Streamlined way to validate website ownership (with javascript?)

Question

I have a rails app which requires users to verify that they own a website before submitting links from that site.

I have implemented a website verification system that works thanks to the answers given to a question I made several months ago. This system works but it is rather cumbersome for users. It requires them to create a web page on their site with a specific verification key for a url. I feel like I'm asking the user to jump through a lot of hoops just to submit their pages to my site. Site verification is vital, however, and I can't let go of this feature, however cumbersome.

I'm looking to create some javascript code that will help validate websites. When users install the plugin, all they would then have to do is click "verify" on the web app, and all the work is done for them. They don't have to go through the chore of creating a new web page and deleting it.

I have a faint idea of how to get started...

Step one: the javascript code to be placed on the website (simplified version of google analytics code):

        "<script type='text/javascript' id="THE VERIFICATION CODE GENERATED BY THE RAILS APP">

          (function() {
            var secondScript = document.createElement('script');
secondScript.type = 'text/javascript';
            secondScript.src = 'http://www.mywebapp.com/verify.js';
            var firstScript = document.getElementsByTagName('script')[0]; firstScript.parentNode.insertBefore(secondScript, firstScript);
          })();

        </script>"

In the second script(verify.js):

//find some way to ensure that the first script has an id of "VERIFICATION KEY"
//if so, return some data that the rails app can understand and verify the site

Any ideas?

Answer 1

That's a REALLY interesting problem, but I don't know if there is a good solution in the way you're looking for. In other words, I don't think you can create some sort of automated utility to upload the script in step one.

You can't assume they have FTP access, or SSH access; some web hosts might disallow those things. You can't assume they have some sort of 'package' installed to communicate with, or even the ability to install such a thing.

One thing that might work (but still has its own set of issues) is to do a whois lookup and email the owner of the site on record with a confirmation link... Of course that's assuming the whois is listed and they didn't provide a dummy email.

Google accounts checks for domain ownership by doing the file upload thing, or letting the user create a custom subdomain (CNAME) on the site. Of course, if your users are having issues uploading a single file, the CNAME thing is probably right out.

Answer 2

There are other ways to verify ownership of website. Many companies will send an e-mail to the registrant of the domain. Create a file with a certain name. Put a piece of specific text into the header of the index page. I think the way you're attempting above is more complex than it needs to be. It's pretty easy for any webmaster to create a file with a certain name and with certain content. I've done it many times for different tools.

Don't sweat it :-)