Guarantee The Origin (parent Url) Of A Cross Domain Window.opener Call By Preliminary Cors Call To The Server

My 1st question here. Here is the task. I have a button which I want to put on 3rd party websites. When user clicks that button - a new window opens by means of javascript window.

Solution 1:

I found the solution myself.

Because window.open calls another domain - window.opener and document.referrer won't work.

The only way here is to use message sending mechanism between windows (web messaging) described here: http://en.wikipedia.org/wiki/Web_Messaging

It looks like all major browsers now support this.

It allows to send message to another windows with different domain and set the expected domain, so in receiving windows you can also set expected domain from where messages can be received - this way you know for sure that this particular domain sent a message and can guarantee the URL of the opener.

Solution 2:

If you want to know from where(which site) your user has come from , use

document.referrer;

you can save it in a variable and redirect it.

As far as cookies are concerned, if by 3rd party you mean different domains, you can't access cookies cross domains.