1

I have <script src="bla"></script> that can be loaded in several domains. I want to know if there is a way to control the domains it will be loaded on. To clarify: My script is server-side rendered, so basically I can return an empty string if the requested domain is invalid.

This is to prevent other sites from embedding my script.

Thanks!

4 Answers

2

You could check the referrer, but this is set by the user's web browser and is not 100% reliable.

I don't think there is a way to 100% detect which domain has embedded the script.


1 Comment

I can't think of one either. Checking the request headers is probably the best you can do. You can also check for things besides the referrer, like user-defined key/values.
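
The referrer check discussed in this answer, as an added example that is not part of the original thread: a server-side allow-list that parses the Referer value and compares the host exactly before deciding whether to render the script. `ScriptGate`, `AllowedHosts` and the sample hosts are hypothetical, and the caller is assumed to pass in the raw Referer header value.

```csharp
using System;
using System.Collections.Generic;

// Added example: server-side Referer allow-list for a rendered script.
// ScriptGate, AllowedHosts and the sample hosts are hypothetical names.
public static class ScriptGate
{
    // Hosts permitted to embed the script (constructed sample values).
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "fred.com", "www.fred.com" };

    // Returns true when the Referer header names an allowed embedding page.
    // allowMissing decides what happens when the browser sent no Referer
    // (privacy settings and Referrer-Policy can strip it).
    public static bool IsAllowedEmbedder(string referer, bool allowMissing)
    {
        if (string.IsNullOrWhiteSpace(referer))
            return allowMissing;

        // Parse the header; reject anything that is not an absolute http(s) URL.
        if (!Uri.TryCreate(referer, UriKind.Absolute, out Uri uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;

        // Exact host comparison: a substring test would also accept
        // "fred.com.example.net" or "notfred.com".
        return AllowedHosts.Contains(uri.Host);
    }

    // Body to send: the real script for allowed embedders, otherwise empty.
    public static string Render(string referer, string script) =>
        IsAllowedEmbedder(referer, allowMissing: false) ? script : string.Empty;

    public static void Main()
    {
        // Constructed Referer values, not taken from real traffic.
        string[] samples = {
            "https://www.fred.com/page.html",
            "https://fred.com.example.net/",
            "http://notfred.com/index",
            "not a url",
            null
        };
        foreach (string r in samples)
            Console.WriteLine($"{r ?? "(none)"} -> {IsAllowedEmbedder(r, false)}");
    }
}
```

If the response can be cached, send `Vary: Referer` with it so a shared cache does not hand the real script to a request from another site.
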
0

Can't you just check the domain the request is coming on?

See http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.host.aspx; you can get it via HttpContext.Current.Request.

An example:

// HttpRequest exposes the requested host name through Url.Host
if (HttpContext.Current.Request.Url.Host.Contains("fred.com")) {
   return; // Or you could do a Response.Write and Flush
}

You can also embed the script code into a closure and simply check at the beginning and return:

(function() {

  // Stop before running anything when the page's host name matches
  if (location.hostname == "....") return;

  // ...more code here...

})();

2 Comments

JS is not an option, since it can be hacked quite easily.
You didn't mention that in the question. Check the Host property of the request .NET side - msdn.microsoft.com/en-us/library/…, you can get the HttpWebRequest using HttpContext.Current.Request.
0

You can use the same mechanism used to prevent hotlinking images: mod_rewrite on Apache, or an ISAPI filter on IIS, for example.

Either drop the request if it comes from another domain, or send a neutered script.


0

I think the Content-Security-Policy header would be a help in this case. You can set this header using the <meta> tag.

<meta http-equiv="Content-Security-Policy" content="default-src 'self';">

You can learn about CSP in more detail here.
