
JavaScript and XSS

If you are using JavaScript to access PTV Drive&Arrive, you have to keep the cross-site scripting issue in mind. There are several possible solutions to avoid it.

Apache

You can use the Apache web server as a proxy and reverse proxy so that all resources are loaded from one location (the address of the Apache web server). Please note that this is only a sample and may differ from what your local configuration looks like. Please ask your system administrator if you are not sure about the Apache configuration.

# Forward everything below /em/ to PTV Drive&Arrive and rewrite the
# Location/Content-Location headers of the responses back to this server.
# The path and the target URL both end with a slash, as Apache expects.
ProxyPass /em/ https://driveandarrive-v1.cloud.ptvgroup.com/em/
ProxyPassReverse /em/ https://driveandarrive-v1.cloud.ptvgroup.com/em/
<Location /em>
  # Access control in Apache 2.2 syntax (needs mod_access_compat on 2.4);
  # on Apache 2.4 use "Require all granted" instead.
  Order allow,deny
  Allow from all
</Location>

Node.js

You can use a library such as "nodejitsu/node-http-proxy", or build your own HTTP server with "http.createServer(onRequest).listen(port)", to pass requests from your server on to PTV Drive&Arrive.

Callback

PTV Drive&Arrive offers a JSONP callback. To embed the response in a JSONP callback, append ?callback=myCallback to the request URL.

Additional Hints

To hide the token from the client side, a simple proxy will not be enough. Therefore the proxy requires logic that hides the usage of the token.

Currently there is no mechanism on the PTV Drive&Arrive side to provide CORS (cross-origin resource sharing).

© 2022 PTV Planung Transport Verkehr GmbH | Imprint