doulong6761 2014-02-26 00:49
Views: 227
Accepted

Embedded iframe - verifying the origin/source of a GET request

I'm seeking to utilize an iframe to embed some HTML in customers' websites that will list some information from my database using a simple GET request, like so:

// customer would copy/paste this code onto their site
// value of key would be unique key for that customer

<iframe src='http://mydomain.php/api?key=1234j1lj1hj124kh' ></iframe>


Now I want to be able to verify that the request is coming from the customer that owns the key, and not just anybody who copied/pasted that code onto their page.

I've done some research and found that $_SERVER['HTTP_REFERER'] can give me this information, but with mostly mixed reviews saying it isn't always reliable (and most of the questions I came across were a couple of years old).

QUESTIONS

1.) Is this method of using an iframe/GET request the standard way of achieving this functionality?

2.) Is there a standard, SECURE and RELIABLE way to verify the origin of the GET request?


3 answers

  • doudou890510 2014-03-04 12:47

    Unfortunately this is not possible in a secure way.

    To answer your questions: in fact this is not standard functionality in itself. I mean, there is no standard, secure way of allowing content to be loaded only through iframes from allowed websites.

    There are three parties in this communication:

    1) Your website

    2) The customer's website, which loads your website's data in an iframe

    3) The end user visiting the customer's website

    When an end user visits the customer's website, he will perform a GET request to your website through the iframe. In this connection, party 2 above (the customer's website) is not involved. In this case, there is no reliable way for your website to know whether this request is coming through the iframe or not. The only favor that party 2 does here is adding the HTTP_REFERER header to the end user's request. But this header cannot be trusted.

    For example, if I want to abuse this and show that content on my website, I can create a proxy page in my application, where I perform a back-end call to your app (adding a valid HTTP_REFERER header) and display the results back.

    This answer was selected as the best answer by the asker.
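The following is an added example, not code from the question or the answer above: a stand-in for the asker's `/api` endpoint (in Python rather than PHP so it runs self-contained) that does the Referer check the asker is considering, plus a client that plays the role of the copycat's proxy page the answer describes. The key, the registered origin and the port are all constructed here; `KEY_REGISTRY`, `referer_allowed`, `fetch` and `run_demo` are hypothetical names. It shows that the check does reject a naive copy/paste of the iframe onto another site, but passes as soon as the caller chooses the Referer value itself.

```python
"""Referer-based origin check for an iframe API key, and why it is not a
security boundary. Added example; all keys, origins and ports are constructed."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Constructed registry (hypothetical): API key -> origin allowed to embed it.
KEY_REGISTRY: Dict[str, str] = {
    "1234j1lj1hj124kh": "https://customer-a.example",
}


def referer_allowed(key: str, referer: Optional[str]) -> bool:
    """True if the Referer's origin (scheme + host[:port]) matches the origin
    registered for the key. Compare the whole origin, not a substring, so
    'https://customer-a.example.attacker.test' does not match.
    Caveat: browsers may omit or trim Referer (Referrer-Policy, HTTPS->HTTP),
    so a missing header means lost legitimate traffic, not proof of abuse."""
    expected = KEY_REGISTRY.get(key)
    if expected is None or not referer:
        return False
    parsed = urlparse(referer)
    return f"{parsed.scheme}://{parsed.netloc}" == expected


class ApiHandler(BaseHTTPRequestHandler):
    """Party 1 in the answer's terms: the API that serves the iframe content."""

    def do_GET(self) -> None:
        query = parse_qs(urlparse(self.path).query)
        key = query.get("key", [""])[0]
        if referer_allowed(key, self.headers.get("Referer")):
            status, body = 200, b"<p>customer data</p>"
        else:
            status, body = 403, b"forbidden"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def fetch(url: str, referer: Optional[str]) -> int:
    """One GET to the API with a caller-chosen Referer; returns the status code.
    This is exactly what a server-side proxy page can do: it is the client,
    so it sets any header it likes."""
    req = Request(url)
    if referer is not None:
        req.add_header("Referer", referer)
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_demo() -> Dict[str, int]:
    """Start the API on a loopback port, run four requests, return the codes."""
    server = HTTPServer(("127.0.0.1", 0), ApiHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{port}/api?key=1234j1lj1hj124kh"
    try:
        return {
            # Browser on the real customer page: Referer is the customer's origin.
            "legit_embed": fetch(url, "https://customer-a.example/page.html"),
            # Iframe snippet copied onto another site: browser sends that origin.
            "copied_to_other_site": fetch(url, "https://copycat.example/page.html"),
            # Referrer-Policy or a privacy extension stripped the header.
            "referer_stripped": fetch(url, None),
            # Copycat's back-end proxy forges the expected Referer: check passes.
            "proxy_forging_referer": fetch(url, "https://customer-a.example/"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, code in run_demo().items():
        print(f"{case:24s} -> {code}")
```

The check is worth keeping only as a deterrent against casual copy/paste; for anything that must actually be restricted, the answer's conclusion stands, because the only party whose identity you can verify is the one making the TCP connection, and that is the end user's browser (or a proxy pretending to be one), never the embedding site.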