Increasingly we are facing the problem that we need to have a wallboard that shows the status of many PBX servers. What sounded simple in the beginning ended up in an excursion into the world of CORS (Cross-Origin Resource Sharing).

The problem is that browsers have a policy for fetching content from other web sites. The goal was to fetch the graph data and the images from the PBX in the Internet and display them in the wallboard web site.

Browsers fetch a lot of content that does not come from the original web site, e.g. jQuery code or CSS style sheets. Those fetches should be anonymous; however those who have ever places a pixel on a web site know that this is not always the case. However we did not want to include authentication information in the URL itself and instead use a session-based token instead.

A short excursion into JSONP showed how desperate the web world must have gotten already. Because JavaScript is actually executed after loading, just retrieving data e.g. in JSON format is a problem, so they invented the hack to call some global dummy function to make that happen. While this might work for JSON, this will be a problem for the image. There must be something better!

The answer is CORS. There are a few headers that explicitly tell the browser what kind of fetches are allowed and which are not. Instead of using an implicit policy the web servers just do it explicitly. Unfortunately the PBX web server also needs to set a few headers accordingly. This means this feature will be available after the next release.

Ok we have added a little hack that will set the session cookie in response to a REST API command. This is because there is no way to get this done though JavaScript. But apart from that this should be very clean.

But this feature will go beyond the status screen. Actually all REST API commands will fall into this category. This means that together with the third party login, it will now be able to have the web server fetch a token e.g. through PHP, send it to the web browser (without sending any actual credentials), which then can use it with the PBX directly for sending and receiving REST API commands. This could be used for displaying calls lists for that user, show the status of other users and to make and receive calls through WebRTC. Imagine a doctor logged in to some doctor application portal that initiates the third party login and then can handle all sorts of communication all through the same page in the web browser.

This will be a big topic in the future. This will make it easy to integrate WebRTC in every application where it makes sense to use voice in addition to other communication mechanisms. 59.1+ will be ready, thanks to CORS.