OrganizedFellow Posted April 5, 2016
Hiya friends! A friend running his website on SquareSpace wants to link to a PHP form via iframe. SquareSpace does not allow/support PHP, I guess? https://answers.squarespace.com/questions/64124/linking-to-externally-hosted-php-form.html
So I help my friend out and have it working as needed. I've not used iframes since the days of pixel-precise table layouts. Should I be concerned with somehow securing the iframe source to prevent hotlinking or something?
For simple testing, I have the page here: http://www.jjaleman.com/thm/
If you view the source, you will see the iframe src is http://www.jjaleman.com/thm/rewards.php
How can I make sure (100%) that the rewards.php script is ONLY being called from my client's URL?
arjen Posted April 5, 2016
Hi, it is pretty much impossible to 100% secure it since most stuff can be (easily) spoofed. If the content is publicly accessible it's possible to access it. That's the baseline rule of internet content security. You can of course build some barriers to make it harder. There are several options to throw up some barriers:
JavaScript checking the parent hostname (this can be spoofed)
Mess around with the referer stuff in .htaccess (can be spoofed too)
Check how ProcessWire denies access to itself from other iframes
My opinion: you can throw up as many barriers as you like, but especially the people who want access are the people who know how to overthrow the barriers you build.
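The first option above (the framed page checking, in the browser, who its parent is), as an added example that is not code from the thread or from ProcessWire. The allow-list entry `https://example.squarespace.com` is a placeholder for the friend's real Squarespace address, and the decision logic is kept in a pure function so it can be tested outside a browser:

```javascript
// Added example: client-side check that this page is embedded by an allowed parent.
// Runs in the visitor's browser, so anyone controlling that browser can bypass it;
// it stops casual hotlinking only. The allow-list entry is a placeholder.

const ALLOWED_PARENTS = ["https://example.squarespace.com"];

// Reduce a URL or origin string to "scheme://host[:port]"; null if it cannot be
// parsed (this also covers the opaque "null" origin reported by sandboxed frames).
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Pure decision function.
//   ctx.isFramed         window.self !== window.top
//   ctx.ancestorOrigins  array copied from location.ancestorOrigins, or null where
//                        the browser does not expose it
//   ctx.referrer         document.referrer (may be empty or stripped by a referrer policy)
function frameParentAllowed(ctx, allowList) {
  const allowed = new Set(allowList.map(originOf).filter(Boolean));
  if (!ctx.isFramed) {
    return false; // opened directly rather than embedded
  }
  if (Array.isArray(ctx.ancestorOrigins) && ctx.ancestorOrigins.length > 0) {
    // Every ancestor must be allowed; otherwise a hostile page could frame the
    // allowed parent, which frames us, and the chain would pass.
    return ctx.ancestorOrigins.every((o) => allowed.has(originOf(o)));
  }
  // Fallback: for a framed document, document.referrer is the embedding page.
  const ref = originOf(ctx.referrer || "");
  return ref !== null && allowed.has(ref);
}

// Browser wrapper: gathers the context from the DOM and blanks the page on failure.
// Returns null when there is no window (e.g. under Node), so tests can import it.
function enforceEmbedding(allowList) {
  if (typeof window === "undefined") {
    return null;
  }
  const ctx = {
    isFramed: window.self !== window.top,
    ancestorOrigins: window.location.ancestorOrigins
      ? Array.from(window.location.ancestorOrigins)
      : null,
    referrer: document.referrer,
  };
  const ok = frameParentAllowed(ctx, allowList);
  if (!ok) {
    document.documentElement.innerHTML =
      "<p>This form can only be used from the site it belongs to.</p>";
  }
  return ok;
}

if (typeof module !== "undefined") {
  module.exports = { ALLOWED_PARENTS, originOf, frameParentAllowed, enforceEmbedding };
}
```

Include the script in the HTML that rewards.php emits and call `enforceEmbedding(ALLOWED_PARENTS)` early in the page. Note what it does not do: the server still serves the full page to every request, the check is skipped entirely by any client that does not run scripts, and in browsers without `location.ancestorOrigins` the referrer fallback fails closed whenever the parent site sends no Referer.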
pwired Posted April 5, 2016
There exist a lot of htaccess rules for that. Example:

```apache
# Deny framing by every site:
Header set X-Frame-Options DENY

# Or: allow framing only by pages on the same origin:
Header always append X-Frame-Options SAMEORIGIN
```

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
kixe Posted April 5, 2016
By default you cannot frame a page running under PW from another domain, because X-Frame-Options is set to SAMEORIGIN. In your case you could change the directive to X-Frame-Options ALLOW-FROM {uri}. Unfortunately this is not supported in all browsers (Chrome?). You have to try it out. Maybe the best solution is to move to a host which supports PHP and PW of course.
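The server-side pieces from the replies above (arjen's Referer check and the X-Frame-Options question kixe raises), combined in one added example that is not code from the thread or from ProcessWire. It assumes the form is `rewards.php` on `www.jjaleman.com` (the host in the original post) and that the only legitimate embedding site is `https://example.squarespace.com`, a placeholder for the friend's real address:

```php
<?php
// Added example, not code from the thread or from ProcessWire.
// Placeholders: https://example.squarespace.com stands in for the real embedding
// site; http://www.jjaleman.com is the host from the original post.
// Place at the very top of rewards.php, before any output.

declare(strict_types=1);

// Sites allowed to embed this form: origins only (scheme + host), no paths.
const ALLOWED_PARENTS = ['https://example.squarespace.com'];

// The form posts back to itself inside the iframe, and that request carries
// our own Referer rather than the parent's, so our origin must be allowed too.
const SELF_ORIGIN = 'http://www.jjaleman.com';

/**
 * Reduce a Referer URL to "scheme://host[:port]", or null if absent/malformed.
 */
function refererOrigin(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $origin = strtolower($parts['scheme'] . '://' . $parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    return $origin;
}

/**
 * Referer gate. The header is set by the client, so curl can forge it, and
 * privacy tools or a strict Referrer-Policy on the parent can strip it. This
 * stops casual hotlinking; it cannot give the 100% guarantee the question asks for.
 */
function refererAllowed(?string $referer, array $allowedOrigins): bool
{
    $origin = refererOrigin($referer);
    return $origin !== null
        && in_array($origin, array_map('strtolower', $allowedOrigins), true);
}

/**
 * Headers telling the visitor's browser which sites may frame this page.
 * This is clickjacking protection enforced by the browser; it does nothing to
 * stop anyone fetching rewards.php directly.
 */
function framingHeaders(array $allowedOrigins): array
{
    return [
        // CSP frame-ancestors is the current mechanism and accepts several origins.
        'Content-Security-Policy' => 'frame-ancestors ' . implode(' ', $allowedOrigins),
        // X-Frame-Options ALLOW-FROM takes one origin and Chrome never honoured it;
        // there is no X-Frame-Options value that allows exactly one foreign site
        // everywhere, so rely on CSP and do not send SAMEORIGIN here (that would
        // block the Squarespace embed).
    ];
}

if (PHP_SAPI !== 'cli') { // skip the live checks when the file is included from a test
    foreach (framingHeaders(ALLOWED_PARENTS) as $name => $value) {
        header($name . ': ' . $value);
    }
    if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null, array_merge(ALLOWED_PARENTS, [SELF_ORIGIN]))) {
        http_response_code(403);
        exit('This form is only available through the site it belongs to.');
    }
}
```

Two caveats a practitioner would check before deploying this. First, the `Header always append X-Frame-Options SAMEORIGIN` directive that ProcessWire applies by default is added by Apache's mod_headers to every response regardless of what PHP sends, so remove or scope that directive for rewards.php rather than trying to override it from PHP; otherwise the response carries a SAMEORIGIN header that contradicts the CSP. Second, test the form submission itself, not just the initial load: the POST inside the iframe arrives with the form's own URL as Referer, which is why `SELF_ORIGIN` is in the allow list.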
OrganizedFellow (author) Posted April 6, 2016
kixe wrote: Maybe the best solution is to move to a host which supports PHP and PW of course.
He's quite happy with the service he is using. I built a site for him years ago when I used ExpressEngine, and he liked it! Maybe I can convince him later.