OrganizedFellow Posted April 5, 2016

Hiya friends!

A friend running his website on SquareSpace wants to link to a PHP form via iframe. SquareSpace does not allow/support PHP, I guess?
https://answers.squarespace.com/questions/64124/linking-to-externally-hosted-php-form.html

So I help my friend out and have it working as needed. I've not used iframes since the days of pixel-precise table layouts.

Should I be concerned with somehow securing the iframe source to prevent hotlinking or something?

For simple testing, I have the page here: http://www.jjaleman.com/thm/
If you view the source, you will see the iframe src is http://www.jjaleman.com/thm/rewards.php

How can I make sure (100%) that the rewards.php script is ONLY being called from my client URL?
arjen Posted April 5, 2016

Hi, it is pretty much impossible to 100% secure it since most stuff can be (easily) spoofed. If the content is publicly accessible, it's possible to access it. That's the baseline rule of internet content security. You can of course build some barriers to make it harder. There are several options to throw up some barriers:

- JavaScript checking the parent hostname (this can be spoofed)
- Mess around with the referer stuff in .htaccess (can be spoofed too)
- Check how ProcessWire denies its access to other iframes

My opinion: you can throw as many barriers as you like, but especially the people who want access are the people who know and overthrow the barriers you build.
pwired Posted April 5, 2016

There exist a lot of htaccess rules for that. Example:

    Header set X-Frame-Options DENY
    Header always append X-Frame-Options SAMEORIGIN

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
kixe Posted April 5, 2016

By default you cannot frame a page running under PW from another domain, because X-Frame-Options is set to SAMEORIGIN. In your case you could change the directive to X-Frame-Options ALLOW-FROM {uri}. Unfortunately this is not supported in all browsers (Chrome?). You have to try it out. Maybe the best solution is to move to a host which supports PHP, and PW of course.
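The three replies above describe the same defensive layering: a browser-enforced framing policy (X-Frame-Options, which ProcessWire's .htaccess sets to SAMEORIGIN) plus a server-side Referer check that is only a soft signal because the client controls it. The following is an added example written for this thread, not code from any poster or from ProcessWire. It is a skeleton of what a rewards.php could do: it emits Content-Security-Policy frame-ancestors (the standardised successor of the ALLOW-FROM directive kixe mentions, and the one Chrome honours) alongside the legacy X-Frame-Options header, and refuses requests whose Referer is not the client origin. The origin https://client-site.example is a constructed placeholder, and the function names are my own.

```php
<?php
// Added example (not from the forum thread or ProcessWire): an embed-only PHP
// script that tells browsers which sites may frame it, with a Referer check as
// a secondary, spoofable signal.
declare(strict_types=1);

// Origins allowed to embed this page. Constructed placeholder: replace with the
// client's real Squarespace domain (scheme + host only, no path).
const ALLOWED_FRAME_ANCESTORS = ['https://client-site.example'];

/**
 * Build the response headers that restrict who may frame this page.
 * CSP frame-ancestors is the standardised control. X-Frame-Options ALLOW-FROM is
 * the legacy directive from the thread, sent only for old browsers; a browser
 * that understands frame-ancestors ignores X-Frame-Options entirely.
 *
 * @param string[] $allowed  Origins such as 'https://client-site.example'
 * @return string[]          Complete header lines ready for header()
 */
function frameAncestorHeaders(array $allowed): array
{
    if ($allowed === []) {
        // Nobody may frame the page at all.
        return ["Content-Security-Policy: frame-ancestors 'none'", 'X-Frame-Options: DENY'];
    }
    $headers = ['Content-Security-Policy: frame-ancestors ' . implode(' ', $allowed)];
    // ALLOW-FROM accepts exactly one origin, so the legacy header covers only the first.
    $headers[] = 'X-Frame-Options: ALLOW-FROM ' . $allowed[0];
    return $headers;
}

/**
 * Secondary check: does the Referer header name one of the allowed origins?
 * The Referer is client-supplied and trivially forged, so a match is not proof
 * that the framing page is legitimate; a mismatch is still a good reason to
 * refuse and log. Comparison is on scheme + host (+ port), never on the path.
 */
function refererAllowed(?string $referer, array $allowed): bool
{
    if ($referer === null || $referer === '') {
        return false; // fail closed when the browser sent no Referer
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $origin = strtolower($parts['scheme'] . '://' . $parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    return in_array($origin, array_map('strtolower', $allowed), true);
}

// --- request handling ---------------------------------------------------------
foreach (frameAncestorHeaders(ALLOWED_FRAME_ANCESTORS) as $line) {
    header($line);
}

$referer = $_SERVER['HTTP_REFERER'] ?? null;
if (!refererAllowed($referer, ALLOWED_FRAME_ANCESTORS)) {
    http_response_code(403);
    error_log('rewards.php: refused request with Referer=' . ($referer ?? '(none)'));
    exit('This form can only be used from the client site.');
}

// The real rewards form would be rendered from here.
echo '<form method="post"><!-- rewards form fields --></form>';
```

Two practical caveats. First, the `Header always append X-Frame-Options SAMEORIGIN` line in ProcessWire's .htaccess (quoted by pwired) is added by Apache after PHP runs, so the response would carry two conflicting X-Frame-Options values and browsers treat that as a denial; that line has to be changed or excluded for the directory holding this script before the headers above take effect. Second, the Referer check only works if rewards.php is served over HTTPS: the Squarespace parent page is HTTPS, and browsers strip the Referer on an HTTPS-to-HTTP frame load, so the http://www.jjaleman.com URL in the thread would be refused by its own check.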
OrganizedFellow (Author) Posted April 6, 2016

> Maybe the best solution is to move to a host which supports PHP, and PW of course.

He's quite happy with the service he is using. I built a site for him years ago when I used ExpressionEngine, and he liked it! Maybe I can convince him later.