@getify
Created July 4, 2010 01:54
<?php
// located at: http://another.tld/api.php
$api_callback = $_REQUEST["callback"];
if ($_COOKIE["token_1"] == "abcd1234" && $_GET["token_2"] == "efgh5678") {
    $msg = "Yes, your API call was successful!";
}
else {
    $msg = "API call not authorized.";
}
?>
// this is a JSON-P style response from the API
<?=$api_callback?>({"msg": "<?=$msg?>"});

<?php
// located at: http://another.tld/auth.php
$token_1 = "abcd1234";
$token_2 = "efgh5678";
$auth_callback = $_REQUEST["callback"];
setcookie("token_1", $token_1);
?>
// in JS, document.domain is not settable or spoofable so it's
// reliable to protect a cross-domain JSON-P call
if (document.domain == "something.tld") {
    <?=$auth_callback?>({"token_2": "<?=$token_2?>"});
}

// this file is loaded and run on http://something.tld/index.html
function make_jsonp_call(url) {
    var script = document.createElement("script");
    script.src = url;
    script.type = "text/javascript";
    document.getElementsByTagName("head")[0].appendChild(script);
}

function api_done(resp) {
    alert(resp.msg);
}

function get_auth(auth) {
    var token_2 = auth.token_2;
    // not only do we have token_2 by way of the auth parameter,
    // but token_1 is stored in a browser cookie now. together,
    // these two tokens will authorize our API call.
    make_jsonp_call("http://another.tld/api.php?token_2=" + token_2 + "&callback=api_done");
}

make_jsonp_call("http://another.tld/auth.php?key=987654321&callback=get_auth");
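
The API endpoint above writes the `callback` request parameter and the message straight into a script response. As an added example (not part of the gist), this is one way to build the same JSON-P response defensively in JavaScript; the `req` object shape and all function names are assumptions, and the token values are the gist's own placeholders.

```javascript
// Added example: hardened builder for the gist's api.php JSON-P response.
// Accept only a plain or dotted identifier as the callback name.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Strict string comparison that inspects every character of the expected
// token instead of stopping at the first mismatch.
function tokenMatches(supplied, expected) {
  if (typeof supplied !== "string") return false;
  let diff = supplied.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (supplied.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// JSON.stringify leaves "<", U+2028 and U+2029 untouched; escape them so the
// payload cannot close a <script> element or break older JavaScript parsers.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// req is a hypothetical parsed request: { cookies: {...}, query: {...} }.
function buildApiResponse(req) {
  const cb = req.query.callback;
  if (!isSafeCallback(cb)) {
    // Never echo a rejected callback back into the response.
    return { status: 400, type: "text/plain", body: "invalid callback" };
  }
  const ok1 = tokenMatches(req.cookies.token_1, "abcd1234");
  const ok2 = tokenMatches(req.query.token_2, "efgh5678");
  const msg = ok1 && ok2
    ? "Yes, your API call was successful!"
    : "API call not authorized.";
  return {
    status: 200,
    type: "application/javascript",
    body: cb + "(" + jsonForScript({ msg }) + ");",
  };
}
```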

getify commented Jul 7, 2010

I liken this to the classic CS problem of trying to take any given matched string and find the exact regular expression that matched it.

Since it can be proven that there are nearly infinitely many different regexes that could match the given string, you can't prove that you can easily find exactly the regex the string came from. The regex match process is a lossy one-way street. There's the easy base regex /thestring/, but what if I had originally randomly started with some other crazy regex that matched the same string? You have no way of knowing which regex I started with, except just starting with the base regex and exhaustively brute-force trying all possible variations on the regex grammar, and asking if that is the regex I started with.

You could probably do this brute force, but it's not gonna be pretty or easy or trivial.


Pointy commented Jul 7, 2010

Things that Rhino needs some help with in order to decode a "noalnum" string:

  1. global object needs to be referenced by a variable named "window" (duhh)
  2. need "atob" and "btoa" functions
  3. the "toString" function on the global/window object needs to return "[object Window]" instead of "[object Global]"
  4. The Array prototype needs a "filter" that doesn't have to do anything in particular other than be a function, and also have (on the function object itself) a toString method that returns the sort of string Firefox returns ("function filter () {\n [native code]\n}")
  5. The String prototype needs a working "fontcolor" function (trivial)
  6. The global/window "Date" function has to be replaced by a function that just returns a random JavaScript-style date string (this is due to a NullPointerException bug in the Rhino Date() function)

I think that's pretty much it.
