Set Security Protocols for Your Messaging for Web Deployment
To successfully use Messaging for Web, add your experience site or external website
domain to a Cross-Origin Resource Sharing (CORS) allowlist. If you change your domain, remember to
update the CORS allowlist.
The CORS allowlist lets JavaScript code in a web browser request resources from other
origins, such as supported Salesforce APIs, Apex REST resources, and Lightning Out.
You must add any domain that you use, from testing to
production, to your CORS allowlist. For example, if you start in a sandbox and then deploy to
production, add both the sandbox and the production domains.
Add Your External Website Domain to a CORS Allowlist
After completing setup, add your domain to the CORS allowlist. Add CORS allowlist
entries for the URLs of the pages where you deploy messaging. The page you add is where customers
access the messaging window. The origin URL pattern must include the HTTP or HTTPS protocol and a
domain name. The wildcard character (*) is supported and must be in front of a second-level
domain name. For example, https://*.example.com adds all subdomains of example.com to the
allowlist.
1. From Setup, enter CORS in the Quick Find box, and then select CORS.
2. Select New.
3. Enter an origin URL pattern.
4. Save your work.
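The origin URL pattern rules in this section can be checked against your planned entries and deployment pages before you add them in Setup. The following JavaScript is an added example, not Salesforce code: the function names, the sample domains, and the matching semantics (a wildcard covers subdomains at any depth but not the bare domain, and ports are not handled) are assumptions based only on the rules stated on this page.

```javascript
// Added example: audits planned CORS allowlist entries against the rules on
// this page. Names and matching semantics are assumptions, not Salesforce's.

// Validate one origin URL pattern: http(s) protocol, a domain name, and an
// optional leading "*." wildcard.
function validatePattern(pattern) {
  const m = /^(https?):\/\/(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)$/i.exec(pattern);
  if (!m) return { ok: false, reason: "expected http(s)://domain" };
  const host = m[3].toLowerCase();
  // The wildcard must sit in front of a second-level domain, so at least
  // "name.tld" has to follow it (simplified: no public-suffix list).
  if (m[2] && host.split(".").length < 2) {
    return { ok: false, reason: "wildcard must precede a second-level domain" };
  }
  return { ok: true, scheme: m[1].toLowerCase(), wildcard: Boolean(m[2]), host };
}

// True when the page's origin is covered by at least one valid pattern.
function originCovered(pageUrl, patterns) {
  const u = new URL(pageUrl);
  const scheme = u.protocol.slice(0, -1);
  const host = u.hostname.toLowerCase();
  return patterns.some((p) => {
    const v = validatePattern(p);
    if (!v.ok || v.scheme !== scheme || u.port !== "") return false;
    return v.wildcard ? host.endsWith("." + v.host) : host === v.host;
  });
}

// Report entries that break the rules and pages that no entry covers.
function auditAllowlist(pageUrls, patterns) {
  return {
    invalid: patterns.filter((p) => !validatePattern(p).ok),
    uncovered: pageUrls.filter((u) => !originCovered(u, patterns)),
  };
}

// Constructed sample data: planned entries and sandbox/production pages.
const samplePatterns = ["https://*.example.com", "https://*.com",
                        "example.com", "https://help.example.org"];
const samplePages = ["https://support.example.com/contact", "https://example.com/",
                     "https://sandbox.example.net/chat", "https://help.example.org/"];
console.log(auditAllowlist(samplePages, samplePatterns));
```

In the sample, https://*.com and the protocol-less example.com are reported as invalid entries, and the bare example.com page and the sandbox.example.net page are reported as uncovered.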
Add Your Experience Builder Site Domain to a CORS Allowlist
After completing setup, add your Experience Builder site domain to your CORS allowlist.
If you notice an issue with the *.live-preview domain, add that domain to the CORS allowlist.
1. To confirm your site domain, from Setup, enter Digital Experiences in the Quick Find box, and then select Settings. Copy the URL from the Domain section.
2. From Setup, enter CORS in the Quick Find box, and then select CORS.
3. Select New.
4. Enter an origin URL pattern.
5. Save your work.