donglang9880 2016-03-14 10:32
Views: 125

Securely exchanging data between an iframe and the main page

I'm working on a web-based CRM system that has limited capabilities for extending its functionality. To extend the functionality, I've installed Apache with PHP on the same server; from the PHP code, I have access to the CRM database. I can run the page served by Apache by adding an iframe in the CRM system, grabbing an ID from the URL and passing it to the iframe using the following JavaScript:

<div id="mydiv">
<script>
// Read a query-string parameter from the given URL (defaults to the current page URL).
function getUrlParam(name, url) {
  if (!url) url = location.href;
  // Escape square brackets so the name can be used inside a regular expression.
  name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
  var regexS = "[\\?&]" + name + "=([^&#]*)";
  var regex = new RegExp(regexS);
  var results = regex.exec(url);
  return results == null ? null : results[1];
}

console.log(window.location.href);
// Build the iframe URL from the ID found in the CRM page's query string.
var iframe = document.createElement('iframe');
var html = 'http://192.168.0.2:8000/Map/' + getUrlParam('ID', window.location.href);
iframe.width = 800;
iframe.height = 800;
iframe.frameBorder = "0";
iframe.src = encodeURI(html);
document.getElementById("mydiv").appendChild(iframe);
console.log('iframe.contentWindow =', iframe.contentWindow);
</script>
</div>

This all works very well, but this approach opens up a security issue: to see anything in the CRM system, you need to be logged in. If someone knew the URL/port of the Apache server, they could see whatever they like without having to log in.

What would be the best way to overcome this security issue without relying on "security through obscurity"? Is there a way to check that the iframe source is only loaded when it's indeed an iframe, or can I check for cookies from the parent site? I have no access to the username/password of the logged-in user on the CRM side.

The CRM users only use Chrome or Firefox, by the way.
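The post has no answers, so as an added example (not the asker's code) here is the browser-side half of the title's problem: the CRM page hands the ID to the iframe with postMessage instead of putting it in the URL, and the iframe page accepts it only when the browser-supplied event.origin is the CRM origin. The CRM origin, the message shape and the numeric ID format are assumptions; the map server origin is the one from the post.

```javascript
// Added example, not from the original post. Origins: CRM_ORIGIN is constructed,
// MAP_ORIGIN is the Apache server named in the question.
const CRM_ORIGIN = 'https://crm.example.internal';
const MAP_ORIGIN = 'http://192.168.0.2:8000';

// Iframe side (page served by Apache): decide whether a message may be acted on.
// event.origin is filled in by the browser, so the sender cannot forge it.
// Returns the record ID to load, or null when the message must be ignored.
function acceptParentMessage(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return null;
  const data = event.data;
  if (!data || data.type !== 'crm-record' || typeof data.id !== 'string') return null;
  // Assumed ID format: plain digits. Reject anything else before it is used.
  if (!/^\d{1,12}$/.test(data.id)) return null;
  return data.id;
}

// Parent side (script inside the CRM page): send the ID to one explicit origin,
// never '*', so a frame that ended up on another origin cannot read it.
function sendRecordId(targetWindow, id, targetOrigin) {
  const msg = { type: 'crm-record', id: String(id) };
  targetWindow.postMessage(msg, targetOrigin);
  return msg;
}

// Browser wiring; skipped under Node, where the tests call the functions above.
if (typeof window !== 'undefined') {
  if (window.location.origin === MAP_ORIGIN) {
    // Inside the iframe: wait for the ID, then tell the parent we are listening.
    window.addEventListener('message', (e) => {
      const id = acceptParentMessage(e, CRM_ORIGIN);
      if (id !== null) { /* fetch and render record `id` from your own endpoint */ }
    });
    window.parent.postMessage({ type: 'map-ready' }, CRM_ORIGIN);
  } else {
    // Inside the CRM page: create the frame without the ID in its URL and
    // release the ID only after the frame, at the expected origin, reports ready.
    const iframe = document.createElement('iframe');
    iframe.src = MAP_ORIGIN + '/Map/';
    window.addEventListener('message', (e) => {
      if (e.origin !== MAP_ORIGIN || !e.data || e.data.type !== 'map-ready') return;
      const id = new URL(window.location.href).searchParams.get('ID');
      sendRecordId(iframe.contentWindow, id, MAP_ORIGIN);
    });
    document.getElementById('mydiv').appendChild(iframe);
  }
}
```

This only controls which page may hand the ID to the frame and which frame may receive it; anyone who can reach 192.168.0.2:8000 directly still gets the page, so the PHP side needs its own authorization check on every request as well.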


0 answers
