views:

357

answers:

4

Is it as easy as $ENV{'HTTP_REFERER'}? or is there something else that I need to do?

Example: My Site: sample.php

Calling Site w/iFrame: somesite.com

I want sample.php when it loads to be able to use "somesite.com" for input as a variable.

+2  A: 

Hi,

First of all, your page must not depend on the Referer being present nor correct : it is an information that is sent by the browser, and can either :

  • be disabled (some firewall/antivirus remove that information, for instance -- or did sometime ago)
  • or be altered / faked (if you search a bit, there must be some firefox extension that allow you to fake this pretty easily, for instance)


For more informations, see, for instance :

These posts both "agree" with me ^^


Now, you can enventually use it to add some feature ; but you must not rely on it for your website to work ;-)

Pascal MARTIN
I already know that stuff. I am using the site name + public key + private key for some logging I am doing, I just want to know how to get it when the page is called inside an iFrame. Is it the same way or something else? That is my question, which in your rambling, failed to answer.
IPX Ares
Just for completeness: The Firefox addons are "Tamper Data" and "Modify Headers".
J. Random Coder
+4  A: 

There is no difference between an inline frame and a normal page. And loading an inline frame initially with src will send the HTTP referer.

Gumbo
A: 

As Pascal MARTIN mentioned, you shouldn't trust the Referer value absolutely.

Expanding on Gumbo's answer: since the Referer is transmitted as a header within an HTTP Request retrieving it within a script loaded in an <iframe> is exactly the same as retrieving it for any other script.

When the browser requests the page specified by the src attribute in the <iframe> it will submit an HTTP request like that for any other resource and will include the Referer header value.

The value of the Referer header will contain the URL of the page hosting the <iframe>. So if you had a PHP script named page-with-iframe.php and it contained <iframe src="sample.php" /> the HTTP request for sample.php might look something like:

GET /sample.php HTTP/1.1
Host: somesite.com
...
Referer: http://somesite.com/page-with-iframe.php

In sample.php you would use $ENV{'HTTP_REFERER'} to retrieve the value and from there you can parse out the hotname somesite.com.

dariom
+1  A: 

For a truly reliable way to access the parent URL, you can add a GET parameter to the iframe src containing the parent URL when you embed it. You can use Javascript to add this automatically along with the embed.

Here's an example that embeds the iframe at the end of the <body> tag:

var iframe = document.createElement('iframe');
iframe.src = '/sample.php?parent=' + window.location;
document.body.appendChild(iframe);

You can then access the parent URL reliably from PHP with:

$parent_url = $_GET['parent'];
James Wheare