I am working on implementing a JavaScript web bug that will be inserted into our client’s web pages. One of the features our clients would like, is a way to pass pieces of the HTML on their web pages to our server through the web bug. We are using JSONP and the server that is hosting the JavaScript web bug is different than the server hosting the we page. The basic idea is this:

var element = document.getElementById(id);
var html = element.innerHTML;
//Encodes HTML into GET request www.example.com/script?html=encodedhtml
var url = getSrcUrl(html); 
document.write(unescape("%3Cscript src='" + url + "' type='text/javascript'%3E%3C/script%3E"));

The security problem is that anyone could make a get request to our server with arbitrary HTML that isn’t from the web page that is hosting the web bug. Is there anyway to make this secure?

I know we could check HTTP headers for the referrer, but this can easily be forged. I saw some ideas where the server passed a unique token that had to be returned in the GET request, but it seems like this could be forged too.

My hunch is that what we’re trying to do can’t be done securely, but I wanted to throw this out to the community to see if there’s something clever that can be done. Otherwise, I’m going to have to build a screen scraper that downloads the pages directly from our clients and extracts the relevant HTML for their page.

Thanks for any and all help!

EDIT

To be clear, our client’s web pages are public-facing without security. In other words, any Internet user could visit the page and execute the JavaScript bug that submits the HTML fragment.

EDIT 2

An acceptable answer is “this is impossible”! If that is the case, and you give a good explanation of why, I will choose it as the accepted answer.

EDIT 3

What we are building is a kind of Google Analytics system for our clients. We are trying to track visits to unique “items” by each visitor and then automatically collecting information about that item via the HTML fragment. We will then insert information about the item on other pages by injecting the HTML fragment that we collected from the original item. We are trying to do all this without requiring our clients to install anything on their severs and by just including out JavaScript web bug in their HTML.