It was saying that despite not needing the gateway, that the gateway was still the recommended approach.
Security exposure (cross-site scripting)
The Pega Gateway is the recommended deployment technique for Pega Mashups. Using the Gateway you can deploy it within the same domain as the containing page without having to stand up a full Pega node. Alternatively, this can be achieved with a simple reverse proxy.
Enabling browser security to take over is possible because with Pega you can meet the same-origin approach and implement X-Frame-Options Allow-From header.
Can someone please explain this to me? As deploying and configuring the gateway etc. is going to be significantly more effort, and I want to make sure it is worth it. What is the consequence of not using the gateway?
I will try and find the owner of that document and get it changed or clarified further.
The PRGateway is not needed with 7.2.1+ as we have implemented window.postMessage, and it is secured within the application record, on the Integration/Security tab, in a section called Mashup Security. Together with content security, on the same tab of the application record, cross-site scripting exposure is negated.
A reverse proxy is still not a bad idea though as it can help with Mashup security in general when it comes to secured sites. With a reverse proxy the PRPC content is served through that same host as the top level application making it so authentication to the top level is required to get to the PRPC content.
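The answer above rests on two browser-side controls: a window.postMessage channel that only honours messages from the expected origin, and frame-embedding headers that name the allowed containing page. The following is an added example written for this thread, not Pega's own mashup code or the PRGateway; the host names are constructed placeholders, and the handler and header-builder functions are illustrative names, not a Pega API.

```javascript
// Added example (not Pega code): the origin checks that make a postMessage-based
// mashup safe to embed without a gateway, shown beside the insecure form.

// Constructed allow-list of origins the mashup content is served from.
const ALLOWED_ORIGINS = new Set(["https://pega.example.com"]); // assumed host

// Insecure receiver: trusts any origin, so any page that can open or frame this
// window can inject data into the application.
function handleMessageInsecure(event) {
  return { accepted: true, data: event.data };
}

// Secure receiver: rejects unknown origins first, then validates message shape
// before anything is acted on. `event` mirrors the DOM MessageEvent fields used.
function handleMessageSecure(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "origin not allowed: " + event.origin };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  return { accepted: true, type: msg.type };
}

// Sending side: always name the target origin; a "*" target lets any document
// that ends up in the frame read the payload.
function postToMashup(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post with wildcard target origin");
  }
  targetWindow.postMessage(payload, targetOrigin);
  return targetOrigin;
}

// Response headers the mashup content should carry so only the named containing
// page may frame it. X-Frame-Options ALLOW-FROM is the header the thread
// mentions; CSP frame-ancestors is the current standard replacement and is
// emitted alongside it. Behind a reverse proxy the parent is the same host.
function embedHeaders(allowedParentOrigin) {
  return {
    "X-Frame-Options": "ALLOW-FROM " + allowedParentOrigin,
    "Content-Security-Policy": "frame-ancestors " + allowedParentOrigin,
  };
}

// Stand-alone demo with constructed events (no real browser needed).
if (typeof window === "undefined") {
  const hostile = { origin: "https://attacker.example.net", data: { type: "login" } };
  const trusted = { origin: "https://pega.example.com", data: { type: "login" } };
  console.log("insecure handler, hostile origin:", handleMessageInsecure(hostile));
  console.log("secure handler, hostile origin:  ", handleMessageSecure(hostile));
  console.log("secure handler, trusted origin:  ", handleMessageSecure(trusted));
  console.log("embed headers:", embedHeaders("https://portal.example.com"));
}

if (typeof module !== "undefined") {
  module.exports = { handleMessageInsecure, handleMessageSecure, postToMashup, embedHeaders };
}
```

In a page, `handleMessageSecure` is registered with `window.addEventListener("message", ...)`; the important detail is that the origin comparison happens before the payload is parsed, which is what lets the browser's same-origin policy, rather than a gateway, carry the trust decision.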