I’m building a service where customers will include a script on their site. I will bill customers based on their usage of the script (it connects to my server to use the service), and I also have an iFrame version. Is it safe to check their window.location.host to check that the script was posted on their own website? Customers will have the option to specify multiple domains.
Overall, you shouldn’t. Read on.
I believe that if you change window.location then the browser navigates to that page. Therefore, nobody would be able to change window.location in order to trick your script without the browser navigating to the new page.
But nothing is stopping anyone from downloading the .js file and editing it to remove your checks. (Or like Sime said, they could be using a non-standard browser.)
(Confirmed that this happens on Firefox)
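Since a check inside the delivered script can be edited out, the domain check can instead run on the server the script connects to. The sketch below is an added example, not part of the original question or answer: the customer IDs, domain lists and the function name billableHost are constructed for illustration. It assumes the server receives the browser-set Origin (or Referer) header, which page script cannot alter but a non-browser client can send with any value, so it attributes usage for billing rather than proving where a request came from.

```javascript
// Added example: server-side allowlist check for a per-customer embed script.
// Customer IDs and domains below are constructed sample data.
const CUSTOMER_DOMAINS = new Map([
  ["cust_123", ["example.com", "shop.example.com"]],
  ["cust_456", ["example.org"]],
]);

// Returns the host to bill this request to, or null if it must be rejected.
// originHeader is the raw value of the Origin (or Referer) request header.
function billableHost(customerId, originHeader) {
  const allowed = CUSTOMER_DOMAINS.get(customerId);
  if (!allowed || typeof originHeader !== "string") return null;

  let url;
  try {
    url = new URL(originHeader);
  } catch {
    // Header is malformed or the literal "null" (e.g. a sandboxed iframe).
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Compare the parsed hostname exactly. Substring or endsWith checks would
  // also accept look-alike hosts such as example.com.attacker.test.
  const host = url.hostname.toLowerCase();
  return allowed.includes(host) ? host : null;
}
```
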