Guarantee the origin (parent URL) of a cross domain window.opener call by preliminary CORS call to the server

StackOverflow https://stackoverflow.com/questions/22827302

Question

My 1st question here.

Here is the task. I have a button which I want to put on 3rd party websites. When a user clicks that button, a new window opens by means of the javascript window.open method. In that window the user is redirected to my web application and has to log in. Now, how can I know for sure where the user came from (e.g. which website he clicked the button on)? Basically I want two things: make sure I can track which website the button was clicked on when the popup opens AND also make sure that only subscribers can use that button (well, the first condition will make it possible, because I will be able to filter out unauthorized requests based on URL).

Obviously window.opener doesn't work because it's cross domain and the browser won't allow it.

One idea I had was to use a CORS request from my script when the page loads, which would call my server; the server would generate some secret, set a cookie with it, and then return another javascript code which would contain the window.open call together with that secret as a parameter and another parameter which will be assigned the value of document.location (this basically sets the current URL as a parameter). This theoretically should ensure that the script which called the popup was legitimately received from my server, hence the URL it provides is correct. Otherwise, if someone created their own script to call my popup, they could of course set any URL they want as a parameter BUT they wouldn't know the correct cookie secret.

Please let me know if my approach is right and cannot be hacked, or whether it is rubbish. Also, is there a better way to do this?

I've been researching and thinking about it for a couple of days now; it hurts my brain.

Thanks to everyone in advance; any help is appreciated.


Solution 2

I found the solution myself.

Because window.open calls another domain, window.opener and document.referrer won't work.

The only way here is to use the message-sending mechanism between windows (web messaging) described here: http://en.wikipedia.org/wiki/Web_Messaging

It looks like all major browsers now support this.

It allows you to send a message to another window with a different domain and set the expected domain; in the receiving window you can also set the expected domain from which messages can be received. This way you know for sure that this particular domain sent the message and can guarantee the URL of the opener.
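The handshake described in this answer, written out as an added example (it is not code from the original post or from any library). Browser windows and postMessage are simulated with plain objects so the origin checks can run offline under Node; in a real page the same steps are window.open(), win.postMessage(data, targetOrigin) on the opener and window.addEventListener("message", handler) in the popup. The origins used are constructed sample values, and the message type names are assumptions for the example.

```javascript
// Added example, not from the original post or any library: a Node-runnable
// model of the web-messaging handshake between a third-party page (the
// opener) and the popup served from the application's own origin.

// Constructed sample data: origins of subscribed third-party sites, and the
// popup application's own origin.
const SUBSCRIBER_ORIGINS = new Set([
  "https://partner-one.example",
  "https://partner-two.example",
]);
const APP_ORIGIN = "https://app.example";

// --- Simulated browser plumbing --------------------------------------------
function makeWindow(origin) {
  return { origin, listeners: [] };
}

// Models win.postMessage(data, targetOrigin). The browser delivers the message
// only if the receiver's current origin matches targetOrigin (or it is "*"),
// and it stamps the event with the sender's real origin, which cannot be forged.
function postMessage(fromWin, toWin, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== toWin.origin) {
    return false; // dropped, as a browser would drop it
  }
  const event = { origin: fromWin.origin, data, source: fromWin };
  for (const fn of toWin.listeners) fn(event);
  return true;
}

// --- Popup side (page served from APP_ORIGIN) --------------------------------
// Installs a "message" handler that accepts an opener announcement only from a
// subscribed origin and records which origin it was.
function installOpenerVerifier(popupWin, allowedOrigins) {
  const state = { openerOrigin: null, rejected: [] };
  popupWin.listeners.push((event) => {
    // Trust event.origin (set by the browser), never a URL carried in event.data.
    if (!allowedOrigins.has(event.origin)) {
      state.rejected.push(event.origin);
      return;
    }
    if (event.data && event.data.type === "opener-announce") {
      state.openerOrigin = event.origin;
      // Acknowledge to that exact origin, so a page that later replaced the
      // opener at a different origin cannot read the reply.
      postMessage(popupWin, event.source, { type: "opener-ack" }, event.origin);
    }
  });
  return state;
}

// --- Opener side (button script on the third-party page) ---------------------
// Opens the popup, announces itself to APP_ORIGIN only, and records the ack.
function runExchange(siteOrigin) {
  const opener = makeWindow(siteOrigin);
  const popup = makeWindow(APP_ORIGIN); // stands in for window.open(APP_ORIGIN + "/login")
  const verifier = installOpenerVerifier(popup, SUBSCRIBER_ORIGINS);

  const openerState = { acked: false };
  opener.listeners.push((event) => {
    if (event.origin !== APP_ORIGIN) return; // ignore anything but our own app
    if (event.data && event.data.type === "opener-ack") openerState.acked = true;
  });

  // targetOrigin = APP_ORIGIN: if the popup has navigated elsewhere, nothing is
  // delivered, so the announcement never reaches another site.
  const delivered = postMessage(opener, popup, { type: "opener-announce" }, APP_ORIGIN);

  return { delivered, acked: openerState.acked, ...verifier };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runExchange("https://partner-one.example"));
  console.log(runExchange("https://not-a-subscriber.example"));
}
```

Two points the model makes visible: what the browser guarantees is event.origin (scheme, host and port), not the full page URL, so the subscriber check should be keyed on origins; and the check must compare event.origin, because any value placed in the message payload is under the sender's control. The handshake proves which origin opened the popup; authenticating the user is still the job of the login inside the popup.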

Other tips

If you want to know where (which site) your user has come from, use

document.referrer;

you can save it in a variable and redirect it.

As far as cookies are concerned, if by 3rd party you mean different domains, you can't access cookies cross-domain.

Licensed under: CC-BY-SA with attribution