The SSO service endpoint should send the proper CORS headers and respond to OPTIONS requests (CORS preflights) so that XMLHttpRequests on authenticated sites can (partially) work.
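One way to handle this, as an added example that is not the project's own code: a WSGI middleware that answers preflights itself and adds CORS headers to every other response. The origin allowlist, method list, header list and the `SsoCors` name are assumptions.

```python
# Added example, not project code. Origins, methods and header names below
# are constructed assumptions; replace them with the sites that use the SSO.
ALLOWED_ORIGINS = {"https://app.example.com", "https://wiki.example.com"}
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = {"content-type", "x-requested-with"}


def cors_headers(origin):
    """CORS response headers for one request's Origin value."""
    headers = [("Vary", "Origin")]  # caches must not mix origins
    if origin in ALLOWED_ORIGINS:
        # Echo the exact origin: browsers reject "*" on credentialed requests.
        headers += [("Access-Control-Allow-Origin", origin),
                    ("Access-Control-Allow-Credentials", "true")]
    return headers


class SsoCors:
    """WSGI middleware: answers preflights, decorates all other responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        base = cors_headers(origin)
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            headers = list(base)
            if origin in ALLOWED_ORIGINS:
                asked = environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS", "")
                granted = [h.strip() for h in asked.split(",")
                           if h.strip().lower() in ALLOWED_HEADERS]
                headers += [("Access-Control-Allow-Methods", ALLOWED_METHODS),
                            ("Access-Control-Allow-Headers", ", ".join(granted)),
                            ("Access-Control-Max-Age", "600")]
            # Preflights carry no cookies: answer without touching the session.
            start_response("204 No Content", headers)
            return [b""]

        def with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + base, exc_info)

        return self.app(environ, with_cors)
```

An origin outside the allowlist still gets a 204 on preflight but no `Access-Control-Allow-*` headers, so the browser blocks the follow-up request.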