-1

I have a content.php file on my server that I need to load in an iframe on another page mask.php. This works just fine but I do not want content.php to be reachable at mydomain.com/content.php, only at mydomain.com/mask.php via iframe.

Is there a way to restrict the access to content.php to only via iframe on same server? PHP or HTTP?

I read about restricting the referrer of content.php, so that it has to be mask.php for it to load but it doesn't seem to work. I can imagine that it should be doable with PHP.

Dharman
jparty
  • You can use the referer, but it won't always work, and can easily be spoofed. So the server strictly doesn't know whether a page was loaded from within an iframe or not, and you can't really solve this problem 100% waterproof. btw, "PHP or HTTP" doesn't make sense. The first is a programming language, the second a communication protocol. It's not one or the other, but probably both. Lastly, "Doesn't seem to work" doesn't tell us anything. The question is missing your code and a more detailed description, and for that reason I vote to close. – GolezTrol Jan 29 '18 at 23:44
  • What you ask is not possible in a reliable or "secure" way since it is against the idea behind publishing things. A request to a published resource is either accepted and replied to or it is denied and blocked. Why should it be relevant _how_ that request is sent, from what element? – arkascha Jan 29 '18 at 23:45
  • Maybe it could be done at the browser's side with JavaScript. First setting a variable on the mask.php file and then checking within content.php if the variable matches. In this way, if content.php is not loaded in the same tab as mask.php the variable won't be set, so won't match and then → do not load. But if content.php is loaded in the same tab as mask.php the variable will be set and it would match, so → load. Is this possible? I am not an expert and maybe the browser reads the iframe as a separate document, thus there will be no variable to match... – jparty Feb 02 '18 at 19:54

1 Answer

0

mask.php

```php
<?php
if ($_SERVER['REQUEST_URI'] === '/mask.php' && $_SERVER['SCRIPT_NAME'] === '/mask.php') {
    include("content.php");
}
?>
```

content.php

```php
<?php
if ($_SERVER['REQUEST_URI'] === '/content.php' && $_SERVER['SCRIPT_NAME'] === '/content.php') {
    die('No Access');
} elseif ($_SERVER['REQUEST_URI'] === '/mask.php' && $_SERVER['SCRIPT_NAME'] === '/mask.php') {
    echo 'hello';
}
?>
```
xkrv
  • That doesn't work. `REQUEST_URI` and `SCRIPT_NAME` always reflect the URI of the resource being requested, not of the top-level frame that triggered the request. –  Jan 30 '18 at 00:09
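
As the comments point out, `REQUEST_URI`, `SCRIPT_NAME` and the Referer describe only the request itself, so the server cannot see the embedding frame. The following is an added example, not code from the question, the answer or the comments: mask.php mints a short-lived HMAC token for the iframe URL and content.php rejects requests without a valid one, which makes a bare request to content.php fail while still letting anyone who can load mask.php reuse the URL until it expires. The names `IFRAME_KEY`, `TOKEN_TTL`, `mint_token()`, `token_is_valid()`, `fetch_dest_ok()` and the `t` query parameter are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example. Assumption: mask.php and content.php share a secret that is
// loaded from configuration outside the web root (placeholder value here).
const IFRAME_KEY = 'replace-with-random-secret-from-config';
const TOKEN_TTL  = 30; // seconds an issued iframe URL stays valid

// mask.php side: mint "expiry.signature" and append it to the iframe URL,
// e.g. src="/content.php?t=" . mint_token(time())  (the "t" name is assumed).
function mint_token(int $now): string
{
    $expires = $now + TOKEN_TTL;
    $sig = hash_hmac('sha256', 'content.php|' . $expires, IFRAME_KEY);
    return $expires . '.' . $sig;
}

// content.php side: accept only an unexpired token with a valid signature.
function token_is_valid(string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expires, $sig] = $parts;
    $expected = hash_hmac('sha256', 'content.php|' . $expires, IFRAME_KEY);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $sig) && (int)$expires >= $now;
}

// Advisory only: browsers that send Fetch Metadata set Sec-Fetch-Dest to
// "iframe" for iframe loads. The header is client-supplied, like Referer, so
// it filters ordinary navigation but proves nothing about other clients.
function fetch_dest_ok(array $server): bool
{
    $dest = $server['HTTP_SEC_FETCH_DEST'] ?? null;
    return $dest === null || $dest === 'iframe';
}

// Constructed demonstration values; run with the PHP CLI.
$now   = 1517270400;
$token = mint_token($now);
var_dump(token_is_valid($token, $now + 10));       // token within its lifetime
var_dump(token_is_valid($token, $now + 31));       // token past its expiry
var_dump(token_is_valid('9999999999.bad', $now));  // forged signature
var_dump(fetch_dest_ok(['HTTP_SEC_FETCH_DEST' => 'document'])); // top-level load
```

In content.php the two checks would run before any output, with `die('No Access')` on failure as in the answer above.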