I am developing a web application which will entail cross scripting across domains using an iframe. Essentially, web authors will be able to embed code into an iframe on their page, and the browser will retrieve content from my web application and display it in the page. It is sort of like Google AdSense.
I need a way to ensure the parent page holding the iframe was served from the domain that is authorized to access my content. Within my web application I can use the referrer property and this reveals the domain name of the parent site. But this can be tricked simply by changing the hosts file. Should I instead rely on the IP address? But what if the IP address periodically changes?