[ic] Allowing a particular domain access to content
Paul Jordan
paul at gishnetwork.com
Mon May 24 14:05:04 UTC 2010
>> Is there a way to allow only a particular external domain to access
>> content from an Interchange website when one does not have control of
>> the external domain?
>>
>> Site1 grabs stuff from Site2, and Site2 doesn't want to show this
>> content to anyone other than Site1. I have complete control over Site2,
>> and limited (practically zero) control of Site1.
>>
>> I've been controlling access using environment variables, but I'm pretty
>> sure all environment variables can be faked.
>
> Environment variables can't be faked, but http headers (which control
> some of the variables, such as referrer) can be. I think what you're
> referring to here is having a third person actually presented the
> content in a browser and checking the referrer, in which case you have
> the distinction of presenting the content to anyone as long as they are
> also on the other site. In that case the only way that I know of is to
> check the referrer which can (as you point out) be spoofed.
>
> If, on the other hand, the other site is fetching the content from you
> directly and displaying it to the browser (by actually pulling the
> content through their own server) then you can check the IP address to
> verify that the connection is coming from that server.

Site1 is displaying content through an iframe. I checked and the only IPs
that are in [env] are the visitor and Site2; Site1 is only mentioned in the
referrer. Since the iframe is really called from the visitor's browser, I
guess there is really not much I can do.

Is there anything I can suggest to these people that would make it more
plausible to achieve this type of security?

Paul
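
The distinction drawn in this thread between a server-side fetch and an iframe loaded by the visitor's browser, as an added example that is not part of the original messages: it classifies a request from the CGI-style variables `REMOTE_ADDR` and `HTTP_REFERER` and marks a referrer-only match as weak evidence. The host name, the addresses and the function name `classify_request` are assumptions made for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed values (documentation address ranges, example host names).
SITE1_HOST = "site1.example"
SITE1_SERVER_IPS = {ip_address("192.0.2.10")}


def classify_request(env):
    """Classify a request to Site2 from CGI-style variables.

    "site1-server"  - the TCP peer is Site1's server (server-side fetch)
    "referrer-only" - only the client-supplied Referer names Site1
    "deny"          - nothing ties the request to Site1
    """
    try:
        peer = ip_address(env.get("REMOTE_ADDR", ""))
    except ValueError:
        return "deny"
    if peer in SITE1_SERVER_IPS:
        return "site1-server"

    # Compare the parsed host exactly; a substring match would also
    # accept hosts such as site1.example.other.test.
    try:
        host = urlsplit(env.get("HTTP_REFERER", "")).hostname
    except ValueError:  # malformed URL in the header
        return "deny"
    if host == SITE1_HOST:
        # The header comes from the browser, so treat this as a hint only.
        return "referrer-only"
    return "deny"


# Constructed sample requests.
SERVER_SIDE_FETCH = {"REMOTE_ADDR": "192.0.2.10"}
IFRAME_VISITOR = {"REMOTE_ADDR": "198.51.100.7",
                  "HTTP_REFERER": "https://site1.example/page"}
LOOKALIKE_REFERER = {"REMOTE_ADDR": "198.51.100.7",
                     "HTTP_REFERER": "https://site1.example.other.test/"}
NO_REFERER = {"REMOTE_ADDR": "198.51.100.7"}

if __name__ == "__main__":
    for name, env in [("server-side fetch", SERVER_SIDE_FETCH),
                      ("iframe in visitor's browser", IFRAME_VISITOR),
                      ("look-alike referrer host", LOOKALIKE_REFERER),
                      ("no referrer", NO_REFERER)]:
        print(f"{name}: {classify_request(env)}")
```

In the iframe case the peer address is always the visitor's, so the strongest result this check can return for it is `referrer-only`.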