If you try to pass an access_token (either personal or generated from an authorization exchange) from a browser XMLHttp request for example you will receive an error

 No 'Access-Control-Allow-Origin' header is present on the requested resource 

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated.

We’ve deliberately not enabled CORS because it would enable/encourage access and refresh tokens to be passed to the browser where they could be much more easily compromised.

For example, someone uses the capability to write a WordPress plugin for a blog which entails sending the access and refresh token to the browser. That works, people install it, now anyone can view source on that site and have at least some level of read access to that persons calendars.

In order to resolve this you will need a server component that handles the API interactions with Cronofy and then renders the required information to the browser.

Did this answer your question?