I have a page called test2.php that is loaded into test1.php via iframe.
I would like to implement a whitelist to make sure that test2.php is only accessed via test1.php. I noticed that the parent page URL (test1.php) is passed as the HTTP_REFERER for the child iframe page (test2.php).
This holds true in IE7/8/9 and the versions of Chrome and FF I'm using.
So, in this case, as real security is not a factor, is testing the HTTP_REFERER field reliable to check the parent page's identity? Are there browsers that do not set this header for iframes, or is there an edge case I'm not taking into consideration?
I realize this is not hack-proof, as header spoofing is trivial, but security is not an issue. I simply want to control (more or less) on what pages test2.php is embedded.
Thank you for your time.
You can use JavaScript: at the beginning, check whether your test2.php file is in an iframe:
var isInIframe = (parent !== window);
Then you can get and verify the parent URL:
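function getParentUrl() {
    // true when this document is framed (window.parent differs from the window itself)
    var isInIframe = (parent !== window),
        parentUrl = null;
    if (isInIframe) {
        // for a framed document, the referrer is the page that loaded the frame
        parentUrl = document.referrer;
    }
    return parentUrl;
}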
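One way to do the "verify" step on the value returned above, as an added example that is not part of the original answer. It goes slightly beyond the answer by also handling an empty referrer and an origin-only referrer, which browsers send under the `no-referrer` and `strict-origin-when-cross-origin` policies. `ALLOWED_PARENTS`, `classifyParent`, `shouldRender` and the example.com hosts are hypothetical names and constructed values.

```javascript
// Added example: classify a referrer string against an allowlist of parent pages.
// ALLOWED_PARENTS and all host names below are constructed placeholders.
const ALLOWED_PARENTS = ["https://www.example.com/test1.php"];

function classifyParent(referrer, allowed = ALLOWED_PARENTS) {
  // Empty referrer: direct navigation, Referrer-Policy: no-referrer,
  // or a proxy/privacy tool removed it. Nothing can be concluded.
  if (!referrer) return "unknown";

  let ref;
  try {
    ref = new URL(referrer);
  } catch (e) {
    return "denied"; // not a parseable absolute URL
  }

  for (const entry of allowed) {
    const ok = new URL(entry);
    // Compare parsed origins, never string prefixes:
    // "https://www.example.com.other.test/" starts with an allowed string.
    if (ref.origin !== ok.origin) continue;
    // Query strings on the parent page are ignored; the path must match exactly.
    if (ref.pathname === ok.pathname) return "allowed";
    // A cross-origin parent under strict-origin-when-cross-origin
    // sends only its origin, so the path arrives as "/".
    if (ref.pathname === "/" && ref.search === "") return "allowed-origin-only";
  }
  return "denied";
}

function shouldRender(referrer) {
  const verdict = classifyParent(referrer);
  return verdict === "allowed" || verdict === "allowed-origin-only";
}

// Browser-only hook: hide the page when framed by a parent not on the list.
if (typeof document !== "undefined" && parent !== window) {
  if (!shouldRender(document.referrer)) {
    document.documentElement.style.display = "none";
  }
}
```

Whether "unknown" is treated as allowed or denied is a policy choice; the sketch denies it.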