Block JS from loading on certain domains

Question

I have a web service that works through giving users javascript to embed in their code. Users can also place that code on other sites to make it work there. However I also need to allow users to create a blacklist of sites that the JS should not function on. For example, a competitor or an inappropriate site.

Is there a way to check where our JS files are being loaded from, and block loading or break functionality on a per account basis?

Edit: The javascript loads an iframe on the site, so another solution would be to somehow block certain domains from loading an iframe from our server, or serve different content to that iframe

Edit 2: We're also trying to avoid doing this from with the JS because it could be downloaded and modified to get pass the block

Answer 1

One thing you could do is have the javascript load another javascript file. That you serve from the server at a given url. The trick here is that that url will not go to a file but to a server end point that will return a javascript file. The you have that endpoint check for the routes for that user and decide if it will return the javascript you want to work or an error javascript of some kind.

This blog shows how to do it in php.dynamic-javascript-with-php

Answer 2

Inspecting the url of the page

Yes, the javascript file, when it starts executing, can inspect window.url and see if the url of the main document is ok.

To see where the script was loaded from

It can also go through the dom, looking for the script node which brought in the javascript file itself and see from where the JS was loaded.

However

Anyone can load the javascript into a text editor, then change it to eliminate the tests, then host the modified JS on their own server. Obfuscating or minimizing the JS can slow someone down but obscurity is not security.