[ic] Allowing a particular domain access to content

Paul Jordan paul at gishnetwork.com
Mon May 24 22:02:00 UTC 2010


> On 25/05/10 08:12, Gert van der Spoel wrote:
>> I think the problem with this is that the parent/top window location
>> details are not accessible via javascript in the iframe.
>> www.domain1.com  with iframe to www.domain2.com I believe that
>> domain2.com then is not allowed to access the location details.
>>
>> But you could perhaps make <iframe src="... " have a scripted part, which
>> uses the parent location (so generated on the side of the iframe) .. that
>> script could for example generate a code which contains the parent URL
>> and a timestamp .. On your side you could decrypt this and check the
>> timestamp to be within a certain boundary ... In case someone finds the
>> link it would not work anymore of that boundary (bit like Peter's
>> suggestion above).
>>
>> Sounds like there has to be an easier way :)
>
> Well, if you can get site1 to cooperate that well then what you could do
> is this:
>
> You and site1 have a "shared secret" (password or key).  Site1 maintains
> a counter, and sends the value of that counter in a CGI variable.  Site1
> also does an MD5 hash of the counter value with the shared secret and
> sends the resulting hash to you in another CGI variable.
>
> On your end, you grab the counter value from CGI space, hash it yourself
> against the shared secret (which you both know but you don't transmit),
> and if the resulting hash is the same as the one that site1 sent you the
> request is valid.  You then add the counter value to a db record that
> invalidates that value for further use (so someone can't re-use the
> counter value and hash value from an old URL).
>
> To keep the database table short you could purge old counter values from
> it on occasion and just check that the counter value passed is greater
> than the minimum one in the db and does not exist in the db.

Yeah, it might be easier to build a time machine so I can get these guys
out of 1999. Clearly there is no decent way that wouldn't require effort
for this third party (because they won't put anything into it).

Thanks for everyone's advice though, if anything it has convinced me that
I just need to make an entirely separate system to present more sensitive data
directly, with a log in.

Best,

Paul
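
The counter-and-shared-secret check described in the quoted message, as an added example that is not part of the original thread or of Interchange. It uses HMAC-SHA256 with a constant-time comparison in place of the plain MD5 hash the message mentions; the secret value, the `used` table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

SHARED_SECRET = b"constructed-demo-secret"  # assumption: agreed out of band, never transmitted

def sign(counter: int, secret: bytes = SHARED_SECRET) -> str:
    """Site1's side: tag the counter value with the shared secret."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()

class CounterVerifier:
    """Receiving side: check the tag, then invalidate the counter value."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.db = sqlite3.connect(":memory:")  # stand-in for the real database
        self.db.execute("CREATE TABLE used (counter INTEGER PRIMARY KEY)")

    def verify(self, counter_param: str, tag_param: str) -> bool:
        # Both values arrive as untrusted CGI strings.
        if not (counter_param.isascii() and counter_param.isdigit()):
            return False
        if len(counter_param) > 18:  # keep the value inside SQLite's integer range
            return False
        counter = int(counter_param)
        expected = sign(counter, self.secret)
        if not hmac.compare_digest(expected.encode(), tag_param.encode()):
            return False
        (floor,) = self.db.execute("SELECT MIN(counter) FROM used").fetchone()
        if floor is not None and counter <= floor:
            return False  # at or below the oldest retained value: used or purged
        try:
            with self.db:
                self.db.execute("INSERT INTO used VALUES (?)", (counter,))
        except sqlite3.IntegrityError:
            return False  # this counter value was already used
        return True

    def purge(self, keep: int) -> None:
        """Drop all but the `keep` highest values; the lowest survivor is the floor."""
        with self.db:
            self.db.execute(
                "DELETE FROM used WHERE counter NOT IN "
                "(SELECT counter FROM used ORDER BY counter DESC LIMIT ?)",
                (max(keep, 1),))  # always retain one row so the floor survives
```

Because the floor is the lowest value still in the table, a valid but never-used counter below it is rejected too, so requests that arrive far out of order fail closed.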
 



