download201401 2012-12-15 22:32 采纳率: 0%
浏览 102

PHP - 使用HTTP_REFERER来测试iframe的父页面是否可靠?

I have a page called test2.php that is loaded into test1.php via iframe.

I would like to implement a whitelist to make sure that test2.php is only accessed via test1.php. I noticed that the parent page URL (test1.php) is passed as the HTTP_REFERER for the child iframe page (test2.php).

This holds true in IE7/8/9 and the versions of Chrome and FF I'm using.

So, in this case, as real security is not a factor, is testing the HTTP_REFERER field reliable to check the parent page's identity? Are there browsers that do not set this header for iframes, or is there an edge case I'm not taking into consideration?

I realize this is not hack-proof, as header spoofing is trivial, but security is not an issue. I simply want to control (more or less) on what pages test2.php is embedded.

Thank you for your time.

  • 写回答

1条回答 默认 最新

  • dsdukbc60905239 2014-11-04 14:20
    关注

    You can use JavaScript - at the beginning check if your test2.php file is in iFrame

    var isInIframe = (parent !== window);

    then you can get & verify parent url

    function getParentUrl() {
var isInIframe = (parent !== window),
    parentUrl = null;

if (isInIframe) {
    parentUrl = document.referrer;
}

return parentUrl;

    }

    评论

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题