There are two different web applications, Host and App, which are hosted separately, i.e. in particular on different domains. App is not designed to be accessed directly. Rather, users are expected to visit Host, which embeds App as an IFrame. While App is fully trusted, Host is more likely to get compromised, and shouldn’t be able to access confidential information intended only for App.
In several situations App must generate URLs that ultimately redirect to a certain App page embedded on the Host domain, but also pass on confidential information directly to App. The URLs need to be self-sufficient, i.e. they must work in a newly set up browser without any history or cached data.
Question: Are there any best practices or recommendations on how to pass such information in a secure manner?
As a side note, I can see that there are other, maybe even more critical security concerns in a setup like this, e.g. phishing. Comments on those are welcome, too, but my main concern is building URLs as described above.