CODEWITHSUNDEEP
c#javascriptasp.net
Himberjack
Himberjack

Reputation: 5802

How to prevent script loading in different domain

I have <script src="bla"></script> that can be loaded in several domains. I want to know if there is a way to control the domains it will be loaded on. To clarify: My script is server-side rendered, so basically I can return empty string if the requested domain is invalid.

This is to prevent from other sites embedding my script.

Thanks!

Upvotes: 1

Views: 618

Answers (4)

tonwayer
tonwayer

Reputation: 532

I think the Content-Security-Policy header would be a help in this case. You can set this header using the <meta> tag.

<meta http-equiv="Content-Security-Policy" content="default-src 'self';">

You can learn about CSP in more detail here.

Upvotes: 0

kennebec
kennebec

Reputation: 104800

You can use the same mechanism used to prevent hotlinking images- mod_rewrite on apache, or an isapi filter on iis, for example

Either drop the request if it comes from another domain, or send a neutered script.

Upvotes: 0

Lloyd
Lloyd

Reputation: 29668

Can't you just check the domain the request is coming on?

See http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.host.aspx, you can get it via HttpContext.Current.Request.

An example:

if (HttpContext.Current.Request.Host.Containts("fred.com")) {
   return; // Or you could do a Response.Write and Flush
}

You can also embed the script code into a closure and simply check at the beginning and return:

(function() {

  if (location.hostname == "....") return;

  ...more code here...

})();

Upvotes: 0

drew
drew

Reputation: 1312

You could check the referrer, but this is set by the user's web browser and is not 100% reliable.

I don't think there is a way to 100% detect which domain has embedded the script.

Upvotes: 2

Related Questions