[ic] Allowing a particular domain access to content

Gert van der Spoel gert at 3edge.com
Mon May 24 20:12:46 UTC 2010

> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-
> users-bounces at icdevgroup.org] On Behalf Of Peter
> Sent: Monday, May 24, 2010 11:03 PM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] Allowing a particular domain access to content
> On 25/05/10 02:05, Paul Jordan wrote:
> >>> Is there a way to allow only a particular external domain to access
> >>> content from an Interchange website when one does not have control
> of
> >>> the external domain?
> >>>
> >>> Site1 grabs stuff from Site2, and Site2 doesn't want to show this
> >>> content to anyone other than Site1. I have complete control over
> Site2,
> >>> and limited (practically zero) control of Site1.
> >>>
> >>> I've been controlling access using environment variables, but I'm
> pretty
> >>> sure all environment variables can be faked.
> >>
> >> Environment variables can't be faked, but http headers (which
> control
> >> some of the variables, such as referrer) can be.  I think what
> you're
> >> referring to here is having a third person actually presented the
> >> content in a browser and checking the referrer, in which case you
> have
> >> the distinction of presenting the content to anyone as long as they
> are
> >> also on the other site.  In that case the only way that I know of is
> to
> >> check the referrer which can (as you point out) be spoofed.
> >>
> >> If, on the other hand, the other site is fetching the content from
> you
> >> directly and displaying it to the browser (by actually pulling the
> >> content through their own server) then you can check the IP address
> to
> >> verify that the connection is coming from that server.
> >
> > Site1 is displaying content through an iframe. I checked and the only
> > IP's that are in [env] are the visitor, and Site2, Site1 is only
> > mentioned in the referrer. Since the iframe is really called from the
> > visitors browser I guess there is really not much I can do.
> >
> > Is there anything I can suggest to these people that would make it
> more
> > plausible to achieve this type of security?
> Not really, If you can control the URL called by Site1 you can make the
> page name sufficiently long and obscure so that it's near impossible to
> guess it, but someone viewing your site through Site1 need only check
> the page source of the enclosing frame to determine the long obscure
> URL.
> If it is easy to tell Site1 to change this URL (ie Site1 has an
> automated means of doing so without user intervention) then put in an
> automated script to change the page name to something new and still
> sufficiently random once a day, or hour, or whatever.
> Otherwise, it should be possible to use Javascript to check the URL of
> the top frame and perform some action depending on whether it is
> correct
> or incorrect.  Kind of the reverse of the frame killer that Rene
> suggested.

I think the problem with this is that the parent/top window location details
are not accessible via javascript in the iframe.
www.domain1.com  with iframe to www.domain2.com I believe that domain2.com
then is not allowed to access the location details.

But you could perhaps make <iframe src="... " have a scripted part, which
uses the parent location (so generated on the side of the iframe) .. that
script could for example generate a code which contains the parent URL and a
timestamp .. On your side you could decrypt this and check the timestamp to
be within a certain boundary ... In case someone finds the link it would not
work anymore of that boundary (bit like Peters suggestion above).

Sounds like there has to be an easier way :)
> Peter
> _______________________________________________
> interchange-users mailing list
> interchange-users at icdevgroup.org
> http://www.icdevgroup.org/mailman/listinfo/interchange-users

More information about the interchange-users mailing list