
I have a widget (built with PHP on an Apache webserver) that is embedded on webpages of other sites.

I'd like to render the widget only on pages for which the widget was built.

For example, if the widget is for site example-a.com and it is embedded on domain example-b.com, I want it not to be shown on example-b.com. Is it possible to do something like this?

Maybe using http_referer I can solve the problem?

To embed the widget I use an iframe, but I'm not sure the http_referer isn't hackable.

The iframe is something like this:

<iframe id="WidgetContent" src="http://127.0.0.1:8000/widget/1" frameborder="0" height="600"></iframe>

So no javascript is used.

Any advice on this? Thank you!

Aerendir
  • It is possible. But not sure how you want to implement it. – Sougata Bose Nov 23 '15 at 09:40
  • widget uses PHP only or uses javascript also? You can try to define some variable/token in `example-a.com` website and check that before displaying the widget. As you will not find that variable/token in `example-b.com`, there it will not be displayed. – Ashish Choudhary Nov 23 '15 at 09:43
  • @Sougata, I have no idea of how to implement it: I'm only thinking about it, but have not yet tried to implement it: from the page called via iframe I don't know if I have the variable set. – Aerendir Nov 23 '15 at 09:47
  • @AshishChoudhary, no, I don't use javascript, but anyway, putting a tag on the target page isn't an option as this makes the embedding of the widget too much difficult for the end user: I want to maintain simplicity. – Aerendir Nov 23 '15 at 09:47
  • We use tokens to determine if the widgets are genuine. When the widget is loaded, make an API call to your server and see if the token matches the token in the database and if yes check if the Referer URL is the same as in your database for that token. If it's not validated then do not show the widget. And make sure to use a fast API as you do not want the other website to increase loading time because of this widget – Ashish Choudhary Nov 23 '15 at 09:54
  • @AshishChoudhary The token is not an option, as it will always be visible. If the legitimate site example-a.com puts the widget with the token on its webpages, the non-legitimate example-b.com can read the token on example-a.com and use it also on its non-legitimate pages. So the use of the token seems unhelpful to me, doesn't it? – Aerendir Nov 23 '15 at 10:03
  • HTTP-REFERER is a hackable item since it is sent in the HTTP header. – php_coder_3809625 Nov 23 '15 at 10:04
  • @php_coder_3809625, yes, I know it is... For this reason I'm asking how to be sure how to know if the iframe is loaded from a particular, legitimate domain... Any solutions? – Aerendir Nov 23 '15 at 10:05
  • For a bit of information, are you using apache, nginx or other web servers? – php_coder_3809625 Nov 23 '15 at 10:05
  • @php_coder_3809625, I'm using Apache... Why? – Aerendir Nov 23 '15 at 10:06
  • I remember seeing something about referencing a domain in `$_SERVER` by apache. – php_coder_3809625 Nov 23 '15 at 10:07
  • Do you refer to `REMOTE_HOST`? http://stackoverflow.com/q/3812166/1399706 This may be a possible solution if it works with iframes... – Aerendir Nov 23 '15 at 10:10
  • @Aerendir — REMOTE_HOST is the hostname of the *client* (i.e. the computer the browser is running on) not the hostname of the website hosting the HTML document containing the frame. – Quentin Nov 23 '15 at 10:11
  • https://stackoverflow.com/questions/2297403/http-host-vs-server-name `$_SERVER['SERVER_NAME']`, but it is dependent on your config. – php_coder_3809625 Nov 23 '15 at 10:17

1 Answer


You can specify which sites are allowed to display a page in a frame using the X-Frame-Options HTTP response header.

X-Frame-Options: ALLOW-FROM http://example-a.com
Quentin
  • But this should be set on the server of example-a.com, shouldn't it? If this is the case, it isn't an option as it is too difficult and not considerable as a possible solution. – Aerendir Nov 23 '15 at 10:12
  • @Aerendir — No. It should be set on the server of the page that is to be displayed in the frame. – Quentin Nov 23 '15 at 10:14
  • Anyway, if I have a lot of websites this becomes a very long list. But if I could set them dynamically, querying a database... – Aerendir Nov 23 '15 at 10:15
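The following is an added example, not code from the question or the answer, showing how the widget endpoint itself can emit the framing restriction per widget, which addresses the "long list" concern in the comments: the allowed embedders are looked up by widget id rather than hard-coded in the server config. It also shows where a Referer check fits (advisory logging only, since the Referer is client-supplied and the browser may omit it). The `ALLOWED_EMBEDDERS` table, the `id` query parameter and the `allowedEmbedders` helper are assumptions standing in for a database query; `Content-Security-Policy: frame-ancestors` is the current standard that superseded `X-Frame-Options: ALLOW-FROM`, which only some older browsers honour.

```php
<?php
// Added example: per-widget framing restriction for a PHP widget endpoint.
// Not part of the original question or answer.
declare(strict_types=1);

// Constructed sample data (stands in for a database): widget id => origins
// that are permitted to embed that widget in a frame.
const ALLOWED_EMBEDDERS = [
    1 => ['https://example-a.com', 'https://www.example-a.com'],
    2 => ['https://example-c.com'],
];

/** Origins permitted to frame the given widget; [] if the widget is unknown. */
function allowedEmbedders(int $widgetId): array
{
    return ALLOWED_EMBEDDERS[$widgetId] ?? [];
}

/** Response headers that make the browser refuse to render the page inside
 *  any frame whose top-level origin is not in $origins. */
function framingHeaders(array $origins): array
{
    if ($origins === []) {
        // Unknown widget: forbid framing everywhere.
        return [
            "Content-Security-Policy: frame-ancestors 'none'",
            'X-Frame-Options: DENY',
        ];
    }
    return [
        // frame-ancestors accepts a list of origins and is enforced by all
        // current browsers.
        'Content-Security-Policy: frame-ancestors ' . implode(' ', $origins),
        // ALLOW-FROM takes exactly one origin and is only honoured by some
        // older browsers; sent as a fallback for those.
        'X-Frame-Options: ALLOW-FROM ' . $origins[0],
    ];
}

/** Advisory check on the Referer header. It is sent by the client and can be
 *  forged or stripped by a Referrer-Policy, so it is only used for logging
 *  here; the framing headers above are the control the browser enforces. */
function refererLooksAllowed(?string $referer, array $origins): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach ($origins as $origin) {
        if (parse_url($origin, PHP_URL_HOST) === $host) {
            return true;
        }
    }
    return false;
}

// --- Request handling (the part that would sit in /widget/<id>) ---
$widgetId = (int) ($_GET['id'] ?? 0);          // assumption: id passed as ?id=
$origins  = allowedEmbedders($widgetId);

foreach (framingHeaders($origins) as $header) {
    header($header);
}

if (!refererLooksAllowed($_SERVER['HTTP_REFERER'] ?? null, $origins)) {
    // Useful signal for spotting unexpected embedders, not a gate.
    error_log(sprintf('widget %d loaded with unexpected Referer "%s"',
        $widgetId, $_SERVER['HTTP_REFERER'] ?? '(none)'));
}

header('Content-Type: text/html; charset=utf-8');
echo '<!doctype html><p>Widget ' . htmlspecialchars((string) $widgetId, ENT_QUOTES) . '</p>';
```

The browser, not the widget server, decides whether to render the frame, so an embedding page on example-b.com that copies the iframe tag gets a blank frame: the page is still served, but the response headers tell the browser that example-b.com is not an allowed ancestor. That is why the token approach discussed in the comments is not needed; nothing secret has to be placed in the embed code.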