
I have a page called test2.php that is loaded into test1.php via iframe.

I would like to implement a whitelist to make sure that test2.php is only accessed via test1.php. I noticed that the parent page URL (test1.php) is passed as the HTTP_REFERER for the child iframe page (test2.php).

This holds true in IE7/8/9 and the versions of Chrome and FF I'm using.

So, in this case, as real security is not a factor, is testing the HTTP_REFERER field reliable to check the parent page's identity? Are there browsers that do not set this header for iframes, or is there an edge case I'm not taking into consideration?

I realize this is not hack-proof, as header spoofing is trivial, but security is not an issue. I simply want to control (more or less) on what pages test2.php is embedded.

Thank you for your time.

  • See http://stackoverflow.com/questions/165975/determining-referer-in-php HTTP_REFERER isn't reliable, but might be reliable enough for you. Might be better to get test1.php to start and set something in a session or set a cookie that test2.php looks for – cosmorogers Dec 15 '12 at 22:35
  • Yeah, that's a good point, didn't think about sessions. Only problem is I won't always have control over the parent page - I need to be able to 'loan out' the content of the iframed page to other sites. Hence why I'd like to verify the parent page's identity :) – siliconrockstar Dec 15 '12 at 22:59
  • If you want to verify that the user came from a third party site, require that they include their identity and a unique validation token in the user's request to you. When you get the request, look up the identity and make sure it's valid, then make a request to them to ensure that they issued the unique token. This will require more work on their end, but it will ensure that the request did come through them at some point. You'll also want to make sure that the tokens are invalidated after one use. – Charles Dec 15 '12 at 23:07

1 Answer

You can use JavaScript - at the beginning, check if your test2.php file is in an iframe:

    var isInIframe = (parent !== window);

then you can get and verify the parent URL:

    function getParentUrl() {
        var isInIframe = (parent !== window),
            parentUrl = null;

        // When framed, document.referrer holds the URL of the embedding page
        if (isInIframe) {
            parentUrl = document.referrer;
        }

        return parentUrl;
    }
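Building on the answer's document.referrer approach, here is an added example (not part of the original answer) that compares the referrer's host against an allowlist. The allowed host names are assumed; the point it demonstrates is that the referrer must be parsed and the host compared exactly, and that an empty or unparseable referrer (browsers and referrer policies can suppress it) must be rejected rather than ignored.

```javascript
// Added example, not from the original answer: verify the embedding page by
// parsing document.referrer and matching its host against an allowlist.
// The referrer is client-supplied and may be empty (privacy settings,
// referrer policy, direct navigation), so a missing value counts as "not allowed".

// Hypothetical allowlist of hosts permitted to embed test2.php.
const ALLOWED_PARENT_HOSTS = ['example.com', 'partner.example.org'];

// Returns the referrer's hostname in lower case, or null when the referrer is
// empty or not a parseable absolute URL (the URL parser lowercases the host).
function parentHost(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return null; // not a usable URL, treat as unknown parent
  }
}

// Exact host comparison: a substring test like referrer.includes('example.com')
// would also accept "example.com.attacker.test" or "notexample.com".
function isAllowedParent(referrer, allowedHosts = ALLOWED_PARENT_HOSTS) {
  const host = parentHost(referrer);
  return host !== null && allowedHosts.includes(host);
}

// True only when this page is framed AND the framing page's host is allowed.
// Takes the window and document objects so it can be exercised outside a browser.
function framedByAllowedParent(win, doc) {
  const isInIframe = win.parent !== win;
  return isInIframe && isAllowedParent(doc.referrer);
}

// Constructed sample referrers, in the form a browser would put in document.referrer.
const SAMPLE_REFERRERS = [
  'https://example.com/test1.php',                 // allowed
  'https://EXAMPLE.com:8443/test1.php?x=1',        // allowed, case/port ignored
  'https://example.com.attacker.test/test1.php',   // rejected: different host
  'https://notexample.com/test1.php',              // rejected: different host
  '',                                              // rejected: referrer absent
];

if (typeof document !== 'undefined') {
  // In the browser: gate the page content on the result of this check.
  console.log('allowed parent:', framedByAllowedParent(window, document));
} else {
  for (const ref of SAMPLE_REFERRERS) {
    console.log(JSON.stringify(ref), '->', isAllowedParent(ref));
  }
}
```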