
Is there a way to securely know the originating server hosting an AJAX call?

Let's imagine that site A embeds a JavaScript file using a standard script tag pointing to server B. Next, site A makes a JSONP or AJAX request to a resource on server B. Is there any way for server B to definitively know that a specific JSONP request originated from a user on site A, and not from a user on another site spoofing their HTTP Referer?

The only reason I think there is any realm of possibility is because site A started the communication with its embedding of server B's JavaScript. In a way, couldn't this original communication act as a security handshake, allowing subsequent calls to pass through securely? But because the handshake was made through insecure means, doesn't that prevent it from acting as a security handshake?

Any ideas on how this task can be accomplished? Every solution I can think up is broken by the notion that every element of an AJAX call can be faked.

I read http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html and "Detecting Ajax in PHP and making sure request was from my own website", but as far as I could tell they focused on ensuring the veracity of the user and not the veracity of the referrer.


With Ajax over HTTPS you could, if you wanted, configure your server to require mutual authentication.


You could use a hash chain to verify origin.

On page load, generate a hash X times from a random value and send the last hash with the initial request (the script tag), e.g. Hash[100]. Send every next request with Hash[Last-1].

On server B, check whether hash(received_hash) is the same as the last one.

