

Ask YC: Help on authorization for iframe embedding - y78

Hi All,<p>Does anybody have tips on how to allow only authorized websites to embed a web page I control into their website. My first thought was to use the HTTP_REFERRER, but thats not reliable.<p>My second thought was to create an algorithm that only the authentic website and my website knows. The authentic website would send through a hash of the result of the algorithm, which my page checks. This could be something like a mixture of the day, month, year and hour of the request, multiplied and summed in different ways, concatenated with a password/pin number.<p>I'm not great at Math, so don't have much of an idea if this would be secure or not. But to my untrained eye, it seems it would be more than enough to stop script-kiddies from just copying the source of a page .. but how much would it slow down someone more experienced and persistent?<p>Any thoughts?
======
olefoo
What is the cost of failure in your scenario?

Are people going to be able to make serious money off of cheating you, or are
you going to get a few misimpressions from buggy browsers?

If the cost and risk are low, then HTTP_REFERER is good enough.

If not, then you are going to get very friendly w/ javascript and
authentication of untrusted requests.

