I have a page called test2.php that is loaded into test1.php via iframe.
I would like to implement a whitelist to make sure that test2.php is only accessed via test1.php. I noticed that the parent page URL (test1.php) is passed as the HTTP_REFERER for the child iframe page (test2.php).
This holds true in IE7/8/9 and the versions of Chrome and FF I'm using.
So, in this case, as real security is not a factor, is testing the HTTP_REFERER field reliable to check the parent page's identity? Are there browsers that do not set this header for iframes, or is there an edge case I'm not taking into consideration?
I realize this is not hack-proof, as header spoofing is trivial, but security is not an issue. I simply want to control (more or less) on what pages test2.php is embedded.
Thank you for your time.
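The check described in the question, written out as an added example (not part of the original post); it compares the parsed host and path of the Referer against an allowlist and reports an absent header as its own outcome instead of treating it as a match or a mismatch. The `www.example.com` host, the `ALLOWED_PARENTS` list and the `classify_referer` function are assumptions made for illustration.

```php
<?php
// Added example: allowlist check for the page embedding test2.php.
// ALLOWED_PARENTS and the example.com host are assumptions, not from the post.
const ALLOWED_PARENTS = [
    ['host' => 'www.example.com', 'path' => '/test1.php'],
];

/**
 * Classify a request by its Referer header.
 * Returns 'allowed', 'denied', or 'absent' (no usable header was sent).
 */
function classify_referer(array $server, array $allowed): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return 'absent'; // e.g. stripped by a proxy, privacy setting or referrer policy
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'denied'; // malformed value
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'denied';
    }
    $host = strtolower($parts['host']);
    $path = $parts['path'] ?? '/';
    foreach ($allowed as $entry) {
        // Compare parsed components exactly; a substring search for
        // "test1.php" would also match http://other.example/page.php?x=test1.php
        if ($host === $entry['host'] && $path === $entry['path']) {
            return 'allowed';
        }
    }
    return 'denied';
}

// Constructed sample inputs (not real traffic).
$samples = [
    ['HTTP_REFERER' => 'http://www.example.com/test1.php?id=7'],     // expected parent
    ['HTTP_REFERER' => 'http://other.example/page.php?x=test1.php'], // name only in query
    ['HTTP_REFERER' => 'http://www.example.com/'],                   // path trimmed to origin
    [],                                                              // header not sent
];
foreach ($samples as $s) {
    printf("%-50s %s\n", $s['HTTP_REFERER'] ?? '(none)', classify_referer($s, ALLOWED_PARENTS));
}
```

How test2.php responds to the `absent` outcome is a policy choice: rejecting it blocks visitors whose browser or proxy omits the header, while accepting it lets any embedder through that suppresses the header.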