My 1st question here.
Here is the task. I have a button which I want to put on 3rd-party websites. When the user clicks that button, a new window opens by means of the JavaScript window.open method. In that window the user is redirected to my web application and has to log in. Now, how can I know for sure where the user came from (e.g. which website he clicked the button on)? Basically I want two things: make sure I can track which website the button was clicked on when the popup opens, AND also make sure that only subscribers can use that button (well, the first condition will make it possible, because I will be able to filter out unauthorized requests based on the URL).
Obviously window.opener doesn't work because it's cross-domain and the browser won't allow it.
One idea I had was to use a CORS request from my script when the page loads, which would call my server; the server would generate some secret, set a cookie with it, and then return another piece of JavaScript code containing a window.open call with that secret as a parameter and another parameter assigned the value of document.location (this basically sets the current URL as a parameter). This theoretically should ensure that the script which called the popup was legitimately received from my server, and hence the URL it provides is correct. Otherwise, if someone created their own script to call my popup, they could of course set any URL they want as the parameter, BUT they wouldn't know the correct cookie secret.
Please let me know whether my approach is right and cannot be hacked, or whether it is rubbish. Also, is there a better way to do this?
I've been researching and thinking about it for a couple of days now - it hurts my brain.
Thanks to everyone in advance - any help is appreciated.