Given a website (SiteA) where some JavaScript are making Ajax calls to a server. I want to make sure that all Ajax calls are originating from SiteA only. Http-referer can be spoofed so I turn to the JavaScript community. I'm thinking that the JavaScript can send its location. But are there some readonly identifiers that can be used to accomplish this?

It seems that Google does this somehow (e.g. in Maps) but couldn't find any good pointers on how they do it.

All suggestions are welcome, I'm a complete novice when it comes to Javascript.