agustin

Reputation: 2387

Blocking content with .htaccess prevents it from loading even in the allowed domains

I'm trying to block content from loading if it's accessed directly or from an unallowed domain. To do that I'm using a .htaccess. So, my logic is:

I also have to block other types of files. jpg|jpeg|gif|png|bmp|zip|ppt|pptx|ai|pdf|doc|xls|xlsx|psd|mov|svg

To give more context, the content (and the following .htaccess) is hosted on a different domain from the one where I want to be able to load the content. Let's say the content is on x.com and I want to be able to load the content only in example.com.

So this is my .htaccess

SetEnvIf Referer "^https://www.example.com/" letitpass
Order Deny,Allow
Deny from all
Allow from env=letitpass

ErrorDocument 403 /403.html

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com/.*$ [NC]
  RewriteRule \.(jpg|jpeg|gif|png|bmp|zip|ppt|pptx|ai|pdf|doc|xls|xlsx|psd|mov|svg)$ - [F,NC,L]
</ifModule>

This works partially as expected. The problem is that some content (like an image) inside a PHP or HTML document isn't loading even in the allowed domain.

This is the result: (screenshot from example.com/a-page/)

  1. An image <img src="https://x.com/image.png">. It works as expected. It loads only in example.com

  2. An iframe with a .pdf document, <iframe src="https://x.com/file.pdf">. It works as expected. It loads only in example.com

  3. An iframe with a .php document. The document has an img (x.com/image.png) and a pdf file (x.com/file.pdf). <iframe src="https://x.com/document.php">. It doesn't work as expected. The page is loading only in the allowed domain and that's fine, but some content like the image isn't loading.

Any ideas? Thanks!

Upvotes: 0

Views: 145

Answers (1)

Martin Zeitler

Reputation: 76689

Add a logical OR into the RewriteCond's exclusion, in order to permit the embedding for x.com:

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?(example|x).com/.*$ [NC]

Upvotes: 1
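The following is an added example, not code from the question or the answer: a small Python model of the posted .htaccess that evaluates both of its layers (the SetEnvIf/Deny block and the RewriteRule) against the Referer each request in the question would carry. The request list is constructed, the `access_block=False` column is a hypothetical what-if, and the model assumes both layers are active and that an image requested from inside x.com/document.php carries an x.com Referer.

```python
import re

# Patterns copied verbatim from the page; SetEnvIf is case-sensitive, [NC] is not.
SETENVIF = re.compile(r"^https://www.example.com/")
REWRITE_Q = re.compile(r"^http(s)?://(www\.)?example.com/.*$", re.I)      # question
REWRITE_A = re.compile(r"^http(s)?://(www\.)?(example|x).com/.*$", re.I)  # answer
PROTECTED = re.compile(
    r"\.(jpg|jpeg|gif|png|bmp|zip|ppt|pptx|ai|pdf|doc|xls|xlsx|psd|mov|svg)$", re.I)


def evaluate(path, referer, rewrite_cond, access_block=True):
    """Return 'served', or which layer of the .htaccess answers 403."""
    # Order Deny,Allow / Deny from all / Allow from env=letitpass:
    # every path is refused unless SetEnvIf matched and set letitpass.
    if access_block and not SETENVIF.search(referer):
        return "403 access block"
    # The RewriteCond is negated (!), so [F] fires when the Referer does NOT match.
    if PROTECTED.search(path) and not rewrite_cond.search(referer):
        return "403 rewrite rule"
    return "served"


# Constructed requests modelling the cases in the question.
REQUESTS = [
    ("img on example.com page", "/image.png", "https://www.example.com/a-page/"),
    ("iframe -> document.php", "/document.php", "https://www.example.com/a-page/"),
    ("img inside document.php", "/image.png", "https://x.com/document.php"),
    ("direct access, no Referer", "/image.png", ""),
]


def report():
    """One row per request: as posted, with the answer's RewriteCond,
    and (hypothetical) with the access block removed as well."""
    return [(label,
             evaluate(path, ref, REWRITE_Q),
             evaluate(path, ref, REWRITE_A),
             evaluate(path, ref, REWRITE_A, access_block=False))
            for label, path, ref in REQUESTS]


if __name__ == "__main__":
    for row in report():
        print("{:26} | posted: {:16} | answer: {:16} | no access block: {}".format(*row))
```

The Referer header is supplied by the client, so rules like these limit casual hotlinking rather than enforce access control.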
