-4

I need to prohibit access to my js file except for some website. eg I have js for special external website so this website can load my js

but if other website wants to load this js, it should get error message

How can I do it? please help

Note!

in fact, this request from external website goes to my php and php creates js file

Can php check the host name of website which made request?

Cerbrus
  • 70,800
  • 18
  • 132
  • 147
xyz
  • 41
  • 6
  • 1
    There's really no way to do this. – Pointy Sep 18 '15 at 14:24
  • You can't. If a user can open your site, he can access your JS file. If he can access your JS file, he can do _anything_ he wants with it. – Cerbrus Sep 18 '15 at 14:24
  • there's no 100% reliable way of doing this. the JS **HAS** to be downloadble for authorized users to be able to use, and there's no practical way to detect who's authorized and who isn't that can't be faked/forged/spoofed. – Marc B Sep 18 '15 at 14:24
  • If you mean stopping ``, then you can check the Referrer header on the server. – Zirak Sep 18 '15 at 14:25
  • @Zirak: Which [can be spoofed](http://chat.stackoverflow.com/transcript/message/25795174#25795174). – Cerbrus Sep 18 '15 at 14:26
  • @Zirak Doing that will break any clients that do not pass a referrer header. – Phylogenesis Sep 18 '15 at 14:26
  • @MarcB: That's not very true; you can easily protect the JS behind an authentication cookie. However, you cannot stop copy-paste. – SLaks Sep 18 '15 at 14:26
  • @Phylogenesis Which ones don't? @Cerbrus That's why I conditioned on it coming just from the `script` tag – Zirak Sep 18 '15 at 14:27
  • @SLaks: maybe so, but OP's saying it's a 3rd party script, which'd require an SSO system – Marc B Sep 18 '15 at 14:27
  • We need OP (@xyz) to elaborate on his question: If he wants to stop hotlinking (`script src` and the likes), then this question is not a duplicate. If he wants to stop people from copy pasting, then it is. – Zirak Sep 18 '15 at 14:29
  • @xyz, can you add the PHP code that returns the JS file to your question? – Cerbrus Sep 18 '15 at 14:39

1 Answers1

3

You can't prevent users from using the file once they had access to it.

If a user can open your site, he can access your JS file.
If he can access your JS file, he can do anything he wants with it.

Basically, anything you send to the client, be it HTML, css, images or JS files can be saved, modified or re-used. There's no reliable way of preventing that other than not sending the files to unauthorized users.
As soon as a user is authorized, they can do whatever they want with the files that they receive.

That said, since you're using php to serve the JS file, you can probably check the referrer. No idea how, though, since I'm no php programmer.

Cerbrus
  • 70,800
  • 18
  • 132
  • 147