what is other option for HTTP_REFERER in php?

Developer https://www.devze.com 2023-01-01 12:55 Source: web

I want to know if there is any option/workaround for $_SERVER['HTTP_REFERER'], because 'HTTP_REFERER' cannot be trusted. Then what is the other way to know which URL the request has come from?

Here is the situation - http:// abc.com/one.html will have an iframe having src=http:// xyz.com/giv.php?param=1. How will giv.php on xyz.com know that the request is coming from http:// abc.com/one.html?


Sorry, there is no other way. Welcome to the Internet


This looks like it might be an X-Y problem.

If X is

How can I stop unauthorized websites framing my content and presenting it to their unsuspecting users?

Then the referer is "good enough".

For the referer to be forged, the user has to participate. The unauthorised website can't tell the user's browser to send a false referer.


If you really want trust, then:

  • All communication between the servers and the browser needs to be done over HTTPS
  • abc.com needs to request a unique identifier token from xyz.com (possibly with the client IP address included in the message, but be aware that some clients cycle IP addresses)
  • That token needs to be included in the xyz.com URL of the iframe (e.g. in the query string) so that the server can authenticate it

Even then, the token can be leaked by the user (either intentionally or through malware installed on their system).
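
One way the token scheme from the answer above could look in PHP. This is an added example, not code from the thread; it assumes a stateless HMAC-signed token, and the names TOKEN_SECRET, TOKEN_TTL, b64url, issueToken and verifyToken are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical secret known only to xyz.com; load it from configuration in practice.
const TOKEN_SECRET = 'replace-with-32-random-bytes';
const TOKEN_TTL = 120; // seconds a token stays valid (assumed value)

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Run by xyz.com when abc.com's server asks for a token over HTTPS.
function issueToken(string $embedder, ?string $clientIp, int $now): string {
    $body = b64url(json_encode([
        'emb' => $embedder,                 // page allowed to frame giv.php
        'ip'  => $clientIp,                 // null disables IP binding
        'exp' => $now + TOKEN_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique identifier
    ], JSON_THROW_ON_ERROR));
    return $body . '.' . b64url(hash_hmac('sha256', $body, TOKEN_SECRET, true));
}

// Run in giv.php. Returns the embedder the token was issued to, or null.
function verifyToken(string $token, string $clientIp, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, TOKEN_SECRET, true));
    if (!hash_equals($expected, $mac)) {
        return null; // forged or altered token (constant-time comparison)
    }
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < $now) {
        return null; // malformed or expired
    }
    if ($claims['ip'] !== null && $claims['ip'] !== $clientIp) {
        return null; // presented from a different client address
    }
    return $claims['emb'];
}

// Constructed demonstration values (documentation IP ranges).
$now = time();
$token = issueToken('http://abc.com/one.html', '203.0.113.7', $now);
var_dump(verifyToken($token, '203.0.113.7', $now));       // same client
var_dump(verifyToken($token . 'x', '203.0.113.7', $now)); // tampered token
var_dump(verifyToken($token, '198.51.100.9', $now));      // different client
```

In giv.php the inputs would be $_GET['token'] and $_SERVER['REMOTE_ADDR']. Making the token single-use additionally requires xyz.com to record each jti it has already accepted.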
