gambler (1)
#1
Hello,
Thanks a lot for a great job.

I have one question.

Let's say we need to allow only certain domains to place our third-party widget on their website. Website owners need to register their domain on the widget's home site.
How can this be done in a secure way? As HTTP_REFERER can be changed, I think it should be done via some JavaScript trick.
Is there a secure way to do it?
benvinegar (68)
#2
Re: Domain validation where widget is placed.
So, yes, a user can change their referrer. But most don't. And for those users that do, they usually just kill the referrer altogether (don't send it). What's more important is that only the browser user can modify their referrer header – not a website.

This means what you can do is verify the referrer when it is present, and ignore it otherwise.

Sure, a malicious user can change their referrer to point to something else – you can never stop that – but the point is that you prevent the 99% case. I think this is effective in ensuring your widget can only be placed on a specific domain. Otherwise it will be broken for the vast majority of visitors.
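The check described in the answer above, written out as an added example (this is not code from the original thread or from the book). It runs server-side in Node.js where the widget script is served: when the browser sends a Referer header, the request is allowed only if the referring host is a registered domain or a subdomain of one; when the header is absent, the request is allowed, as the answer recommends. The REGISTERED_DOMAINS list and all function names are illustrative assumptions; a real widget service would load the list from its registration database.

```javascript
// Added example, not code from the original thread or the book.
// Server-side (Node.js) enforcement of the advice in the answer above:
// verify the Referer header when present, ignore it when absent.
// REGISTERED_DOMAINS and the function names are illustrative assumptions.
const REGISTERED_DOMAINS = new Set(['example.com', 'partner.example.org']);

// Extract the host from a Referer value. Returns null when the header is not
// an absolute http(s) URL, so garbage is treated as "untrusted", not "absent".
function refererHost(referer) {
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // WHATWG URL parsing yields the real hostname, lower-cased, with userinfo,
  // port, path and query already separated out. That defeats tricks such as
  // "https://example.com@evil.test/" or "https://evil.test/?u=https://example.com",
  // which a naive substring search on the raw header would accept.
  return url.hostname.replace(/\.$/, ''); // drop a trailing dot
}

// True if hostname is a registered domain or a subdomain of one.
function isRegistered(hostname, registered = REGISTERED_DOMAINS) {
  if (!hostname) return false;
  const h = hostname.toLowerCase();
  for (const d of registered) {
    if (h === d || h.endsWith('.' + d)) return true;
  }
  return false;
}

// Decision for one request. `referer` is the raw header value, or undefined
// when the browser did not send one.
//   absent  -> 'allow' (browser or referrer policy suppressed it)
//   present -> 'allow' if it points at a registered domain, otherwise 'deny'
function decide(referer, registered = REGISTERED_DOMAINS) {
  if (referer === undefined || referer === null || referer === '') return 'allow';
  return isRegistered(refererHost(referer), registered) ? 'allow' : 'deny';
}

// Example wiring: a Node http/Express-style handler that serves widget.js.
function widgetHandler(req, res) {
  if (decide(req.headers['referer']) === 'deny') {
    res.statusCode = 403;
    res.end('// widget not licensed for this site\n');
    return;
  }
  res.statusCode = 200;
  res.setHeader('Content-Type', 'application/javascript');
  res.end('/* widget code */\n');
}
```

Two practical notes on this check. First, a request with no Referer is deliberately allowed: browsers omit it on HTTPS-to-HTTP navigations and under restrictive Referrer-Policy settings, so denying that case would break the widget for legitimate sites. Second, compare the parsed hostname rather than searching the raw header for the registered domain; the parser handles the userinfo, query-string and subdomain-lookalike cases shown in the comments.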