
detect original web site URL in PHP using JS from external server


Let's say we have two web sites, https://aa.tld (WS_A) and https://bb.tld (WS_B). And let's say we have a third server, https://ss.tld (SS), where some scripts like a small JavaScript framework are hosted. This small framework provides e.g. a spam-free email form or an SMS service to the website admin or so.

This JS framework is embedded in WS_A and WS_B with a regular JS link like <script src="https://ss.tld/w/widget.js" type="text/javascript"></script>

On the server side (SS) this is translated using htaccess to widget.php, where widget.php acts like JS and outputs JS using the PHP header call header('Content-Type: text/javascript; charset=utf-8');

My question is: Is it possible to use PHP on this SS-script to detect the original web site URL like https://aa.tld or https://bb.tld ?

The purpose is that I want the script to provide e.g. only the email form to WS_A and both email and SMS to WS_B. And I don't want to use a JS switch using window.location.href, because a user could dig into https://ss.tld/w/widget.js and get information about other web sites using this script, and possibly compromise the script using browser tools like the MozFF admin tools.

Appreciate your ideas, thanks.

UPDATE regarding answers below to share my experiences

Now I am happy with it.

On Website WS_A: <script src="https://ss.tld/w/856z6gg4" type="text/javascript" crossorigin="anonymous"></script>

In HTACCESS: RewriteRule ^([a-zA-Z0-9-/+]+)$ js.php?key=$1 [L]

Here the SS php script (experimental, working):

<?php
ob_start('ob_gzhandler');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header('Access-Control-Allow-Headers: X-Requested-With');
header('Content-Type: text/javascript; charset=utf-8');

// Return the host part of a URL, or '' if it is missing or unparsable.
function servername($url) {
    $host = parse_url((string) $url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

// Site key => host that is allowed to use it.
$keys = array(
    '856z6gg4' => 'aa.tld'
);

// Both headers are optional and set by the client, so default to ''.
$origin  = filter_var($_SERVER['HTTP_ORIGIN'] ?? '', FILTER_SANITIZE_URL);
$referer = filter_var($_SERVER['HTTP_REFERER'] ?? '', FILTER_SANITIZE_URL);
// FILTER_SANITIZE_STRING is deprecated since PHP 8.1; the key is only used as an array index.
$key = (string) ($_GET['key'] ?? '');

if (array_key_exists($key, $keys)) {
    // Look the host up only after the key is known to exist.
    $fromarray = $keys[$key];
    if ($referer != '' && $fromarray == servername($referer) && $fromarray == servername($origin)) {
        // htmlspecialchars() + json_encode(): the header value stays inert in both the HTML and the JS string.
        echo 'document.writeln(' . json_encode('domain ' . htmlspecialchars($referer) . ' is checked with HTTP_REFERER.<br />') . ');';
    } else if ($fromarray == servername($origin)) {
        echo 'document.writeln(' . json_encode('domain ' . htmlspecialchars($origin) . ' is checked with HTTP_ORIGIN.<br />') . ');';
    } else {
        echo 'document.writeln("domain not allowed.<br />");';
    }
} else {
    echo 'document.writeln("domain not allowed.<br />");';
}

ob_end_flush();
?>

Solution

  • You could use $_SERVER['HTTP_REFERER'], but there are browsers that don't send this.

    I advise you to put a parameter in serverA and B, e.g. in serverA:

    <script src="https://ss.tld/w/widget.js?host=A" type="text/javascript"></script>
    

    in serverB

    <script src="https://ss.tld/w/widget.js?host=B" type="text/javascript"></script>
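
An added example, not part of the question or the answer above: it combines the per-site key from the question's UPDATE with the Referer/Origin check, and emits only the calling site's feature list so nothing about other sites reaches the browser. The second key, the feature names, the function names and the `window.ssWidget` variable are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
// Added example. Keys, hosts and feature names below are constructed.
const SITES = [
    '856z6gg4' => ['host' => 'aa.tld', 'features' => ['email']],
    'q7m2x9pd' => ['host' => 'bb.tld', 'features' => ['email', 'sms']],
];

// Lower-cased host of a URL, or '' when the value is absent or unparsable.
function url_host(?string $url): string {
    $host = parse_url($url ?? '', PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

// Features for the embedding page. Returns [] unless the key is known and
// every header the client actually sent names the host bound to that key.
function features_for(string $key, ?string $origin, ?string $referer): array {
    if (!array_key_exists($key, SITES)) {
        return [];
    }
    $seen = array_filter([url_host($origin), url_host($referer)]);
    if ($seen === []) {
        return [];            // neither header present: fail closed
    }
    foreach ($seen as $host) {
        if ($host !== SITES[$key]['host']) {
            return [];        // key presented from a different site
        }
    }
    return SITES[$key]['features'];
}

// JS body for one site only; other sites' entries never leave the server.
function render_widget_js(array $features): string {
    return 'window.ssWidget = ' . json_encode(['features' => $features]) . ';';
}

// Constructed requests: [key, Origin header, Referer header].
$samples = [
    ['856z6gg4', 'https://aa.tld', 'https://aa.tld/contact'], // both headers match
    ['q7m2x9pd', null, 'https://bb.tld/'],                    // Referer only
    ['q7m2x9pd', 'https://aa.tld', null],                     // key used from another site
    ['856z6gg4', null, null],                                 // no headers sent
    ['unknown', 'https://aa.tld', null],                      // unknown key
];
foreach ($samples as [$key, $origin, $referer]) {
    echo render_widget_js(features_for($key, $origin, $referer)), "\n";
}
```

Origin and Referer are set by the client, so a non-browser client can send any value. The endpoints that actually send the email or SMS should check the key and its feature list again on the server.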