORS
The table below describes some of the advantages CORS provides to customers who use the ID service.
| Benefit | Description |
|---|---|
| Increased Security |
CORS uses XMLHttpRequest to request and transfer data. This method is more secure than a JSONP request. It ensures that there is no way to execute arbitrary JavaScript, which might be contained in the response from the DCS. The CORS XMLHttpRequest response payload is parsed by the ID service JavaScript and not simply executed in a callback function.
Note: To accept cookies, the XMLHttpRequest object needs its withCredentials property set to true. This property is supported in Chrome, Firefox, Internet Explorer (v10+), Opera, and Safari. |
| Performance Improvements |
CORS helps improve performance because:
|
