[ic] Allowing a particular domain access to content

Peter peter at pajamian.dhs.org
Mon May 24 21:23:36 UTC 2010

On 25/05/10 08:12, Gert van der Spoel wrote:
> I think the problem with this is that the parent/top window location details
> are not accessible via javascript in the iframe.
> www.domain1.com  with iframe to www.domain2.com I believe that domain2.com
> then is not allowed to access the location details.
> But you could perhaps make <iframe src="... " have a scripted part, which
> uses the parent location (so generated on the side of the iframe) .. that
> script could for example generate a code which contains the parent URL and a
> timestamp .. On your side you could decrypt this and check the timestamp to
> be within a certain boundary ... In case someone finds the link it would not
> work anymore of that boundary (bit like Peters suggestion above).
> Sounds like there has to be an easier way :)

Well, if you can get site1 to cooperate that well then what you could do
is this:

You and site1 have a "shared secret" (password or key).  Site1 maintains
a counter, and sends teh value of that counter in a CGI variable.  Site1
also does an MD5 hash of the counter value with the shared secret and
sends the resulting hash to you in another CGI variable.

On your end, you grab the counter value from CGI space, hash it yourself
against the shared secret (which you both know but you don't transmit),
and if the resulting hash is the same as the one that site1 sent you the
request is valid.  You then add the counter value to a db record that
invalidates that value for further use (so someone can't re-use the
counter value and hash value from an old URL).

To keep the database table short you could purge old counter values from
it on occasion and just check that the counter value passed is greater
than the minimum one in the db and does not exist in the db.


More information about the interchange-users mailing list