
gambler (1)
#1
Hello,
Thanks a lot for a great job.

I have one question.

Let's say we need to allow only certain domains to place our third-party widget on their website. Website owners need to register their domain on the widget's home site.
How can this be done in a secure way? As HTTP_REFERER can be changed, I think it should be done via some JavaScript trick.
Is there a secure way to do it?
benvinegar (68)
#2
Re: Domain validation where widget is placed.
So, yes, a user can change their referrer. But most don't. And for those users that do, they usually just kill the referrer altogether (don't send it). What's more important is that only the browser user can modify their referrer header – not a website.

This means what you can do is verify the referrer when it is present, and ignore it otherwise.

Sure, a malicious user can change their referrer to point to something else – you can never stop that – but the point is that you prevent the 99% case. I think this is effective in ensuring your widget can only be placed on a specific domain. Otherwise it will be broken for the vast majority of visitors.
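The policy described in the answer above (check the Referer when it is present, let the request through when it is absent), as an added example that is not part of the original post or of any project; the registered-domain list and the request handler are constructed for illustration:

```javascript
// Decide whether to serve a third-party widget based on the Referer header.
// Follows the approach in the answer: verify the referrer when present,
// ignore it (allow) when the browser did not send one.
// REGISTERED_DOMAINS is a constructed sample, not a real registry.
const REGISTERED_DOMAINS = ["example.com", "shop.example.org"];

// Normalise a hostname: lowercase, strip a trailing dot.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True when `host` is exactly a registered domain or a subdomain of one.
// Comparing parsed hostname labels avoids substring mistakes such as
// "example.com.attacker.test" passing a naive includes("example.com") check.
function isRegisteredHost(host, registered = REGISTERED_DOMAINS) {
  const h = normaliseHost(host);
  return registered.some((d) => {
    const r = normaliseHost(d);
    return h === r || h.endsWith("." + r);
  });
}

// Policy for one request. `referer` is the raw header value or undefined.
// Returns "allow" or "deny".
function widgetPolicy(referer, registered = REGISTERED_DOMAINS) {
  // No referrer sent (privacy extension, Referrer-Policy, direct load):
  // the answer's advice is to ignore it rather than break the widget.
  if (referer === undefined || referer === "") return "allow";
  let url;
  try {
    url = new URL(referer);
  } catch {
    // A Referer that is present but is not a valid URL: reject it.
    return "deny";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "deny";
  return isRegisteredHost(url.hostname, registered) ? "allow" : "deny";
}

// Hypothetical Node http-style handler showing where the check sits.
// Node lowercases header names, so the header is read as `referer`.
function widgetHandler(req, res) {
  if (widgetPolicy(req.headers.referer) === "deny") {
    res.statusCode = 403;
    res.end("widget not registered for this site");
    return;
  }
  res.setHeader("Content-Type", "application/javascript");
  res.end("/* widget code */");
}
```

As the answer notes, a visitor can still suppress or forge their own Referer, so this gates the common case rather than providing a hard guarantee.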