In the months since, guests have had a lot of fun with it and it’s been awesome seeing occasional surprise memories from friends pop up. That said, building that integration wasn’t the most straightforward task. I documented the journey (and failures) I took to arrive at the ultimate solution, with the intention of illustrating that reverse engineering is largely about persistence, and full of surprises. Most notably, I did not expect to encounter a dynamically generated virtual machine that generates and injects the headers required to validate authentication requests. I did find reference to Google’s Widevine Content Decryption Module but I’m not certain that technology is in play, or if the code tries to check for its presence at some point.
Update: Since posting, folks have noted this exact same technology is in use at Nordstrom (
https://www.nordstrom.com/mwp/integration/ns_common.js?async) and Target (