If I have a PHP-generated widget canvas and sites using the widget iframe it with $_GET parameters, is there any way to get the domain that's making the request to my canvas page (JavaScript/PHP)?

i.e., stop people using my widget that don't have permission...

A: 

You can't reliably protect your content without coming up with a password-based system (or something else like that, involving the client presenting some secure credentials). The "REFERER" header is unreliable, but fairly useful if you're not trying to use it for security purposes.

"Referer" shows up as a request header, with that odd spelling. It provides the URL of the page from which the GET request was generated. It's not secure because it's completely under control of the client browser. It may be missing, or it may contain bogus data.

Pointy
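
One way to implement the credential-based approach the answer describes, as an added example that is not part of the original answer: the licensed site's server mints a short-lived HMAC token for the iframe URL, and the canvas page verifies it instead of trusting Referer. The `site` and `token` parameter names, the `SITE_SECRETS` registry, the sample secret and both function names are assumptions made for illustration.

```php
<?php
// Added example. Hypothetical registry of licensed sites and their shared
// secrets (constructed sample value); in practice load this from a database.
const SITE_SECRETS = [
    'site-123' => 'constructed-sample-secret-change-me',
];

// Runs on the licensed site's SERVER when it renders the page containing the
// iframe. The secret never reaches the browser, only the derived token does.
function widget_token(string $siteId, string $secret, int $ttl = 300): string
{
    $expires = time() + $ttl;
    return $expires . '.' . hash_hmac('sha256', $siteId . '|' . $expires, $secret);
}

// Runs on the canvas page. Returns true only for a known site presenting an
// unexpired token whose MAC matches. The Referer header is never consulted.
function widget_request_allowed(array $query, ?int $now = null): bool
{
    $now    = $now ?? time();
    $siteId = $query['site'] ?? '';
    $token  = $query['token'] ?? '';
    // Reject arrays (?site[]=x), unknown sites and missing parameters.
    if (!is_string($siteId) || !is_string($token) || !isset(SITE_SECRETS[$siteId])) {
        return false;
    }
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d{1,12}$/', $parts[0])) {
        return false;
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false; // token expired
    }
    $expected = hash_hmac('sha256', $siteId . '|' . $expires, SITE_SECRETS[$siteId]);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Canvas page entry point: refuse to render without a valid credential.
// The embedding page would use: canvas.php?site=site-123&token=<widget_token(...)>
if (!widget_request_allowed($_GET)) {
    http_response_code(403);
    exit('Widget not authorised for this site.');
}
echo '<!-- widget canvas markup goes here -->';
```

The token appears in the iframe URL, so a visitor to a licensed site can copy it; the expiry bounds how long a copied token keeps working.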