4

Let's say we have two websites: A and B.

On website A there is a embeded iframe which is linked to website B (website A is serving website B using iframe).

Is there a way that website B knows that website A is serving it, and how to get that information using PHP? I want to know domain name and IP address of website A.

So my problem is that I don't know in advance where my website is going to be served, but I only want to find out who is serving it.

There is a way to provide URL get parameter to the iframe url. For example

<iframe src="http://mywebsite.com?url=commingFromWebsiteB"></iframe>

This way I can check if this iframe is embeded on website B using the following code:

$sourceWebsite=$_GET['url'];

But the problem is that admin of website B, can copy and paste this iframe on website C and leave this url parameter to be equal to 'commingFromWebsiteB' even if iframe is now displayed on website C which is not my partner.

Thx!

MrD
  • 2,423
  • 3
  • 33
  • 57
  • http://stackoverflow.com/questions/15662627/how-to-know-if-a-website-still-put-my-iframe-on-his-her-website –  Jul 13 '15 at 08:56
  • You can use some flag variable with the url as query string. – Sougata Bose Jul 13 '15 at 09:02
  • @maurize The problems are not the same. In the question you pasted, user knows the website where the iframe will be, so he can check it using cURl or any other method, and I don't know website URL nor IP address. My question said in sql language: _select all websites which are displaying my website using iframe._ – MrD Jul 13 '15 at 09:10
  • @b0s3 - I'm already doing that but I want additional security measure. – MrD Jul 13 '15 at 09:11
  • Add a token to the URL, i.e. **?token=someRand0mUn1qu3S7r1ng** – ggdx Jul 13 '15 at 09:27
  • @DanWhite I can do that, but again, that token will be sent from any other website which is not my partner website. I will examine the token, conclude that token exist and will serve the content, but I should not serve a content. – MrD Jul 13 '15 at 09:40

1 Answers1

1

Well you can check the referrer. Either by blacklisting or whitelisting. This example is for blacklisting if you know the "thief".

<script type="text/javascript">
if(document.referrer.indexOf("otherdomain.com") != -1) {
    window.location = "yourdomain.com/error.html";
}
</script>

on the other hand you can also create a whitelist in PHP and try to check before like this:

$show = false;
if (isset($_SERVER['HTTP_REFERER'])) {
    $array = parse_url($_SERVER['HTTP_REFERER']);
    if (strpos($array['host'], 'yourdomain.com') === false ){
        $show = false;
    } else {
        $show = true;
    }
}

if ($show == false){
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}
Harald Doderer
  • 108
  • 5