views: 45

answers: 1

Hey all,

I'm considering embarking on a new project. The premise of the project is to generate a widget on my site, then copy a piece of JavaScript into your site and voila, you have your widget.

It's a new spin on existing services such as polldady.com, twiig.com and addthis.com.

Many such services are designed to be publicly accessible, meaning the widget supplier doesn't care who is posting data back to them. In fact they encourage spreading the widget as far and wide as possible.

However, my service has a unique twist. In my case, although the widget will be open to the general public, I need to be sure that originating POST requests are coming from the expected site only.

Due to XSS issues with these JavaScript widgets, I need to dynamically create an iframe where my widget will be rendered.

Is there an authentication model to handle this type of interaction?

+1  A: 

First of all, this use of an iframe is a violation of the Same Origin Policy. With plain old JavaScript you can create a <form> and call .submit() to fire off this POST request anywhere. In fact this is how POST-based CSRF exploits work. You can check the referer of this POST request; however, if it is coming from an HTTPS page this value will be blank (in which case you could refuse service...). Sending the document.location as a POST variable is inadvisable, as it is trivial to modify this widget to report a modified value. However, the referer contained in the incoming HTTP request is off limits to the website's operator.

Rook
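The server-side check the answer describes, as an added example that is not part of the original question or answer: the widget's POST endpoint accepts a request only if its Referer names a host registered for that widget, and a blank Referer is refused. The widget ids and customer hosts are constructed placeholders, and `urlsplit` is used so that userinfo and look-alike hosts cannot be matched by a plain substring test.

```python
from urllib.parse import urlsplit

# Constructed example data: the embedding site(s) recorded when each widget
# was generated on the widget service (hypothetical ids and hosts).
WIDGET_SITES = {
    "widget-42": {"example-customer.com", "www.example-customer.com"},
}


def referer_allowed(widget_id, headers):
    """Return True only if the request's Referer names a host registered
    for this widget.

    A missing or blank Referer is refused rather than trusted. Note that
    browsers also omit it for privacy settings or a restrictive
    Referrer-Policy, so this trades some availability for assurance.
    """
    allowed = WIDGET_SITES.get(widget_id)
    if not allowed:
        return False
    # Header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer", "").strip()
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # urlsplit().hostname strips userinfo and port and lowercases the host,
    # so "https://example-customer.com@evil.example/" resolves to
    # "evil.example" and "example-customer.com.evil.example" stays distinct.
    return parts.hostname in allowed


def widget_post_status(widget_id, headers):
    """HTTP status the widget endpoint would return for this POST:
    204 when the Referer check passes, 403 otherwise."""
    return 204 if referer_allowed(widget_id, headers) else 403


if __name__ == "__main__":
    ok = {"Referer": "https://www.example-customer.com/page.html"}
    bad = {"Referer": "http://evil.example/fake.html"}
    print(widget_post_status("widget-42", ok))   # 204
    print(widget_post_status("widget-42", bad))  # 403
```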