There is a PHP script that is executed by the user in an iframe; the script is on one domain, and the iframe is on another. I need to check the user's domain: if such a domain exists, then the script is executed.

The problem is that no $_SERVER element gives the remote client's domain, except of course HTTP_REFERER. All the rest show information about the server on which the script itself is running (even REMOTE_HOST).

client.ru

 <iframe style="border: 0px; " src="http://server.ru/lib.php" width="100%" height="100%"></iframe> 

server.ru

 $url = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
 $urlcheck = ['client.ru']; // array with the hosts of allowed clients goes here
 if (in_array($url, $urlcheck, true)) {
     echo 'выполняем скрипт'; // "executing the script"
 }

I don’t really like HTTP_REFERER myself, because it can easily be changed, but how else can I check the client’s domain?

2 answers

To get any data about the parent window in the context of the iframe (if the domains do not match, of course), code must be added on the parent window's side. The data transfer itself can be organized via postMessage, cross-domain AJAX, etc. In your case, you can use any HTML node that generates an HTTP request to get the domain:

 <!-- parent page -->
 <script>
   // Report the parent page's domain to the server through an image request
   var src = 'http://www.yourdomain.com?domain=' + encodeURIComponent(top.document.domain);
   (new Image()).src = src;
 </script>

  • Can you write an example with a node based on my connection? - Max Vin
  • It turns out a GET is generated with the domain name, which I already check. But, after all, a person does not need to connect the same iframe on another unresolved domain and indicate clearly www.yourdomain.com?domain=domain1.ru, having cut this handler from the JavaScript. - Max Vin
  • Yes, like any client code, the user has access to it and, accordingly, can edit it, redefine variables, etc. You can obfuscate it, you can even encrypt it. Only from the server side you will not be able to do it - mkardakov

You can also look at $_SERVER['HTTP_ORIGIN'], which will be just what you need. But this key is present only at the moment when the iframe opens the page.
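
The allow-list check from the question combined with the HTTP_ORIGIN key from the answer above, as an added example that is not part of the original posts. It goes one step beyond the thread by also building a `Content-Security-Policy: frame-ancestors` header, which the browser enforces itself. Assumptions: the function names are hypothetical, the allow-list holds bare host names, and `client.ru` is the parent domain from the question.

```php
<?php
// Added example, not code from the original posts.
// Assumption: the allow-list holds bare host names; 'client.ru' comes from the question.
const ALLOWED_EMBEDDERS = ['client.ru'];

/** Host of the embedding page as reported by the browser, or null. */
function embedding_host(array $server): ?string
{
    // Use Origin when the browser sent it, otherwise fall back to Referer.
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $key) {
        $host = parse_url($server[$key] ?? '', PHP_URL_HOST);
        if (is_string($host) && $host !== '') {
            return strtolower(rtrim($host, '.'));
        }
    }
    return null; // header missing, "null" origin, or unparsable value
}

/**
 * Exact match against the allow-list; substring tests would accept lookalikes.
 * Both headers are client-supplied, so this only filters ordinary browsers.
 */
function embedder_allowed(array $server, array $allowed = ALLOWED_EMBEDDERS): bool
{
    $host = embedding_host($server);
    return $host !== null && in_array($host, $allowed, true);
}

/** Header that makes the browser refuse to render the page inside other parents. */
function frame_ancestors_header(array $allowed = ALLOWED_EMBEDDERS): string
{
    $sources = $allowed ? implode(' ', $allowed) : "'none'";
    return 'Content-Security-Policy: frame-ancestors ' . $sources;
}

// Constructed sample requests (not captured traffic).
$samples = [
    'allowed parent'    => ['HTTP_REFERER' => 'http://client.ru/page.html'],
    'upper-case origin' => ['HTTP_ORIGIN'  => 'http://CLIENT.RU'],
    'lookalike host'    => ['HTTP_REFERER' => 'http://client.ru.example.net/'],
    'name only in path' => ['HTTP_REFERER' => 'http://example.net/client.ru'],
    'no header at all'  => [],
];
foreach ($samples as $label => $server) {
    printf("%-18s %s\n", $label, embedder_allowed($server) ? 'allow' : 'deny');
}
echo frame_ancestors_header(), "\n";
```

In lib.php the header string would be passed to `header()` before any output, and the script body would run only when `embedder_allowed($_SERVER)` returns true.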