Step 1: Enable Resource Sharing Across Domains
Embedded Login entails making web requests outside the website's own boundaries, but for security reasons browsers restrict scripted web requests to the current domain (the same-origin policy). To enable a website to share resources beyond its boundaries, the Salesforce admin adds trusted website domains to Salesforce's Cross-Origin Resource Sharing (CORS) allowlist. CORS is an industry standard that lets a web browser make requests to origins other than the page's own, provided the target server explicitly permits them.
Embedded Login relies on third-party cookies, which most browsers block or restrict. Embedded Login works only in Google Chrome, and only as long as Chrome allows third-party cookies by default.
Embedded Login populates the Access-Control-Allow-Origin response header with the origin (protocol plus domain, and the port if one is listed) specified in the CORS allowlist. If CORS isn't set up, the Access-Control-Allow-Origin header value is set to null, which effectively blocks all cross-origin requests: browsers accept the literal value null only for requests whose own Origin is null (for example, a page in a sandboxed iframe), never for an ordinary website.
For Embedded Login to share resources across boundaries, the origin listed in the CORS allowlist (the value sent in Access-Control-Allow-Origin) must match the origin of the request. An exact match isn't required, though. The following examples show which requests an allowlist entry accepts; the Match? column states whether the request is allowed.
| CORS allowlist entry | Request origin | Match? | Why? |
|---|---|---|---|
| https://salesforce.com | https://salesforce.com:6109 | Yes | Accept requests from all ports in this domain. |
| https://salesforce.com:6109 | https://salesforce.com | No | Accept requests only from port 6109. |
| https://*.salesforce.com | https://trailhead.salesforce.com | Yes | Accept requests from all subdomains in this domain. |
| https://trailhead.salesforce.com | https://salesforce.com | No | The CORS allowlist must list this domain. |
| https://salesforce.com | https://salesforce.com/mySite | Yes | Accept requests from Experience Cloud sites in this domain. |
| https://salesforce.com/mySite | https://salesforce.com | No | Accept requests only from this site. |
| https://salesforce.com/mySite | https://salesforce.com/mySite/login | Yes | Accept requests from the login page of this site in this domain. |
| none | https://salesforce.com/mySite | No | The CORS allowlist must be set up to accept requests from other domains. |
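To make the matching rules in the table concrete, here is an added example (not Salesforce's code) that models them: an allowlist entry is split into protocol, host, optional port and optional path, each request origin is checked against those parts, and the resulting Access-Control-Allow-Origin value is computed. The parsing, the rule that a `*.` wildcard requires at least one subdomain label, the rule that a path entry also accepts sub-paths, and the choice to echo the requesting origin when a wildcard entry matches (browsers require a concrete origin in the header) are this example's assumptions; the table rows are embedded as constructed test data.

```javascript
// Added example, not Salesforce's code: a model of the CORS allowlist
// matching rules in the table above. Parsing, helper names, the wildcard
// and path-prefix rules, and the header value chosen on a wildcard match
// are assumptions made for illustration.

// Split "https://host[:port][/path]" into comparable parts.
function parseEntry(s) {
  const m = /^(https?):\/\/([^/:?#]+)(?::(\d+))?(\/[^?#]*)?$/i.exec(s.trim());
  if (!m) throw new Error(`not an origin or origin+path: ${s}`);
  return {
    scheme: m[1].toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] || "",                       // "" = no port listed
    path: (m[4] || "").replace(/\/+$/, ""), // "" = no path listed; "/x/" -> "/x"
  };
}

// Does one allowlist entry accept this request? Each check mirrors a table row.
function entryMatches(entry, request) {
  const e = parseEntry(entry);
  const r = parseEntry(request);
  if (e.scheme !== r.scheme) return false;          // an origin includes its protocol
  if (e.host.startsWith("*.")) {                     // https://*.salesforce.com
    const suffix = e.host.slice(1);                  // ".salesforce.com"
    // Assumption: the wildcard needs at least one subdomain label.
    if (!r.host.endsWith(suffix) || r.host.length <= suffix.length) return false;
  } else if (e.host !== r.host) {
    return false;                                    // trailhead.salesforce.com != salesforce.com
  }
  if (e.port && e.port !== r.port) return false;     // ":6109" entry accepts only port 6109
  if (e.path && r.path !== e.path && !r.path.startsWith(e.path + "/")) {
    return false;                                    // "/mySite" entry accepts /mySite and below
  }
  return true;
}

// Value for the Access-Control-Allow-Origin response header: the requesting
// origin when some allowlist entry matches, the literal "null" otherwise
// (the behaviour the page describes when no CORS entry applies).
function allowOriginHeader(allowlist, request) {
  if (!allowlist.some((e) => entryMatches(e, request))) return "null";
  const r = parseEntry(request);
  return `${r.scheme}://${r.host}${r.port ? ":" + r.port : ""}`;
}

// The table's rows, constructed here as test data: [entry, request, expected match].
const TABLE = [
  ["https://salesforce.com",           "https://salesforce.com:6109",         true],
  ["https://salesforce.com:6109",      "https://salesforce.com",              false],
  ["https://*.salesforce.com",         "https://trailhead.salesforce.com",    true],
  ["https://trailhead.salesforce.com", "https://salesforce.com",              false],
  ["https://salesforce.com",           "https://salesforce.com/mySite",       true],
  ["https://salesforce.com/mySite",    "https://salesforce.com",              false],
  ["https://salesforce.com/mySite",    "https://salesforce.com/mySite/login", true],
];

// Rows whose computed result disagrees with the table (expected: none).
function checkTable() {
  return TABLE.filter(([entry, req, want]) => entryMatches(entry, req) !== want);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [entry, req] of TABLE) {
    console.log(entry.padEnd(34), req.padEnd(38), allowOriginHeader([entry], req));
  }
  console.log("no allowlist ->", allowOriginHeader([], "https://salesforce.com/mySite"));
  console.log("rows disagreeing with the table:", checkTable().length);
}
```

Run it with `node` to print the header value each table row would produce; the last line of the table (no allowlist entry at all) is covered by the call with an empty list, which yields null. Note that a scheme mismatch (an http:// request against an https:// entry) is also refused, since the protocol is part of the origin.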
- From Setup, in the Quick Find box, enter CORS, then select CORS.
- Click New.
- Enter the domain where Embedded Login is deployed. For example, https://embeddedlogin.herokuapp.com allows access to all pages hosted on embeddedlogin.herokuapp.com. To handle multiple domains, you can use a regular expression to add them all to the allowlist at once, or you can list each domain individually.

Note: By default, browsers cache the Embedded Login JavaScript, including your CORS settings, for 24 hours. You can change how often the cache refreshes with the salesforce-cache-max-age meta tag. If you change the value, test each change by clearing the cache in between or by using an incognito window.