Background: I have written a bookmarklet (JavaScript) that appends an iframe to the current page you are viewing. This iframe’s src attribute is pointing to a form back on my (rails) application. I need to pass a key into the form (from the bookmarklet) by either modifying one of the values of the input fields or by passing the value as a parameter at the end of the url calling the form action.
I don’t really see a way how to do the former, and the latter seems like a security catastrophe waiting to happen. I was wondering what the best practice would be here?
Appending a query string parameter to the URL seems reasonable, but you’re correct – there are security implications. The value will appear in the user’s browsing history and it’ll be visible over unencrypted HTTP (but not HTTPS).
There’s another JavaScript-based way to do this that’s not yet widely supported, but is worth considering – window.postMessage. It allows pages at designated domains to send and receive messages using a familiar event-based model. See https://developer.mozilla.org/en/DOM/window.postMessage.
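The handshake the answer points at, written out as an added example (this is not code from the question or the answer; `APP_ORIGIN`, `FORM_PATH`, `KEY_FIELD_ID` and the message `type` strings are assumptions chosen for the illustration). The bookmarklet appends the iframe without any key in the URL, waits for the form to announce it is ready, then posts the key with an explicit `targetOrigin` so the browser drops it if the iframe no longer holds a document from the application. On the form side the listener only accepts a correctly shaped message from `window.parent`, and optionally from an allowlist of embedding origins; anything else is ignored.

```javascript
// Added illustration, not code from the question or answer. APP_ORIGIN,
// FORM_PATH, KEY_FIELD_ID and the message `type` strings are assumptions.
const APP_ORIGIN = 'https://app.example';   // assumed origin of the Rails app
const FORM_PATH = '/bookmarklet/new';        // assumed path of the form
const KEY_FIELD_ID = 'bookmarklet_key';      // assumed id of the hidden input

// --- Form side (script served inside the iframe by the Rails app) ---

// Validate an incoming MessageEvent-like object ({ origin, source, data }).
// Returns the key string when the message is acceptable, otherwise null.
function acceptKeyMessage(event, { expectedSource, allowedOrigins = null } = {}) {
  // Only the window that embedded us (window.parent) may hand over the key.
  if (expectedSource !== undefined && event.source !== expectedSource) return null;
  // A bookmarklet can run on any page, so an origin allowlist is optional;
  // when the app does know its hosting pages, enforce it.
  if (allowedOrigins !== null && !allowedOrigins.includes(event.origin)) return null;
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;
  if (data.type !== 'bookmarklet-key') return null;
  if (typeof data.key !== 'string' || data.key.length === 0) return null;
  return data.key;
}

function installFormListener(win, keyFieldId, options) {
  win.addEventListener('message', (event) => {
    const key = acceptKeyMessage(event, { expectedSource: win.parent, ...options });
    if (key === null) return;
    const field = win.document.getElementById(keyFieldId);
    if (field) field.value = key;  // assign .value only; the server still verifies the key
  });
  // Tell the embedding page the form is ready; this carries no secret, so '*' is fine.
  win.parent.postMessage({ type: 'form-ready' }, '*');
}

// --- Bookmarklet side (runs on whatever page the user is viewing) ---

function buildKeyMessage(key) {
  return { type: 'bookmarklet-key', key };
}

// Deliver the key to the iframe. The explicit targetOrigin is what protects it:
// the browser discards the message if the iframe's document is not from targetOrigin.
function sendKeyToIframe(iframeWindow, key, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to broadcast a secret to any origin');
  iframeWindow.postMessage(buildKeyMessage(key), targetOrigin);
  return targetOrigin;
}

function runBookmarklet(win, key) {
  const iframe = win.document.createElement('iframe');
  win.addEventListener('message', (event) => {
    // Accept the readiness signal only from our own iframe and only from the app's origin.
    if (event.source !== iframe.contentWindow || event.origin !== APP_ORIGIN) return;
    if (!event.data || event.data.type !== 'form-ready') return;
    sendKeyToIframe(iframe.contentWindow, key, APP_ORIGIN);
  });
  iframe.src = APP_ORIGIN + FORM_PATH;  // the key never appears in this URL
  win.document.body.appendChild(iframe);
  return iframe;
}

// Browser wiring for the form page; in Node the functions above stay callable.
if (typeof window !== 'undefined' && window.location && window.location.origin === APP_ORIGIN) {
  installFormListener(window, KEY_FIELD_ID);
}
```

The key still has to be validated server-side when the form is submitted; postMessage only keeps it out of the URL, history and referrer, and the source/origin checks stop an unrelated page from planting its own value in the form.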