
Example:

A website with URL https://website1.com requests a script from https://website2.com. In order to allow access to the script, an id must be passed as a parameter to the request:

<script type="application/javascript" src="//website2.com/?id=a0cF-p8v"></script>

Now, Website2 uses the id to get from the database the URL of the website it belongs to. Then, it compares the URL fetched from the database to the one I'm trying to get.

Questions:

  1. Is there a (foolproof) way to get the URL of a website requesting a script with PHP?

  2. Is this concept actually secure?

Angel Politis
  • Can you describe better the actual problem that you're trying to solve with this? – Federkun Dec 29 '17 at 18:39
  • 1. No. 2. Also no. – Sammitch Dec 29 '17 at 18:39
  • There isn't any information about the requesting host sent up in an HTTP request. Even so, doesn't matter here because the site isn't requesting the script, the user's browser is. The requesting IP will be the user's IP. – Joe Dec 29 '17 at 18:41
  • Also, you ask "is (this) secure?" I don't see what you're trying to secure in the first place. – Joe Dec 29 '17 at 18:41
  • @Joe I'm making a third party script that only registered websites should be able to access. The only website I have control of is `Website2`. – Angel Politis Dec 29 '17 at 18:42
  • @AngelPolitis the `id` isn't enough to do that? No valid id, no script? – Joe Dec 29 '17 at 18:50
  • It is, but if someone looks at the source code of `Website1` and copies the script to their _(non-registered)_ website, the `id` would be valid again, while the website using it would be irrelevant. – Angel Politis Dec 29 '17 at 18:52
  • so why don't you obfuscate the JS? in response to ^ – Funk Forty Niner Dec 29 '17 at 18:53
  • JSON web tokens: issue each site a secret or public key which is a hash_hmac of your private key, get them to encode the id with the individual user's IP as part of the payload. This way you sign/verify both the site and the user requesting the script; if the id is copied it won't work. More hassle setting up, but you can't secure it any other way; the id needs to be regenerated/signed for every request, if you want it secure. Else just check the referer :/ – Lawrence Cherone Dec 29 '17 at 18:56
  • ...referer can be spoofed. – Funk Forty Niner Dec 29 '17 at 18:57
  • I'm talking about the `HTML` code @FunkFortyNiner. If they copy the `script` tag I have given in the question, the `id` is still valid and they get access to its functionality, regardless of whether the `JS` code is obfuscated or not. – Angel Politis Dec 29 '17 at 18:58
  • you can obfuscate that too. – Funk Forty Niner Dec 29 '17 at 18:58
  • @LawrenceCherone I'm not trying to prevent clients _(end users)_ from having access to the `script`. That `script` should work if a trusted, registered website loads it. If a foreign one copies the `script` tag to their `HTML` code it shouldn't load. The website's visitors have nothing to do with it. – Angel Politis Dec 29 '17 at 19:04
  • How can I obfuscate the `HTML` code of a website I don't control? That website includes the `script` tag to their code and my app starts working @FunkFortyNiner. – Angel Politis Dec 29 '17 at 19:08
  • @AngelPolitis You should be, as they're the ones executing it; you should also be thinking about trying to protect from *offline* use. If you want a *foolproof* way you need to sign (asymmetric) every request, like a CSRF token, else it's just a string someone can copy and then mock the request. – Lawrence Cherone Dec 29 '17 at 19:10
  • oh, well that's a whole different ballgame then. You can have a look at https://stackoverflow.com/questions/165975/determining-referer-in-php but like I said in response to Lawrence's comment earlier, `$_SERVER['HTTP_REFERER']` can be spoofed. – Funk Forty Niner Dec 29 '17 at 19:10
  • $_SERVER['HTTP_REFERER'] can be spoofed, but it will not be by normal users using a normal browser to view content. So it is "good enough" to prevent things like image links placed on an unauthorized web site. – Dave S Dec 29 '17 at 19:23
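
The two approaches discussed in the comments side by side, as an added PHP example that is not part of the question or of any commenter's code: a Referer check of the kind Dave S describes (a hotlinking deterrent that any non-browser client can defeat) and a per-request HMAC token of the kind Lawrence Cherone suggests, which binds the `id` to a registered site's secret and to an expiry time. Everything here is constructed: the `REGISTERED_SITES` table and its secret, the `token` query parameter, and the assumption that the registered site's own server calls `issueToken()` when it renders the page, so the value in the `<script>` tag is not a static string that survives being copied.

```php
<?php
// Added example, not from the question or any commenter.
// Assumptions (all constructed for illustration): website2 keeps a registry of
// site ids with the registered host and a per-site shared secret issued at
// registration; the registered site's own server calls issueToken() when it
// renders the page, so the token in the <script> tag is short-lived.
declare(strict_types=1);

// Constructed registry; on website2 this would come from the database.
const REGISTERED_SITES = [
    'a0cF-p8v' => ['host' => 'website1.com', 'secret' => 'CONSTRUCTED-SECRET-for-website1'],
];

// Weak check: Referer. Normal browsers send it on a script load, but any client
// can set it to anything, and privacy settings or Referrer-Policy may omit it.
// Enough to deter casual hotlinking, not enough to prove who embedded the tag.
function refererMatches(?string $referer, string $expectedHost): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Token = id.expiry.hmac, issued by the registered site's server per request.
function issueToken(string $id, string $secret, int $expiresAt): string
{
    $mac = hash_hmac('sha256', $id . '.' . $expiresAt, $secret);
    return $id . '.' . $expiresAt . '.' . $mac;
}

// Verify on website2; returns the site id on success, null otherwise.
function verifyToken(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$id, $expiresAt, $mac] = $parts;
    if (!isset(REGISTERED_SITES[$id]) || !ctype_digit($expiresAt)) {
        return null;
    }
    if ((int) $expiresAt < $now) {
        return null; // expired: a copied tag stops working after its window
    }
    $expected = hash_hmac('sha256', $id . '.' . $expiresAt, REGISTERED_SITES[$id]['secret']);
    // Constant-time comparison so the MAC cannot be matched byte by byte.
    return hash_equals($expected, $mac) ? $id : null;
}

// Decision for GET //website2.com/?token=...; returns [status, body].
function serveScript(array $query, array $server, int $now): array
{
    $id = verifyToken((string) ($query['token'] ?? ''), $now);
    if ($id === null) {
        return [403, 'invalid or expired token'];
    }
    // Referer only as a second, weaker layer on top of the signed token.
    if (!refererMatches($server['HTTP_REFERER'] ?? null, REGISTERED_SITES[$id]['host'])) {
        return [403, 'referer mismatch'];
    }
    return [200, "/* script for {$id} */"];
}

if (PHP_SAPI === 'cli') {
    $now = time();
    $token = issueToken('a0cF-p8v', REGISTERED_SITES['a0cF-p8v']['secret'], $now + 300);
    // 200: valid token, expected referer
    print_r(serveScript(['token' => $token], ['HTTP_REFERER' => 'https://website1.com/page'], $now));
    // 403: same tag copied to an unregistered site (referer mismatch)
    print_r(serveScript(['token' => $token], ['HTTP_REFERER' => 'https://other.example/'], $now));
    // 403: copied tag replayed after the token's window has passed
    print_r(serveScript(['token' => $token], ['HTTP_REFERER' => 'https://website1.com/'], $now + 301));
}
```

The token answers the question's actual concern: a static `id` copied out of `Website1`'s HTML stays valid forever, whereas a signed token bound to an expiry has to be regenerated by a server that holds the secret, so a static copy of the tag expires on its own. The Referer comparison is kept only as defence in depth, with the caveat from the thread that it is trivially spoofable and may be absent in legitimate browsers; neither layer controls what a page does with the script once it has loaded.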

0 Answers