How can we secure a third-party widget?

Securing a tenant's client access

Securing a tenant's third-party client access to your JavaScript poses a unique set of challenges. Most of the difficulty stems from the fact that the authentication mechanism must be present in the tenant's web content and delivered from their client's browser. Standard client-to-server authentication mechanisms such as sessions, cookies, custom headers, referrers and IP address restriction do not apply well, because the request originates from a third-party page rather than from your own application.

This article by Bill Patrianakos provides a solution using a dynamic key request that issues an access token to the tenant's client.

Patrianakos provides some good information on third-party tenant relationships and discusses some of the limitations of this model in his article.

Securing the JavaScript code

Protecting your JavaScript code is difficult because the code must be interpreted at runtime by the client's browser, so it is always readable by that client. It is, however, possible to obfuscate your JavaScript with the Google Closure Compiler. The compiler's advanced optimizations perform low-level reference renaming and also produce more compact code for delivery of your widget. Obfuscation raises the effort needed to read the code but does not keep it secret, so any authorization decision must still be enforced on the server.

To compile your JavaScript with advanced optimizations, use the following command line:

java -jar compiler.jar --compilation_level ADVANCED_OPTIMIZATIONS \
  --js myWidget.js --js_output_file myWidget.min.js

There are some important caveats. Advanced optimizations rename properties and remove code the compiler considers unused, so any symbol the tenant's page must call has to be exported explicitly. This article covers some of the things to avoid in your code to ensure that it will function correctly after compilation. I would also recommend a good QUnit test suite to ensure that your widget operates properly.