I want to allow users to embed badges on their personal site or blogs with a snippet of JavaScript. The badge is customized on our site based on information in their profiles that at some point is "approved".

Is there a best practice to check what website the JavaScript is embedded on and, if it does not match the website in their "approved" profile, display nothing? If it matches, inject the HTML, etc.

Thanks

A: 

You could check the top url using:

    var topUrl = top.location.href;
Pim Jager
+1  A: 

Two methods come to mind immediately:

  1. Configure your server to log the "Referer" header of all requests for the JavaScript and even check it against a list of approved URLs, and return an error code (403 Forbidden looks like a winner).

  2. Have the JavaScript "call home" - reporting where it is - like so:

    // Request an image from the logger, passing the embedding page's URL.
    var etCallHome = new Image();
    etCallHome.src = "http://yoursite.com/logger?url=" + encodeURIComponent(document.location.href);

You could also combine both approaches for luck. :-)

Már Örlygsson
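
The server-side Referer check from method 1, as an added example that is not part of the original answer: it compares the requesting page's host with the host stored in the user's approved profile and answers 403 otherwise. `APPROVED_SITES`, `hostOf`, `decideBadgeResponse` and the sample users are assumptions made for illustration.

```javascript
// Constructed sample data: badge owner -> site recorded in the "approved" profile.
const APPROVED_SITES = {
  alice: "https://blog.alice.example/",
  bob: "http://bob.example:8080/about",
};

// Return host[:port] of an http(s) URL, lowercased, or null if it cannot be parsed.
// Parsing (rather than substring or prefix matching) is what stops lookalikes
// such as blog.alice.example.evil.test from passing.
function hostOf(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.host.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Decide how to answer a request for the badge script of `userId`.
// Only hosts are compared: browsers commonly trim the path from a
// cross-site Referer, so a full-URL comparison would reject valid embeds.
// Referer is sent by the client, so this limits what ordinary browsers
// render on other sites; it does not authenticate the requester.
function decideBadgeResponse(userId, refererHeader) {
  // Vary/no-store keep a cache from replaying an approved response to another site.
  const headers = { "Vary": "Referer", "Cache-Control": "private, no-store" };
  const known = Object.prototype.hasOwnProperty.call(APPROVED_SITES, userId);
  const approved = known ? hostOf(APPROVED_SITES[userId]) : null;
  if (!approved) return { status: 404, headers, reason: "unknown-user" };
  // Assumed policy: a missing Referer (privacy settings, no-referrer) is denied.
  if (!refererHeader) return { status: 403, headers, reason: "no-referer" };
  const seen = hostOf(refererHeader);
  if (seen === null) return { status: 403, headers, reason: "bad-referer" };
  if (seen !== approved) return { status: 403, headers, reason: "host-mismatch" };
  return { status: 200, headers, reason: "ok" };
}
```

Logging the `reason` for each 403 gives the record of unapproved embedding sites that the answer suggests collecting.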