Hmm, I'm interested with 
shinkan method of hiding the url, it came to me that why not use MP plugin to deliver the url string? This can be single flow process like below:
1)Peer: connect to host
2)Peer: on joined room, send message <browser.URL>
3)Host: on peer message, compare message with whitelist array, if true, send some screwed message.
4)Peer: on message, load the message into array, then compare with browser.URL
5) If equal, disconnect from signal, then start game.
Step 3&4 is redundant check. I think it would be hard for the thief to fabricate "send message", there's probably loophole here, but for me it's an interesting idea. The drawback would be having an always online host to enable the checking. What do you guys think?
I like the "flood with ads" idea!
Three reasons:
1/if the user is offline (yep, C2 games work offline too in the browser), the check is impossible, and prevent them from playing it feels plain like a cheap shot.
2/host is mandatory, as well as finding a room, which would involves using the scirra signaling server, sure, it is never a big problem, but feels really bad to involve another middleground, also that means having an host connected at all time, which is also another risk.
3/No webRTC support on some browsers, no MP plugin, no nothing
If you want to go as far as that, just use an ajax request to a file at the root of your domain, that would stop I think most of them, but again, still the point 1 applies here.