Consider that an online shop subscribes an embedded external service for their customers. This external webpage is accessible through a clickable banner on the online shop.
On the subscription area of this external service, the registration form asks about the base url domains where the banner will be published:
companya.com
companyb.org
companyc.net
The purpose is to create a query string dynamically for the banner url redirect:
service.com?id=VO6Ny3WqBBIdZPufARCV10RPyY6nwQf37V8RClhJIlU
The html code snippet to place the banner would be automatically generated on the client or server side and the form information never stored
When a user clicks the banner, the server (Flask) gets the origin request domain (i.e “companyb.org”) and verifies with the query string if it is an authorized domain.
So:
- All the provided urls should create a single fixed size cipher.
- Appending more addresses should not impact on the size of the cipher.
- Each of the addresses individually should be validated by the shared code (that changes every time that any element of the domain list is added, removed or edited).
- The “encryption” (hash?) of the domains list should be preferably made on client side.
- The validation is naturally made server side (python-flask)
It’s all about thinking about managing a CORS policy without any storage since the validation is made on-the-fly solely with the information of the http request envelope.
Moreover, this cipher can also be encrypted by other means.
Any suggestions?