I am doing some integration with the salesforce.com api but I have hit a roadblock.

Using some javascript I want to 1. Post a username/password to get authentication token EG: https://login.salesforce.com/services/oauth2/token?&client_id=XXX-XXX&client_secret=YYYYYY&grant_type=password&password=BLAHBLAHP&username=BLAH@BLAH.com 2. Use this token to make subsequest requests to the salesforce API.

When I make the above request it works fine as long as I disable the security of the browser or have an addon that add a 'Access-Control-Allow-Origin' value to the responsed header. In this case I get back a valid response from Salesforce.

The problem is that I get CORS error when I try this from my domain: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://{{myip}}' is therefore not allowed access.

Now I understand why this restriction is enforced by the browser however the Salesforce API has an option to add whitelisted domains. I would have thought that this would have allowed me to make this work but it does not. Even though I have added my domain to the white list, the authentication request always comes back with the abve error in the console of the browser (chrome).

My question is: I am deluded to think that the whitelisting should work in my scenario? Am I missing some configuration of the salesforce app? Do I have to follow a different authentication method in order for this to work?

Any guidance would be appreciated.