I want to embed a SCORM site in my application. Users can upload any SCORM content they have created, which will be stored in an S3 bucket and served through a CDN (CloudFront).
From a security perspective, I need the CDN alias to be a subdomain of the main site. This allows me to sign cookies for CDN authentication while blocking access to the main API cookies that are signed for the main domain. This precaution is necessary to prevent any malicious code that may be uploaded.
For example, let’s consider the following scenario: the main site is located at app.site.com, and it has cookies signed for domain=app.site.com to communicate with the inner API. The SCORM content is served from cdn.app.site.com, and the cookies for this subdomain are signed for domain=.app.site.com (note the dot at the start).
This setup works well, but it poses a challenge when trying to communicate with the SCORM API since the iframe that contains the SCORM is considered cross-origin with the main domain.
How can I communicate with the SCORM API on one hand and block access to the main API cookies on the other hand, without proxying the requests to a server (in order to leverage the CDN)?