I want to identify if a PHP script is being called inside an iframe of a different host. I could resort to using JavaScript for that, but I'd like to find a JS-free solution first.

Right now I'm using this logic:

If `$_SERVER['HTTP_HOST']` is not equal to the host name of `$_SERVER['HTTP_REFERER']`
And `$_SERVER['REDIRECT_STATUS']` is defined
Then the script is being called from inside an iframe on a different host.

I know this is by no means accurate, but it passed all tests so far.
Does somebody know a better solution, an extra condition I could check to be sure of this? Thanks.

SOLVED: Finally, I decided to go with JS. Now the two alternative contents are each inside a `<div>` and a JS script decides which one to show and which one to hide.

+1  A: 

> Does somebody know a better solution

To my knowledge not without JS, no. A referer different from HTTP_HOST could however also mean that the page was reached through a link, and of course both fields can be easily spoofed.

Pekka
About the spoofing, you're totally right, and JavaScript is also easily bypassed. And although it's not official, I noticed that the script inside an iframe has `REDIRECT_STATUS` defined, while when it's not inside an iframe, no matter if it has a referer, there's no `REDIRECT_STATUS` defined. But again, this is pure trial and error, no hard science here.
Petruza
Nope, doesn't always work.
Petruza
@Petruza what exactly do you need this for? Maybe there are other ways to achieve what you want to achieve.
Pekka
The site should display a different header image and HTML code when it's viewed normally than when it's viewed inside an iframe on our partner's site. And using JavaScript would mean having to reload the site, because the site is built based on templates and other processing made at server-side.
Petruza
@Petruza I see. I think this is going to be difficult to achieve. What about "soft" options like asking partners to use a special URL like `www.domain.com/iframe/.....` ?
Pekka
Yeah, we thought about that, but the problem is that solution would require modifying a lot of scripts to change the link hrefs to that URL too.
Petruza
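
Added example, not code from the question or the answer: a PHP version of the Referer-versus-Host check described in the question, run over constructed requests to show that a cross-host Referer alone cannot separate an iframe load from a followed link, as the answer points out. It goes beyond the page by first consulting the `Sec-Fetch-Dest` and `Sec-Fetch-Site` request headers that current browsers send over HTTPS. The function name, result labels and sample hosts are assumptions, and every header involved is client-supplied.

```php
<?php
declare(strict_types=1);

/**
 * Classify how a request reached the script, given a $_SERVER-style array.
 * Every header read here is client-supplied: use the result to choose a
 * template, never to make an access-control decision.
 * REDIRECT_STATUS is left out: web servers such as Apache set it on
 * internal redirects, so it says nothing about framing.
 */
function classifyEmbedding(array $server): string
{
    // Beyond the page: Fetch Metadata headers name the request destination.
    $dest = $server['HTTP_SEC_FETCH_DEST'] ?? null;
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($dest !== null && $site !== null) {
        if ($dest !== 'iframe') {
            return 'not-iframe';
        }
        return $site === 'same-origin' ? 'same-origin-iframe' : 'cross-origin-iframe';
    }

    // Fallback: the question's heuristic, Referer host versus Host header.
    $host = parse_url('//' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($host) || !is_string($refHost)) {
        return 'unknown'; // Host or Referer missing, stripped or unparsable
    }
    // A followed link from another host sends the same Referer as an iframe.
    return strcasecmp($host, $refHost) === 0
        ? 'same-host-referer'
        : 'ambiguous-cross-host-referer';
}

// Constructed sample requests (not captured traffic); hosts are placeholders.
$base = ['HTTP_HOST' => 'www.example.com', 'HTTP_REFERER' => 'https://partner.example.net/page'];
$samples = [
    'partner iframe, Fetch Metadata' => $base + ['HTTP_SEC_FETCH_DEST' => 'iframe', 'HTTP_SEC_FETCH_SITE' => 'cross-site'],
    'partner link, Fetch Metadata' => $base + ['HTTP_SEC_FETCH_DEST' => 'document', 'HTTP_SEC_FETCH_SITE' => 'cross-site'],
    'iframe or link, Referer only' => $base,
    'Referer stripped' => ['HTTP_HOST' => 'www.example.com'],
];
foreach ($samples as $label => $server) {
    printf("%-32s => %s\n", $label, classifyEmbedding($server));
}
```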