[ic] Allowing a particular domain access to content

Peter peter at pajamian.dhs.org
Mon May 24 20:03:29 UTC 2010


On 25/05/10 02:05, Paul Jordan wrote:
>>> Is there a way to allow only a particular external domain to access
>>> content from an Interchange website when one does not have control of
>>> the external domain?
>>>
>>> Site1 grabs stuff from Site2, and Site2 doesn't want to show this
>>> content to anyone other than Site1. I have complete control over Site2,
>>> and limited (practically zero) control of Site1.
>>>
>>> I've been controlling access using environment variables, but I'm pretty
>>> sure all environment variables can be faked.
>>
>> Environment variables can't be faked, but http headers (which control
>> some of the variables, such as referrer) can be.  I think what you're
>> referring to here is having a third person actually presented the
>> content in a browser and checking the referrer, in which case you have
>> the distinction of presenting the content to anyone as long as they are
>> also on the other site.  In that case the only way that I know of is to
>> check the referrer which can (as you point out) be spoofed.
>>
>> If, on the other hand, the other site is fetching the content from you
>> directly and displaying it to the browser (by actually pulling the
>> content through their own server) then you can check the IP address to
>> verify that the connection is coming from that server.
> 
> Site1 is displaying content through an iframe. I checked and the only
> IPs that are in [env] are the visitor and Site2; Site1 is only
> mentioned in the referrer. Since the iframe is really called from the
> visitor's browser I guess there is really not much I can do.
> 
> Is there anything I can suggest to these people that would make it more
> plausible to achieve this type of security?

Not really. If you can control the URL called by Site1 you can make the
page name sufficiently long and obscure so that it's near impossible to
guess it, but someone viewing your site through Site1 need only check
the page source of the enclosing frame to determine the long obscure URL.

If it is easy to tell Site1 to change this URL (i.e. Site1 has an
automated means of doing so without user intervention) then put in an
automated script to change the page name to something new and still
sufficiently random once a day, or hour, or whatever.

Otherwise, it should be possible to use JavaScript to check the URL of
the top frame and perform some action depending on whether it is correct
or incorrect.  Kind of the reverse of the frame killer that Rene suggested.


Peter
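
The JavaScript top-frame check suggested above, as an added example that is not part of the original post: a page framed from another origin cannot read `top.location`, so the code falls back to `location.ancestorOrigins` and then to `document.referrer`. The origin `https://site1.example` and the function names are assumptions made for illustration.

```javascript
// Added example. ALLOWED_TOP is a placeholder origin standing in for Site1;
// topOrigin() and framingVerdict() are hypothetical helper names.
const ALLOWED_TOP = "https://site1.example";

// Best-effort origin of the enclosing top frame, or null if it cannot be determined.
// `win` is passed in so the logic can be exercised outside a browser.
function topOrigin(win) {
  if (win.top === win.self) return null; // not framed at all

  // Same-origin top frame: readable. Cross-origin: the property read throws.
  try {
    return win.top.location.origin;
  } catch (e) { /* cross-origin, fall through */ }

  // Some browsers expose the ancestor chain; the last entry is the top frame.
  const anc = win.location.ancestorOrigins;
  if (anc && anc.length > 0) return anc[anc.length - 1];

  // Fallback: referrer of the frame load (the embedding page; may be empty or stripped).
  try {
    return new URL(win.document.referrer).origin;
  } catch (e) {
    return null;
  }
}

// "direct" = opened outside any frame, "allowed" = framed by the expected origin,
// "wrong-parent" = framed by another origin, "unknown-parent" = framed, origin unknown.
function framingVerdict(win, allowed) {
  const origin = topOrigin(win);
  if (origin === null) return win.top === win.self ? "direct" : "unknown-parent";
  return origin === allowed ? "allowed" : "wrong-parent";
}

// In the page itself: hide the content unless it is framed by the expected site.
if (typeof window !== "undefined") {
  if (framingVerdict(window, ALLOWED_TOP) !== "allowed") {
    document.documentElement.style.display = "none";
  }
}
```

The check runs in the visitor's browser, so it steers ordinary visitors but does not stop anyone who requests the URL directly. The `Content-Security-Policy: frame-ancestors` response header asks the browser to enforce the same framing restriction.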



