Tito Garrido | 3 Aug 2012 17:31

Webservice for web widgets: security

Hi Folks,

I have created a jsonp function that will be used in a script so some other people could use widgets with just 2 lines like:

    <script src="http://example.com/widget/script.js" type="text/javascript"></script>
    <div id="example-widget-container"></div>

This script will call the jsonp function using:

    $.getJSON(widget_url, function(data) {
        $('#example-widget-container').html(data.html);
    });

How could I prevent people from executing my webservice function from another "js" file or a modified version?

I have checked request.env variable but I didn't find anything that I could say:

This call is from a javascript located in example.com, otherwise ignore.

Thanks in advance!

Tito

--

Linux User #387870
.........____
.... _/_õ|__|
..º[ .-.___.-._| . . . .
.__( o)__( o).:_______

Bruno Rocha | 3 Aug 2012 20:25

Re: Webservice for web widgets: security


I think you can generate a KEY in script.js (you need to generate this file dynamically).

So you will have a key to check back when the widget gets rendered.

--
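Added example, not part of the thread and not any poster's or framework's own code: one way to build the key suggested in the reply above, as an HMAC over the embedding page's host and an issue time, written into the dynamically generated script.js and checked again by the JSONP endpoint. The names issue_key, check_key, render_script_js, SECRET and MAX_AGE are hypothetical, and taking the host from the Referer of the script.js request is an assumption.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)  # assumption: server-side secret, never written into script.js
MAX_AGE = 300            # assumption: seconds a key stays valid after script.js is served


def _sign(embed_host, issued):
    # MAC binds the key to the embedding host and to its issue time.
    msg = f"{embed_host}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_key(embed_host, now=None):
    """Called while rendering script.js for a page served from embed_host."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_sign(embed_host, issued)}"


def check_key(key, embed_host, now=None):
    """Called by the JSONP endpoint before it returns data.html."""
    now = time.time() if now is None else now
    try:
        issued_s, mac = key.split(".", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed key
    if not 0 <= now - issued <= MAX_AGE:
        return False  # expired, or dated in the future
    expected = _sign(embed_host, issued)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(mac.encode(), expected.encode())


def render_script_js(embed_host, widget_url, now=None):
    """Body of the dynamically generated script.js, key appended to the JSONP URL."""
    key = issue_key(embed_host, now)
    return (
        f"$.getJSON('{widget_url}?key={key}&callback=?', function(data) {{\n"
        "  $('#example-widget-container').html(data.html);\n"
        "});\n"
    )
```

Anyone who can request script.js can also obtain a key, so this bounds how long and from which embedding host a copied key works; it does not prove the call came from an unmodified script.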
 
 
 
Anthony | 3 Aug 2012 20:45

Re: Webservice for web widgets: security

You might consider using CORS: http://www.html5rocks.com/en/tutorials/cors/


Anthony
