Solving the SCORM Cross Domain Issue

There are some deployment scenarios that SCORM makes difficult. One of them in particular is when you have content on one domain, and an LMS on a different domain. There are several solutions for this with varying merits, and all of them require effort of some sort. Further, cross domain solutions aren’t necessary in most cases. For these reasons, addressing “cross domain” scenarios is specifically excluded in some of our SCORM Engine licenses.

SCORM cross domain

Why the cross-domain limitation, and how can you get around it?

Basically, SCORM requires that content be served from the same domain as the LMS API. Browsers intentionally prevent the javascript in the content from communicating with the SCORM API if they originate from different domains. This is intentional on the part of the browser makers because it’s a security risk.

If you control both domains (content and LMS), then this security risk shouldn’t be a particular concern to you, but that’s not easy to convey to everyone’s browsers. There are several ways to deal with cross-domain situations, all of which have downsides.

  • Alter the settings in every browser that will play content. (This is a bad idea.)
  • Manipulate document.domain in each piece of content. (Also not a good idea, because the content vendors have to be involved. Any solution that requires cooperation on the part of the content and LMS vendors basically defeats the purpose of a standard like SCORM.)
  • Use Tin Can, because it works via web services. (Good idea long term, but it doesn’t solve your current problem of playing SCORM content.)
  • Manipulate this via networking magic.
    • Make each additional machine appear to come from the same domain. You can run multiple SCORM Engine installations in a single domain, essentially behind a load balancer.
    • You could even go so far as to have something like and if you wanted different content stores for each of them, with each communicating back to These would be virtual directories that are housed on different machines (with content in each) but appear to come from the same domain. This requires some skill in proxies. (Note: This wouldn’t work if you asked for, communicating with That would require central/remote, listed below.)
    • You can also do a lot of funny business down in apache with redirect forwards, virtual hosts, etc and make those domains look however you want to the outside browser.
  • Use what we call a central/remote architecture.
    • This is a great solution to the problem, and something we’ve built out well in SCORM Engine. It does, however, carry an extra cost because it requires reintegration and is explicitly excluded in our SCORM Engine contracts.
    • Basically, this allows you to have a single core Engine installation. You then replicate the remote component at each content store, wherever that might be. You would be responsible for replicating the content files to those locations. We would collectively write logic that determines which of the remote locations should play the content for each user.

So, there are options. They generally require extra work and extra costs. If you’d like to discuss these options, just get in touch with us. Ask us anything, really.

  • Catherine

    Thank you so much for this clear and informative response! I have been searching for documentation around this error for awhile, and no other blogs addressed the problem and potential solutions as well.

  • TheSlider2

    I have small website in php coupled to a database with quite a lot of information i’d like to share in a secure way with a local association which uses an lms for their members. I’d like to keep control over my data and only give them some “link” to my website which is a colab between me and other friends.
    I know how to package a scorm 1.2 zip file with a manifest xml file and all the required stuff in html format or as direct link to content on my server but, for them, i want something more secure than a zip.
    Basicaly, how can i setup my website to return to their lms information such as the time elapsed on something or the result of a randomly generated quiz ?
    I believe i can ask them to include their user ID in some url to recognize the “student” but after that, i’m quite lost and there is little technical information about SCORM and AICC on the net. : s
    ps : i’m only 16 years old and not a professional “yet”.

  • Ryan Donnelly

    Thanks for the post. We have a great function in SCORM Cloud called Dispatch that can help in this scenario. Dispatch allows you to host content on our SCORM Cloud servers, deliver a proxy file of your course that will call the SCORM Cloud player when launched in another LMS, and report back the “Big 4” (total time, completion status, pass/fail status, and score) to both SCORM Cloud and the target LMS. You can read more about it here:

    You can also check out these links for more information on SCORM:

  • Denise

    Our company consists of 50 different locations across the US. We are in the process of integrating an LMS. Scorm packages have been uploaded and play/track with no problem.
    What do you suggest with 3rd party eLearning vendors who only use AICC? Our company is an aviation company. Many of the locations use proprietary software and cannot update Java as often as it updates because it causes issues as well as the security issues it is known for. One of our eLearning vendors has over 14000 materials/courses in their catalog. Uploading and managing such an extensive library is not feasible.
    My developer said that AICC utilizes a Java applet so I’m not sure how we can work around it. Any suggestions?