
I have a jQuery script in a clientDomain.com/show.php page that shows some data loaded from a serverDomain.com/echo.php page using jQuery.getJSON(). I want only allowed domains to be able to show the data, because I don't want unauthorized people to install the script on their own website without my permission. Is there any way to restrict the response of a jQuery.getJSON() only to certain domains? The solution should also prevent the use of an iframe by the client. In conclusion, the data should be seen only if someone visits the serverDomain.com/echo.php page directly or one of the allowed client domains. Thanks in advance for the support!

My request/response script works like the first example in jQuery.getJSON() | jQuery API Documentation

I can only code the client jQuery script (that will be distributed to the allowed domains) and the serverDomain.com/echo.php page (that is my property).

AlexWebLab

1 Answer

Don't do that. Use auth tokens instead that are updated regularly. Anybody can fake an HTTP referrer.

Here's a good answer on SO which covers restful API authentication: REST API Token-based Authentication

AlienWebguy
  • I can only code the client jQuery script (that will be distributed to the allowed domains) and the serverDomain.com/echo.php page (that is my property). – AlexWebLab Apr 06 '13 at 22:16
  • Ok then just make a simple array of approved domains, and if document.domain is not in the array, kill the script. It will be easy to bypass for anybody that knows how and wants to, but for level 1 deterrent, it's fine. – AlienWebguy Apr 07 '13 at 00:34
  • Do you think it's better using this array of approved domains or the HTTP referrer as explained here: http://stackoverflow.com/questions/11022275/restricting-access-if-not-coming-from-certain-referers-php ? – AlexWebLab Apr 07 '13 at 01:35
  • Pick your flavor. It's about the same amount of effort to bypass either. My philosophy for things like that is, if there's no clear choice whether to put the code on the server or client, put it on the client. – AlienWebguy Apr 07 '13 at 14:41