When you try to integrate with the LinkedIn Apply Now button, you first register for the API key. In the form, you are prompted to enter the JavaScript API, which is the fully-qualified domain name of all pages that will call the JavaScript API with this key. In turn, it creates an API key and some HTML code for you, which you can copy and paste into your web page and start.
This is the code created by the wizard:
    <script src="http://platform.linkedin.com/in.js" type="text/javascript">
      api_key: 7a4ghb12agvda4552da
    </script>
    <script type="IN/Apply"
            data-companyname="Asd"
            data-jobtitle="Software Developer"
            data-joblocation="Istanbul"
            data-email="abc@xyz.com">
    </script>
Now, how to track where this script is built in? First I introduced http://example.com as my JavaScript Domain API. It turned out that I can only use this widget in the example.com domain.
What's inside in.js that tells LinkedIn where it is embedded?
The reason I ask is because I am also creating a widget, and I want only my registered widgets to be able to use my widget.
Edit: As a bonus, what if I download in.js, delete the part where it performs the domain check, and enable my own version of in.js on my page? How do they prevent this?
A LinkedIn employee mentions that both client-side and server-side checks are performed. But what will be the test? I am looking for a deep understanding of the problem. How can I create such a widget? On the client side, how do you check the current page that hosts your .js file? And how do you get in which domain the js file is located? Any help appreciated. Thanks.
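One way the server-side half of the domain check asked about above could work, as an added example that is not part of the original post and is not LinkedIn's code: the API server compares the browser-supplied Origin (or Referer) header with the origins registered for the key, so deleting the check from a local copy of in.js changes nothing. `REGISTERED_ORIGINS`, `toOrigin`, `authorizeWidgetRequest` and the sample key are hypothetical names and constructed values.

```javascript
// Hypothetical registry: API key -> origins entered at registration.
// The key and domains below are constructed sample values.
const REGISTERED_ORIGINS = new Map([
  ["demo-key-123", new Set(["http://example.com", "https://example.com"])],
]);

// Normalise a URL or origin string to scheme://host[:port].
// Returns null for anything that is not a parsable http(s) URL.
function toOrigin(value) {
  if (typeof value !== "string" || value === "") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Decide whether a widget API request may be served.
// headers: lower-cased HTTP request headers as the server received them.
function authorizeWidgetRequest(apiKey, headers) {
  const allowed = REGISTERED_ORIGINS.get(apiKey);
  if (!allowed) return { ok: false, reason: "unknown api key" };

  // Browsers set Origin on cross-origin XHR/fetch and page script cannot
  // override it. Referer is only a fallback for requests that carry no
  // Origin at all (plain <script> or <img> loads). An Origin that is present
  // but unusable (e.g. "null" from a sandboxed frame) is rejected outright.
  const raw = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const origin = toOrigin(raw);
  if (!origin) return { ok: false, reason: "no usable origin or referer" };

  // Exact match on the normalised origin: a prefix or substring test would
  // accept look-alike hosts such as example.com.evil.test.
  if (!allowed.has(origin)) {
    return { ok: false, reason: "origin not registered: " + origin };
  }
  return { ok: true, origin };
}

// Constructed sample requests.
console.log(authorizeWidgetRequest("demo-key-123", { origin: "http://example.com" }));
console.log(authorizeWidgetRequest("demo-key-123", { origin: "http://example.com.evil.test" }));
```

This binds a key to pages loaded in a real browser. A non-browser client can send any header it likes, so the check limits where the widget can be embedded rather than authenticating the caller.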