1

I have a service and would like clients to be able to place this service on their website. I am looking at doing this by using an iframe. I will provide the code and they can just copy and paste the code to show the functionality. Each client will be discovered by the query string.

There is a concern that anyone can look at the source of the website, copy the iframe and add it to their own website therefore using the service and charging the original client. I obviously want to stop this.

Ideally, I would like to verify that the website that is using the iframe is linked to the client who registered to use the service. Is this possible at all? I know there are issues with cross domain security.

If it isn't possible, I guess I would need to create a widget instead.

asked Dec 11, 2012 at 1:18

1 Answer 1

2

For each client, have a whitelist of web sites that can embed the iframe. Then check the 'referer' header against that list whenever the page inside the iframe is loaded.

Or if http headers prove to be unreliable try using javascript, via parent.document.location.href

answered Dec 11, 2012 at 2:00
Sign up to request clarification or add additional context in comments.

2 Comments

I've seen on other posts that the referer is unreliable. Is this true?
Yes, some web browsers will omit the header entirely. But you don't need 100% reliability, just enough to make it not worth stealing your widget ;)

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.