dongzha2525 2012-06-22 04:00

Remote host of an iframe

I have iframes over various websites. In my js, I'm hitting against a php file in a different domain. Is there a way to get the domain name for the server on which my iframes are hosted? (This is to prevent others hitting against my php file.)

Example: I have a domain called www.domain.com and another called www.phpscript.com. If my website is embedded in Yahoo, is there any way that I can find out that my js calls are coming from www.domain.com and not some dodgy website?

$_SERVER['REMOTE_HOST'] and $_SERVER['REMOTE_ADDR'] would not work in this situation, as REMOTE_ADDR would provide the user's IP and REMOTE_HOST would return yahoo.

2 answers

  • dqunzip3183 2012-06-22 04:17

    EDIT:

    The OP wanted to do the reverse of what I initially interpreted the question as.

    To prevent a site being accessed when it IS NOT in an iframe, you can use:

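    <script type="text/javascript">
    // Top-level load (not inside a frame): navigate away and blank the page.
    if (window.top === window.self) {
        window.self.location = 'about:blank';
        window.self.onload = function (evt) {
            window.self.location = 'about:blank';
            document.body.innerHTML = '';
        };
        // document.body is still null when this script runs inside <head>.
        if (document.body) {
            document.body.innerHTML = '';
        }
    }
    </script>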
    

    This requires JavaScript to be enabled, and will blank the page and redirect to about:blank (nothing) if the page is accessed outside of an iframe.


    To prevent a page from being accessed when it IS in an iframe (original answer, still useful):

    You can send the header X-Frame-Options: SAMEORIGIN (what Google does) to ask the browser to not display the content in a frame that's not on your domain.

    PHP

    header('X-XSS-Protection: 1; mode=block');
    header('X-Frame-Options: SAMEORIGIN');
    

    You could additionally work around this with JavaScript to stop access to the site through iframes:

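    // Loaded inside a frame: navigate the frame away and blank the page.
    if (window.top !== window.self) {
        window.self.location = 'about:blank';
        window.self.onload = function (evt) {
            window.self.location = 'about:blank';
            document.body.innerHTML = '';
        };
        // document.body is still null when this script runs inside <head>.
        if (document.body) {
            document.body.innerHTML = '';
        }
    }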
    

    Both of these methods rely on browser support, but it's better than nothing.

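As an added example (not part of the original answer): the headers and scripts above only control framing, so for the question's actual goal the PHP endpoint can compare the browser-supplied Origin header, falling back to Referer, against an exact-match allowlist. The allowlist entry is the question's sample domain and the function names are hypothetical; non-browser clients can send any header value, so this filters out browsers loading the script from other sites rather than authenticating callers.

```php
<?php
// Added example, not the answerer's code; allowlist entry and function names are assumptions.
const ALLOWED_ORIGINS = ['https://www.domain.com'];

// Reduce an Origin or Referer value to "scheme://host[:port]"; null if unusable.
function header_origin(?string $value): ?string
{
    if ($value === null || $value === '' || $value === 'null') {
        return null; // absent header, or the opaque "null" origin of sandboxed frames
    }
    $parts = parse_url($value);
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $origin = strtolower($parts['scheme'] . '://' . $parts['host']);
    return isset($parts['port']) ? $origin . ':' . $parts['port'] : $origin;
}

// Origin of the page whose script made the call, as reported by the browser.
function caller_origin(array $server): ?string
{
    return header_origin($server['HTTP_ORIGIN'] ?? null)
        ?? header_origin($server['HTTP_REFERER'] ?? null);
}

// True only when the reported origin matches an allowlist entry exactly.
function is_allowed_caller(array $server, array $allowed = ALLOWED_ORIGINS): bool
{
    $origin = caller_origin($server);
    return $origin !== null && in_array($origin, $allowed, true);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, so the check can be exercised offline.
    $samples = [
        ['HTTP_ORIGIN' => 'https://www.domain.com'],                   // exact allowlisted origin
        ['HTTP_REFERER' => 'https://www.domain.com/widget.html?id=1'], // Referer fallback
        ['HTTP_ORIGIN' => 'https://www.domain.com.other.example'],     // lookalike host
        ['HTTP_ORIGIN' => 'null'],                                     // sandboxed frame
        [],                                                            // no header at all
    ];
    foreach ($samples as $s) {
        echo json_encode($s, JSON_UNESCAPED_SLASHES), ' => ', is_allowed_caller($s) ? 'allow' : 'deny', PHP_EOL;
    }
} elseif (!is_allowed_caller($_SERVER)) {
    http_response_code(403); // refuse before the script does any work
    exit;
}
```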
