I'm using getJSON to send data from a domain to another domain.
Here's the example: Domain A (www.a.com) sends data using jQuery getJSON() to Domain B (www.b.com). Domain B contains all the PHP scripts to parse the data.
For security reasons, I want to make sure the data sender is domain A and not others. I read up a lot of posts and searched, and I came across $_SERVER['HTTP_REFERER'] for PHP. However, I noticed a lot saying this is not the best way and some browsers don't support it.
Then I came across another saying to use cookies and an access token, which confuses me further. Well, I hope someone is able to point me in the right direction.
Here's the jQuery script I'm using to send the data over to domain B:
// 'callback=?' makes jQuery issue a JSONP request (a <script> tag), which is what
// allows the cross-domain call; the original URL had no scheme and would have been
// treated as a relative path, and the data value was not URL-encoded.
$.getJSON('http://www.b.com/parse.php?data=' + encodeURIComponent(data) + '&callback=?', function(response) {
    // do something with the JSON returned by domain B
});
I want to make sure the data sender is domain A and not others
There is no way to reliably detect if a request was triggered by JavaScript running in a page hosted on a particular domain.
using cookies and access token which confuses me further
This is an indirect approach. Essentially the process would work something like this:
The token can still be extracted from the application, since it has to be given to the client. However, that has to be done by someone with full access to the client, so it can't be done by a third party website that wants to access your data.
Such a website could access the site hosting the application, get an identification token, and then access the site hosting the data. There are ways to defend against this…
If the request to the data site is being made by the server, then it will probably be making an unusually high number of requests from a given IP address. You can rate limit it. (They can then work around this by cycling through different source IPs).
If the request is being made by web browsers, then the request for the token will have come from a different IP address to the request for the data. You can lock the token authorisation to a given IP address. This will, however, break for users who access via proxy servers (e.g. quite a lot of mobile users and people using AOL (last time I heard anything about how AOL's servers were configured anyway)).
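The token scheme sketched in this answer, written out as an added example (this is not code from the question or the answer). It assumes domain B exposes a hypothetical token.php that hands an IP-bound, expiring token to the page on domain A, and that parse.php checks the token and a per-IP rate limit before it looks at $_GET['data']. The secret and the limits are placeholders.

```php
<?php
// Added example, not code from the question or answer. Assumed layout: domain B
// serves a hypothetical token.php that hands a token to the page on domain A,
// and parse.php verifies the token before touching $_GET['data'].

const TOKEN_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'; // placeholder; keep it only on domain B
const TOKEN_TTL    = 300;                                  // seconds a token stays valid

// Issue a token locked to the requesting IP address with an expiry time.
// Called from token.php as issue_token($_SERVER['REMOTE_ADDR'], time()).
function issue_token(string $client_ip, int $now): string
{
    $expires = $now + TOKEN_TTL;
    $payload = $client_ip . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, TOKEN_SECRET);
    return base64_encode($payload . '|' . $mac);
}

// Verify a token presented with the data request. Fails if it was tampered
// with, has expired, or is used from a different IP than it was issued to.
// The proxy caveat from the answer applies: users whose IP changes between
// the two requests (shared or rotating proxies) are rejected here.
function verify_token(string $token, string $client_ip, int $now): bool
{
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return false;
    }
    [$ip, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;                       // malformed or expired
    }
    if ($ip !== $client_ip) {
        return false;                       // presented from a different IP
    }
    $expected = hash_hmac('sha256', $ip . '|' . $expires, TOKEN_SECRET);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Fixed-window rate limit per IP, as the answer suggests against server-side
// callers. $counters would be a shared store in practice (APCu, Redis); a plain
// array is used here so the example is self-contained.
function rate_limited(array &$counters, string $client_ip, int $now, int $limit = 60, int $window = 60): bool
{
    $bucket = $client_ip . '|' . intdiv($now, $window);
    $counters[$bucket] = ($counters[$bucket] ?? 0) + 1;
    return $counters[$bucket] > $limit;
}

// parse.php, in outline (constructed usage, not a real endpoint):
// $ip = $_SERVER['REMOTE_ADDR'];
// if (rate_limited($counters, $ip, time()) || !verify_token($_GET['token'] ?? '', $ip, time())) {
//     http_response_code(403);
//     exit;
// }
// ... parse $_GET['data'] and emit the JSONP response ...
```

On the client, the page on domain A first obtains a token (from the assumed token.php, or embedded in the page by domain B) and appends it as &token=... to the parse.php URL it passes to getJSON. Because getJSON runs in the visitor's browser, $_SERVER['REMOTE_ADDR'] on domain B is the visitor's address for both requests, which is what the IP binding relies on; as the answer notes, the token itself is still visible to anyone who loads the page, so this raises the cost of abuse rather than proving the request came from domain A.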
$_SERVER['HTTP_REFERER'] is better, because it's server side.