I am building a 3rd party widget
We drop a script on a client's page and load some content.
The problem I face is how do I secure my widget. As a third party widget I know there is no 100% way to secure it. But trying to work out a 'good enough' approach.
I want to make it difficult for a non-customer to just rip our script off their competitor's site and use it on theirs.
The solution I see is to validate the requesting domain (which I know could be spoofed; not sure if I can guard against this?).
I had a look at other widgets like olark and olapic that use unique ids per client in their script, but cannot see how helpful that is.
What are the best practices to secure a third party widget?
Securing a tenant's 3rd party client access to your Javascript poses a unique set of challenges. Most of the difficulty in this solution stems from the fact that the authentication mechanism must be present in the tenant's web content and delivered from their client's browser. Standard client<>server authentication mechanisms such as sessions, cookies, custom headers, referrers and IP address restriction do not apply well due to the extended nature of the transaction.
This article by Bill Patrianakos provides a solution by using a dynamic key request that provides an access token to the tenant's client.
Patrianakos provides some good information on Third Party tenant relationships and discusses some of the limitations of this model in his article.
Protecting your code in Javascript is difficult due to the requirement that the code is interpreted at runtime by the client browser. However, it is possible to obfuscate your Javascript by using the Google Closure Compiler. The advanced optimization features of the compiler offer low-level reference renaming and also provide more compact code for delivery of your widget.
To compile your Javascript using advanced optimizations use the following command line:
java -jar compiler.jar --compilation_level ADVANCED_OPTIMIZATIONS \
--js myWidget.js --js_output_file myWidget.min.js
There are some important caveats. This article covers some of the things to avoid in your code to ensure that the code will function correctly. I would also recommend a good QUnit test framework to ensure that your widget will operate properly.
To secure the widget, if you want to prevent forged requests then you need to open a popup and open a page from your server which is completely under your control, and confirm any actions such as 'publish tweet' there.
See the answer for this question for some more extended discussion.
For preventing your Javascript from being stolen, minification is not sufficient; it's better to use an obfuscator. Have a look, for example, at [JScramble]; this is a presentation on how it works.