This would make it possible for the launching LMS/LRS to restrict access to the fetch endpoint to the client that requested the launch.

Per July 17 meeting add issues tracker

cmi5Controller.js line 93. Does not differentiate between a 404 with a string response and a 200 with a JSON response.

I believe that Passed, Completed and Terminated statements must include duration.

Lacking a "return" on line 285 after auth token is fetched from session storage. The current behavior is read from session, call the successCallback then continue on, make the fetch request, then call either the tokenErrorCallBack incorrectly (since it was read from session anyway) or call successCallback again. Double callback on successCallback leads to fetching the activityState twice.

I received an error in chrome when trying to use cmi5 content that was not in the same domain as the LMS. The error message in chrome indicates that an Access-Control-Allow-Origin cannot be set to "*" when withCredentials is set to true. Since I do not wish to continually add domains to the Access-Control-Allow-Origin header, I removed that line from the cmi5Controller and I no longer had the error. I don't see this as particularly dangerous as I am only setting the Origin header when a request is made to my cmi5 controllers. I am considering removing it from this libraries source as well unless someone can give me a better idea.

Thanks.

When the user reloads / refreshes the page an additional initialized statement is sent. I believe that only one statement should be sent per session.

I believe that the cmi5 spec requires that only one Completed and or Passed statement is sent by the AU.

The AU could use the agent xAPI state resource to store if it has previously sent Completed or Passed statements. I don't believe the AU should attempt to check the existence of the Statements in the LRS because some LMS might prohibit an AU from requesting statements.

When attempting to read cached Auth token from session_storage, "data" is undefined on line 282