How to restrict access to a resource based on domain

I've got a theoretical problem I'd like to solve. Imagine I want to reference an external resource from within an HTML document. However, I want the behaviour when following the link to vary depending on the domain of the referring page (the page with the link).

e.g.

A page hosted at http://somedummydomain.com/mypage.html contains a link to a resource http://someotherdummydomain.com/mydoc.pdf?key=123456789.

When a user clicks on the link to mydoc.pdf, I would only like mydoc.pdf to be returned (200 OK) if the referrer is somedummydomain.com - if it's any other domain then return 401 NOT AUTHORIZED. The significance of the key in the query params is that the application serving mydoc.pdf will, internally, have associated that key with the somedummydomain.com domain, thus stipulating that the resource can only be accessed via that domain.

Obviously I could check the referrer, but it's trivial to spoof the referrer in the HTTP headers so, were I genuinely trying to lock something down, the referrer header is not going to be satisfactory.

I'm kind of assuming that JavaScript would have to come into play in some way? I'm judging that based on things like the Google Analytics JS code that will only accept events occurring on a page hosted at a pre-registered domain.

Does anyone know how this type of behaviour could be achieved?
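
The check described in the question, written out as an added example (not part of the original post): the key is looked up server-side and the Referer host is compared exactly with the domain bound to that key. `KEY_TO_DOMAIN`, `refererHost`, `checkAccess`, `runSamples` and the sample requests are constructed for illustration.

```javascript
// Added example. Constructed mapping: the key from the question bound to its domain.
const KEY_TO_DOMAIN = new Map([["123456789", "somedummydomain.com"]]);

// Hostname of the Referer header, or null when it is absent or not an http(s) URL.
function refererHost(referer) {
  if (!referer) return null;
  try {
    const u = new URL(referer);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname; // URL already lower-cases the host
  } catch {
    return null;
  }
}

// Status code for a request to the protected resource.
// `headers` uses lower-case names, as Node's http module delivers them.
function checkAccess(requestUrl, headers) {
  const key = new URL(requestUrl).searchParams.get("key");
  const allowed = KEY_TO_DOMAIN.get(key);
  if (!allowed) return 401; // missing or unknown key
  // Exact match only: a substring or endsWith test would also accept
  // hosts that merely contain the registered name.
  return refererHost(headers["referer"]) === allowed ? 200 : 401;
}

// Constructed sample requests covering the cases the question raises.
const DOC = "http://someotherdummydomain.com/mydoc.pdf";
const SAMPLES = [
  [DOC + "?key=123456789", { referer: "http://somedummydomain.com/mypage.html" }],
  [DOC + "?key=123456789", { referer: "http://somedummydomain.com.other.example/" }],
  [DOC + "?key=123456789", {}],                 // header stripped or never sent
  [DOC + "?key=000", { referer: "http://somedummydomain.com/mypage.html" }],
];

function runSamples() {
  return SAMPLES.map(([url, headers]) => checkAccess(url, headers));
}

console.log(runSamples()); // [ 200, 401, 401, 401 ]
```

`checkAccess` only ever sees the header string the client sent, so its result is the same whichever client supplied that string; this is the limitation the question itself points out.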