Geek Answers Handbook

Private javascript widget

I am considering starting a new project. The background of the project generates a widget on my site, and then copies part of javascript to your site and viola, you have your own widget.

This is a new twist on existing services such as polldady.com, twiig.com and addthis.com.

Many of these services are intended for public access. The value of the widget provider does not care that you send data back to them. In fact, they encourage the widget to spread as far and further as possible.

However, my services have a unique twist. In my case, although the widget will be open to the general public, I must be sure that outgoing mail requests come only from the expected site.

Due to xss issues with these javascript widgets, I need to dynamically create an iframe where my widget will be displayed.

Is there an authentication model for interacting with this type of interaction?

+6
javascript security widget
source share
1 answer

First of all, this use of iframe is a violation of the same origin policy . Using plain old JavaScript, you can create a <form> and call .submit() to disable this email request anywhere. This actually works using POST based CSTF. You can check the referer this POST request, however, if it comes from an https page, this value will be empty. (that then you can refuse service ...). Sending document.location as a POST variable is impractical since it is trivial to change this widget to report a changed value. However, the referent contained in the incoming HTTP request is disconnected from the website operator .

+3
source share

More articles:


All Articles