Home/ Questions/Q 6763801
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T14:31:10+00:00

In a CMS app I occasionally need to open an iframe of another domain.

  • 0

In a CMS app I occasionally need to open an iframe of another domain. At the moment I am setting the URL for that iframe to something very obscure. Like http://domain.com/iframe/jhghjg34787386/. This works but theoretically that iframe source url will get saved in the user’s history and could be accessed from the outside world.

So, I am wondering about using a time-based approach to an ever-changing hash or string that is processed on the request side and is checked on the iframe source side. However I would like it to be time based.

I could do this to get my hash:

<?php 

   $seed = '123456789'; // a password that both the parent and source have
   $string = md5(time().$seed); 
?>

But then the two servers have to be exactly synced. Any way to make the time constraint more fuzzy?

I am also open to other approaches. Is there any way to validate that the parent window for an iframe is of a certain domain?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could add a key to your hash and send the timestamp with the query, e.g.:

    $key = "YOUR_SECRET_KEY";
$time = time();
$hash = hash_hmac('sha256', $time, $key);
$url = "https://example.com/iframe?hash=$hash&time=$time";

    On the other side you should first check if the timestamp is in the limits (e.g. not older than five minutes) and than rehash with the key and the submitted timestamp. If you get the same hash the request is valid.

    Notes:

    • don’t use MD5: the algorithm is completely broken and doesn’t provide any security anymore (although it’s supposed to still be ok when used with an HMAC…)
    • you should use hash_equals for comparing hashes to prevent timing attacks
    • we use an HMAC to guarantee data integrity and authentication. See https://crypto.stackexchange.com/questions/1070/why-is-hkx-not-a-secure-mac-construction for why we mustn’t just concatenate time & key
    • 0