Cross Site Scripting issue with CUMI API

This document was generated from CDN thread

Created by: Amit Gupta on 30-10-2012 01:38:12 AM
We need to have a voicemail indicator on our Jabber SDK web-based softphone, for which we are using the CUMI API to send notifications. But when I try to use the snippet below from your API doc, I get an "Access-Control-Allow-Origin not allowed" error.
<pre class="code">// Request notification events for the mailbox
$.ajax({
    type: "POST",
    contentType: "application/xml; charset=utf-8",
    url: "/vmrest/mailbox?method=requestnotification",
    data: "{}",
    dataType: "text",
    success: function (subscriptionId) {
        gSubscriptionId = subscriptionId;
        alert("Requested events for mailbox, subscriptionId=" + subscriptionId);
    }
});</pre>
Here is the doc that I'm referring to: [url=]
Error message: XMLHttpRequest cannot load Origin is not allowed by Access-Control-Allow-Origin.
Do you think it could be an access issue? I do have the following roles for my user ID on the Unity server: Mailbox Access Delegate Account / Remote Admin / System Admin / User Admin.
FYI, the same AJAX call works fine when I change type to GET and dataType to jsonp, but POST is not working for some reason.
Any help would be highly appreciated.

Subject: RE: Cross Site Scripting issue with CUMI API
Replied by: Anil Singh on 30-10-2012 02:01:53 PM
Have you tried sending this request with the header "Access-Control-Allow-Origin"?
e.g. in PHP:
<pre class="code"><?php
header("Access-Control-Allow-Origin: *");</pre>

Let me know if there is still an issue.

-Anil Singh

Subject: RE: Cross Site Scripting issue with CUMI API
Replied by: Amit Gupta on 30-10-2012 02:43:25 PM
Anil, yes, I tried that too, but it didn't work.
Here is my code for your review.
<pre class="code">function requestVoicemailPost() {
    // ... = true;  (the left-hand side of this assignment is missing from the post)
    $.ajax({
        type: 'POST',
        contentType: 'application/xml; charset=utf-8',
        url: '',
        data: '{}',
        dataType: 'text',
        username: 'XXXX',
        // Send cookies / HTTP auth with the cross-origin request
        xhrFields: {
            withCredentials: true
        },
        beforeSend: function (req) {
            req.setRequestHeader('Access-Control-Allow-Origin', '*');
        },
        success: function (subscriptionId) {
            gSubscriptionId = subscriptionId;
            alert('Requested events for mailbox, subscriptionId=' + subscriptionId);
        },
        complete: function (jqXHR, textStatus) {
            alert('complete: ' + textStatus + '  responseText: ' + jqXHR.responseText);
        }
    });
}</pre>
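
Added example, not part of the original thread and not Cisco's code: a sketch of the server-side CORS decision a browser relies on for the credentialed `application/xml` POST discussed above, which triggers a preflight `OPTIONS` request. The origin values, the allowlists and the `corsDecision` and `preflight` helpers are assumptions made for illustration.

```javascript
// Added example. Origins and the request objects are constructed placeholders.
const ALLOWED_ORIGINS = new Set(['https://softphone.example.com']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type'];

// req: { method, headers } with lower-cased header names.
// Returns { allow, headers }: the CORS response headers the server should send.
function corsDecision(req) {
  const origin = req.headers['origin'];
  const base = { 'Vary': 'Origin' };
  // Unknown origin: send no CORS headers, so the browser refuses the response.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { allow: false, headers: base };

  // Credentialed requests need the exact origin echoed back; "*" is not accepted.
  const headers = {
    ...base,
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
  const wantMethod = req.headers['access-control-request-method'];
  const isPreflight = req.method === 'OPTIONS' && wantMethod !== undefined;
  if (!isPreflight) return { allow: true, headers };

  // Preflight: every requested method and header must be on the allowlist.
  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { allow: false, headers: base };
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  return { allow: true, headers };
}

// Constructed preflight for a POST with Content-Type application/xml.
const preflight = (origin, requestHeaders) => ({
  method: 'OPTIONS',
  headers: {
    'origin': origin,
    'access-control-request-method': 'POST',
    'access-control-request-headers': requestHeaders,
  },
});

const good = corsDecision(preflight('https://softphone.example.com', 'content-type'));
const extraHeader = corsDecision(
  preflight('https://softphone.example.com', 'access-control-allow-origin,content-type'));
const otherOrigin = corsDecision(preflight('https://other.example.net', 'content-type'));
console.log(good.allow, extraHeader.allow, otherOrigin.allow); // true false false
```

The second sample models a client that adds `Access-Control-Allow-Origin` as a request header: the browser then lists it in `Access-Control-Request-Headers`, and a strict header allowlist rejects the preflight.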