Open API call returns can potentially be susceptible to cross-site request forgery (CSRF) attacks. To manage this security risk, the Admin UI includes the API Domain List.

You can add a domain to the list for a tenant integration that points to VMware Learning Platform and that runs within a browser. If your tenant uses a hosted tool on a web server that makes API calls to VMware Learning, then you must add the domain to the list. As well, if your tenant includes a vanity domain for a user interface, then you must add that domain into the list.

Note the following example:VMware Hands-On-Labs uses the following dashboard:

 http://web.hol.vmware.com/navigator/web.hol.vmware.com

This domain makes API calls to VMware Learning Platform and must be added to the domain list.