Find out the name of domain with iframe php script

Started by sewebservices, Feb 17, 2023, 04:03 AM

Previous topic - Next topic

sewebservicesTopic starter

One challenge in executing a php script in an iframe is that the script resides on one domain, while the iframe exists on another. To ensure that the script runs only if the user's domain exists and is allowed, I need to conduct a domain check.

However, getting the client domain remotely is difficult, as most $_SERVER elements refer to the server on which the script operates. Only HTTP_REFERER seems to offer any information about the client domain, but it is easily substituted.

To carry out the domain check, I can parse the URL from $_SERVER['HTTP_REFERER'] and compare it to an array of allowed client URLs. If the domain matches, the script can execute.

Despite the risks associated with HTTP_REFERER, it remains one of the few effective means for verifying a client's domain in this context.


If a page is displayed in an Iframe and you want to retrieve parent window data (without matching domains), additional code must be implemented on the parent window side. Various methods, such as postMessage or cross-domain AJAX, can facilitate data transfer between the two contexts.

In this case, an HTML node generating an HTTP request can be utilized to obtain the domain. The example code shows how to achieve this using an Image object with the URL encoded in the format of '' followed by the domain of the top document.


To retrieve the necessary information, $_SERVER['HTTP_ORIGIN'] can also be utilized. However, it is important to note that this key is only available during the time when the iframe initiates the page.


While HTTP_REFERER can be used to obtain the referring URL, it is important to note that it is not a reliable or secure method for validating the client's domain. The value of HTTP_REFERER can be easily manipulated or spoofed by the client, making it susceptible to attacks.

A more secure approach would be to pass the client's domain as a parameter to the iframe when embedding it on your website. This way, you can directly fetch and validate the domain on the server-side using PHP. By doing so, you have control over the data and can ensure its integrity.

To implement this approach, when generating the iframe code, include the client's domain as a query parameter in the URL. For example:

<iframe src=""></iframe>

In your PHP script, you can then retrieve the client's domain using the $_GET superglobal array:

$clientDomain = $_GET['client_domain'];

Once you have obtained the client's domain, you can compare it against your array of allowed client URLs and only execute the script if there is a match. Keep in mind that you should still apply additional security measures, such as sanitizing and validating the client's domain input, to mitigate any potential risks.

To further enhance the security of your domain check, you can consider implementing the following measures:

1. Use a whitelist approach: Instead of comparing the client's domain against an array of allowed URLs, consider using a whitelist approach where you explicitly define the allowed domains in your code. This provides better control and reduces the risk of accidentally allowing unauthorized domains.

2. Validate the client's domain format: Before performing any checks, validate the format of the client's domain to ensure it conforms to expected patterns. You can use regular expressions or built-in PHP functions like filter_var() with the FILTER_VALIDATE_DOMAIN filter to validate the domain format.

3. Sanitize the client's domain input: Avoid any potential security vulnerabilities by sanitizing the client's domain input before processing it. This helps prevent injection attacks or unexpected behavior due to special characters or malicious input. Consider using functions like filter_var() with the FILTER_SANITIZE_URL filter or the htmlspecialchars() function to sanitize the input.

4. Implement additional security measures: While checking the client's domain is an important step, it is not the only measure you should rely on for security. Consider using other mechanisms such as authentication, access control, and rate limiting to further protect your application from unauthorized access or abuse.

5. Keep up with security best practices: Stay informed about current security best practices for PHP and web development in general. Regularly update your code, frameworks, and dependencies to ensure you have the latest security patches and improvements.

 Here are some additional considerations and best practices to enhance the security of your domain check:

1. Use HTTPS: Ensure that your entire website, including the iframe source and the page hosting the iframe, is served over HTTPS. This helps protect the integrity and confidentiality of the data transmitted between the client and server.

2. Implement Cross-Origin Resource Sharing (CORS): CORS allows you to define a policy that controls which domains are allowed to make requests to your server. By configuring appropriate CORS headers, you can restrict access to the script's execution only to the domains you specify. This adds an extra layer of security by preventing unauthorized cross-origin requests.

3. Employ a Content Security Policy (CSP): CSP is a mechanism that allows you to define and enforce a set of restrictions on the types of content that can be loaded and executed on your web page. By setting a strict CSP, you can mitigate the risks associated with injection attacks and malicious code execution.

4. Use server-side validation: While client-side checks (such as comparing the domain) can help enhance user experience and reduce unnecessary server requests, it's crucial to perform server-side validation as well. Validate and sanitize all incoming data on the server to ensure its integrity and prevent any vulnerabilities.

5. Implement logging and monitoring: Keep track of all activities related to the domain check and monitor for any unusual or suspicious behavior. Log relevant information, such as requests, IP addresses, and timestamps, to aid in troubleshooting and security investigations.

6. Regularly review and update your code: Continuously review your codebase to identify and address any potential security vulnerabilities. Stay updated with the latest PHP security practices and apply security patches promptly.