tech @ Beacon Deacon

Need a referrer for AJAX?

Jamie Johnson

October 11, 2017

This past summer, it came to my attention that someone was screen-scraping script from a public webpage, which pulled in data via AJAX, and that individual set it up as an "app" and charged for it. The problem was it was a page for which I wrote the code.

I decided I needed an HTTP_REFERER (Yes, it is REFERER, not REFERRER) for that. However, that is typically obtained via a click event. I didn't want users of that page to have to click to get the data. I wanted the live data to just show up when they hit the page. That's the beauty of AJAX, is it not?

So, I wondered, "What if you want your AJAX call to only be called from a certain webpage? How would that work with an AJAX call?" Well, I came up with a solution, which shut down that "app" this past summer. I simply put the AJAX in a server-side script (such as ASP, PHP, CGI, Perl, etc.), which checks the HTTP_REFERER. Then I sourced the server-side script via an iframe on the webpage, like this:

<iframe frameborder="0" height="480" scrolling="no" src="myserversidescript.ext" width="240"></iframe>

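In the server-side script, I did something like this (Perl shown as an example):

# Referer header as sent by the browser; empty string when the header is absent
my $refr = $ENV{'HTTP_REFERER'} // '';
# Only render when the request came from the expected page
if ($refr eq 'http://somewebserver.com/somepage.html') {
    # write the print/echo/rendering of the markup and AJAX here
}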

And I added some additional security measures for fun. ;)

Now you can restrict an AJAX call to a website.
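
A stricter form of the referer check above, as an added example that is not part of the original post: it parses the header instead of comparing the whole string, so the page still matches over HTTPS or with a query string, while look-alike hosts and a missing header are refused. The Referer value is supplied by the client and any non-browser HTTP client can set it freely, so this filters embedding by other sites rather than authenticating the caller. The %ALLOWED table, the referer_allowed name, the acceptance of https and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed allow-list: host => { path => 1 } for pages allowed to embed the script.
my %ALLOWED = ( 'somewebserver.com' => { '/somepage.html' => 1 } );

# Return 1 only when the Referer's host and path are on the allow-list.
sub referer_allowed {
    my ($referer) = @_;
    return 0 unless defined $referer && length $referer;

    # Anchored parse: scheme, host, optional port, path. Query/fragment are ignored.
    # The host character class excludes '@', so "allowed-host@other-host" is refused.
    my ($scheme, $host, $port, $path) =
        $referer =~ m{\A(https?)://([A-Za-z0-9.-]+)(?::(\d+))?(/[^?#]*)?(?:[?#].*)?\z}i
        or return 0;

    $host = lc $host;                  # host names are case-insensitive
    $path = '/' unless defined $path;  # "http://host" means path "/"

    # Accept only the default port for the scheme.
    my $default = lc($scheme) eq 'https' ? 443 : 80;
    return 0 if defined $port && $port != $default;

    return ( $ALLOWED{$host} && $ALLOWED{$host}{$path} ) ? 1 : 0;
}

# Constructed sample Referer values (not taken from real traffic).
my @samples = (
    'http://somewebserver.com/somepage.html',
    'https://SomeWebServer.com/somepage.html?tab=2',
    'http://somewebserver.com.other.example/somepage.html',
    'http://other.example/?u=http://somewebserver.com/somepage.html',
    undef,    # header absent
);

for my $r (@samples) {
    my $shown = defined $r ? $r : '(no Referer header)';
    printf "%-64s %s\n", $shown, referer_allowed($r) ? 'serve' : 'refuse';
}
```

In the CGI script, call referer_allowed($ENV{'HTTP_REFERER'}) before rendering the markup and AJAX.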
