[ic] Allowing a particular domain access to content

Paul Jordan paul at gishnetwork.com
Mon May 24 14:05:04 UTC 2010


>> Is there a way to allow only a particular external domain to access
>> content from an Interchange website when one does not have control of
>> the external domain?
>>
>> Site1 grabs stuff from Site2, and Site2 doesn't want to show this
>> content to anyone other than Site1. I have complete control over Site2,
>> and limited (practically zero) control of Site1.
>>
>> I've been controlling access using environment variables, but I'm pretty
>> sure all environment variables can be faked.
>
> Environment variables can't be faked, but http headers (which control
> some of the variables, such as referrer) can be.  I think what you're
> referring to here is having a third person actually presented the
> content in a browser and checking the referrer, in which case you have
> the distinction of presenting the content to anyone as long as they are
> also on the other site.  In that case the only way that I know of is to
> check the referrer which can (as you point out) be spoofed.
>
> If, on the other hand, the other site is fetching the content from you
> directly and displaying it to the browser (by actually pulling the
> content through their own server) then you can check the IP address to
> verify that the connection is coming from that server.

Site1 is displaying content through an iframe. I checked and the only IPs 
that are in [env] are the visitor and Site2; Site1 is only mentioned in the 
referrer. Since the iframe is really called from the visitor's browser, I 
guess there is really not much I can do.

Is there anything I can suggest to these people that would make it more 
plausible to achieve this type of security?

Paul
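
The distinction drawn in this thread, as an added example (not part of the original messages and not Interchange code): a check that separates the connection's source address from the client-supplied referrer, run over constructed CGI-style environments. The hostname `site1.example`, the addresses and the function name `classify` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values for illustration: Site1's server address and hostname.
PARTNER_NETS = [ipaddress.ip_network("192.0.2.10/32")]
PARTNER_HOST = "site1.example"


def classify(env):
    """Return (signal, strength) for a CGI-style environment dict."""
    try:
        addr = ipaddress.ip_address(env.get("REMOTE_ADDR", ""))
    except ValueError:
        return ("none", "deny")  # missing or malformed peer address
    if any(addr in net for net in PARTNER_NETS):
        # Peer address of the TCP connection: filled in by the web server,
        # not taken from a request header.
        return ("partner-ip", "strong")
    # Everything below relies on a header the client chose to send.
    host = urlsplit(env.get("HTTP_REFERER", "")).hostname or ""
    if host == PARTNER_HOST:  # exact host match, not a substring test
        return ("referer-only", "weak")
    return ("none", "deny")


# Constructed sample requests (documentation address ranges).
SAMPLES = {
    # Site1's server pulls the content itself and relays it.
    "server_fetch": {"REMOTE_ADDR": "192.0.2.10"},
    # A visitor's browser loads the iframe embedded on Site1.
    "iframe_visitor": {"REMOTE_ADDR": "198.51.100.7",
                       "HTTP_REFERER": "http://site1.example/page"},
    # Any other client that sends the same header value.
    "other_client": {"REMOTE_ADDR": "203.0.113.50",
                     "HTTP_REFERER": "http://site1.example/page"},
    # A longer hostname that merely begins with Site1's name.
    "lookalike": {"REMOTE_ADDR": "203.0.113.50",
                  "HTTP_REFERER": "http://site1.example.other.test/"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:15} {classify(env)}")
```

The `iframe_visitor` and `other_client` rows come out identical, which is the situation described above: with an iframe, Site2 only ever sees the visitor's address plus a header the client controls.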


 



