4

Possible Duplicate:
How to limit display of iframe from an external site to specific domains only

What I want is simple. I want to prevent my website from being called from domains I did not approve. Let's say only a.com and b.com can have a page with an iframe calling my web application wwww.mydomain.com/myapp.php. How can I accomplish this?

1st I was thinking about my web application checking the domain of the iframe's parent. Maybe that is possible, but certainly not easy, because of cross-domain restrictions.

2nd I was thinking of having the requesting page on a.com and b.com execute a small PHP-script first which writes some info to a file or my database, so I know the requesting page is on one of the approved domains. The question is how to call and when to execute the script?

Is placing a script tag or image tag with a src attribute a good idea? That looks like a fairly simple solution to me and no PHP is required. The requesting page can be pure HTML.

Should it look like this:

<img src="http://wwww.mydomain.com/myapp.php" style="width: 0px; height: 0px;" alt="Not an image"  title="Not an image"/>

What do you advise?

RWC

4 Answers

5

This is how I did it and it works like a charm. The average user won't be able to access my web application.

Nothing needs to be done on the approved domains. Sweet!

Thanks to dda and jackJoe ( How to limit display of iframe from an external site to specific domains only )

<?php

  define('MSG_NO_ACCESS', 'No access');

  $acceptedDomains = array('mydomain.com', 'a.com', 'b.com');
  // The Referer header is optional; check it exists before reading it.
  $referer = isset($_SERVER['HTTP_REFERER']) ? get_domain($_SERVER['HTTP_REFERER']) : false;

  if(!$referer || !in_array($referer, $acceptedDomains, true))
  {
     header('HTTP/1.0 403 Forbidden');
     exit(MSG_NO_ACCESS);
  }

// Reduce the Referer's host to its trailing domain (e.g. "a.com" for
// "www.a.com"), lower-cased so it compares equal to the allowlist entries.
// Returns false when the URL has no usable host.
function get_domain($url)
{
  $pieces = parse_url($url);
  $domain = isset($pieces['host']) ? $pieces['host'] : '';
  if (preg_match('/(?P<domain>[a-z0-9][a-z0-9\-]{1,63}\.[a-z\.]{2,6})$/i', $domain, $regs))
  {
     return strtolower($regs['domain']);
  }
  return false;
}

?>

RWC
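The same allowlist idea, as an added example that is not part of the answer above and is written in JavaScript (Node) rather than the answer's PHP, so the host matching can be exercised directly. It matches the Referer host exactly or as a true subdomain, so look-alike hosts such as evil-a.com or a.com.evil.net do not pass, and it also emits the Content-Security-Policy frame-ancestors header, which is the control the browser actually enforces: the Referer header is set by the client, is often stripped, and is a soft filter at best. The domain names are the question's placeholders; handleRequest and its sample requests are constructed for the example.

```javascript
// Added example (JavaScript/Node, not the PHP from the answer above): the same
// Referer allowlist with host matching that cannot be fooled by look-alike
// hosts, plus the Content-Security-Policy frame-ancestors header, which is
// the control the browser actually enforces. Domain names are the question's.

const ACCEPTED_DOMAINS = ["mydomain.com", "a.com", "b.com"];

// Host of a Referer URL (lower-cased by the URL parser), or null when the
// header is missing or not a parseable URL.
function refererHost(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).hostname;
  } catch (e) {
    return null;
  }
}

// Exact match or a true subdomain only: "www.a.com" passes,
// "evil-a.com", "xa.com" and "a.com.evil.net" do not.
function hostAllowed(host, allowed) {
  if (!host) return false;
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

function isAllowedReferer(referer, allowed = ACCEPTED_DOMAINS) {
  return hostAllowed(refererHost(referer), allowed);
}

// CSP directive listing the origins permitted to frame this page.
function frameAncestorsHeader(allowed = ACCEPTED_DOMAINS) {
  const sources = allowed.map((d) => `https://${d} https://*.${d}`);
  return `frame-ancestors 'self' ${sources.join(" ")}`;
}

// Simulated request handling (hypothetical, for the example): takes the
// incoming headers with lower-cased keys, as Node's http module delivers
// them, and returns what the app would send. The Referer test is only a
// soft filter; the CSP header is what stops the framing.
function handleRequest(requestHeaders) {
  if (!isAllowedReferer(requestHeaders["referer"])) {
    return { status: 403, headers: {}, body: "No access" };
  }
  return {
    status: 200,
    headers: { "Content-Security-Policy": frameAncestorsHeader() },
    body: "<html><body>myapp</body></html>",
  };
}

// Constructed sample requests (not real traffic) showing both branches.
console.log(handleRequest({ referer: "https://www.a.com/embed.html" }).status); // 200
console.log(handleRequest({ referer: "https://a.com.evil.net/" }).status); // 403
```

The frame-ancestors value can equally be set from PHP with header() or from an Apache .htaccess via mod_headers; wherever it is set, a browser that supports CSP refuses to render the page inside a frame whose ancestor chain is not in the list, regardless of what the Referer says.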
2

This question has already been asked. How to limit display of iframe from an external site to specific domains only

Basically you can; depending on your web server, you will need to restrict access.

With Apache this can be done in a .htaccess file

With IIS this can be done in 'IP Address and Domain restrictions'

If you're on some shared hosting platform you might not have all that much control.

will
  • My bad. I should have search first before I asked my question. But your answer is very helpful. Thank you. – RWC May 18 '12 at 20:35
1

A little PHP injecting some JS can go a long way.

<?php
// Read the Referer if the browser sent one (it is optional and often stripped).
if(array_key_exists('HTTP_REFERER',$_SERVER)){
  $referer=$_SERVER['HTTP_REFERER'];
} else {
  $referer='';
}
// Encode it as a JS literal so quotes, "</script>" or "&" in the Referer
// cannot break out of the string and run as script in the page.
$refererJs = json_encode($referer, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo "<script type='text/javascript'>
var referer=".$refererJs.";
</script>
";
?>

This will inject the HTTP_REFERER into a "referer" JS variable. Now with that and the following JS code, you're good to go:

if (top === self) {
// not in a frame, no worries
} else {
// in a frame, decide whether referer is one of the guys allowed to display your web site...
// nuke the content, redirect, display a goatsee pic, etc
}
dda
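The approach in the answer above, as an added example that is not dda's code: the referer goes into the inline script as an escaped JSON literal instead of being pasted between quotes (a Referer such as http://evil.example/';alert(1);// or one containing </script> would otherwise run as script in your page), and the browser-side decision is a pure function that takes top !== self and the referrer so it can be tested outside a browser. The allowed parent domains are the question's a.com and b.com; refererScriptTag, framingDecision and the sample inputs are constructed for the example.

```javascript
// Added example, not dda's code: the referer is embedded in the inline
// <script> as an escaped JSON literal rather than pasted into a quoted
// string, and the browser-side decision is a pure function so it can be
// tested. Allowed parent domains are the question's a.com and b.com.

const ALLOWED_PARENTS = ["a.com", "b.com"];

// Serialise a value for use inside an inline <script>. JSON.stringify handles
// quotes and backslashes; the extra replacements stop "</script>" and HTML
// entities in the Referer from ending the script element early.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The tag the server emits (hypothetical helper). The PHP equivalent is
// json_encode with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT.
function refererScriptTag(referer) {
  return `<script>var referer = ${jsLiteral(referer || "")};</script>`;
}

// Host from a URL string, or null when it is empty or unparseable.
function hostOf(url) {
  if (!url) return null;
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Browser-side logic (hypothetical helper). Pass top !== self as isFramed and
// document.referrer (or the injected `referer` variable) as referrer.
// Returns "standalone", "allowed" or "blocked"; the caller acts on "blocked"
// (clear the document, redirect, and so on).
function framingDecision(isFramed, referrer, allowed = ALLOWED_PARENTS) {
  if (!isFramed) return "standalone";
  const host = hostOf(referrer);
  if (host && allowed.some((d) => host === d || host.endsWith("." + d))) {
    return "allowed";
  }
  return "blocked";
}

// Constructed inputs, including a Referer crafted to break out of the string.
console.log(refererScriptTag("http://evil.example/';alert(1);//"));
console.log(framingDecision(true, "https://www.a.com/host.html")); // allowed
```

Two practical notes. In a framed document, document.referrer already holds the embedding page's URL (subject to that page's Referrer-Policy), so the server does not need to inject the Referer for the browser-side check to work. And any script-based check runs inside the framing page's iframe, where the embedder can switch scripts off with the iframe sandbox attribute, so this only stops the casual embedder; a frame-ancestors Content-Security-Policy header is the control the browser enforces for you.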
0

There's nothing you can do to prevent this. Anyone with a server proxy can grab your HTML and re-serve it up as their own.

Rule #1: if you don't want people stealing your stuff on the internet, don't put it online.

Diodeus - James MacFarlane
  • I am sure you are right. Maybe I should have said "prevent the average user" from simply calling my website in an iframe. – RWC May 18 '12 at 20:38