> my first question would not be about the origin but about the embedding itself. The user's input is rendered in the web frontend of blackboard? Why?
I think Blackboard sees this as a convenience feature, i.e. students submit assignments as, say, PDF documents and they can be viewed directly within Blackboard without the extra steps of downloading. Just silly that it works with anything that can interact with web API, but maybe that was requested specifically?
> Is the client js generally allowed to perform http requests outside of the origin domain?
EDIT: By default, yes, but I'm not sure what restrictions can be applied. (I'm misremembering how CORS even works so I took out my previous paragraph.)
In any case, Blackboard probably provided other tools they could use within the domain as well. For example they could probably trigger some sort of user-to-user private messaging and send the token in the body.
I think Blackboard sees this as a convenience feature, i.e. students submit assignments as, say, PDF documents and they can be viewed directly within Blackboard without the extra steps of downloading. Just silly that it works with anything that can interact with web API, but maybe that was requested specifically?
> Is the client js generally allowed to perform http requests outside of the origin domain?
EDIT: By default, yes, but I'm not sure what restrictions can be applied. (I'm misremembering how CORS even works so I took out my previous paragraph.)
In any case, Blackboard probably provided other tools they could use within the domain as well. For example they could probably trigger some sort of user-to-user private messaging and send the token in the body.