I would like to develop a client-side JavaScript widget that may be included on authorized partner websites only. The JavaScript widget will make REST calls back to the main website. Partner websites should be able to use the JavaScript widget without installing any server-side components. Any attempt by an unauthorized site to use a given key should fail. Obviously, any API keys that are delivered to a web browser would ultimately be vulnerable to exposure even if they were obscured somehow.
One real-world example I looked to for ideas is the Google Maps JavaScript API v3, which imposes quota limits and optionally allows API clients to restrict access for a given key to specified domains. But it looks like this restriction is based on referers, which seems too easy to forge. It seems like websites using this system are vulnerable to an attacker using their keys (which are visible in plain text in the HTML) and running enough API calls to exceed the quota. Also worth noting is that Google distinguishes between “Browser keys” and “Server keys”.
Here are some related questions I found, none with encouraging answers:
- How can PHP driven API authenticate genuine client (referer) cross-domain (knowing that headers can be spoofed)?
- Securing an API for use with Javascript widget
- Javascript API - Restrict Domain by providing whitelisting option to user
Is there an existing design pattern, standard or cryptographic scheme that addresses this issue? Or is there no way to accomplish this without some server side component?