
Hello! I have a problem, maybe someone can help me with it. I put SWFs in a folder and I am protecting them with htaccess. I give access to some websites. My problem is to block some URLs that are getting an iframe embed from a website that has access. Is it possible to block the SWF players so they don't appear in their iframe website? Thank you in advance.


Hi,

I haven't tested this but I think you could use mod_actions with X-Frame-Options SAMEORIGIN. This header is used to define whether an external website can include your pages through an iframe. It has three statements:

The third option would be perfect for you but is not supported by all browsers. The actions module instead allows you to run a script when a defined type of file is requested, so, in your case a SWF file. The idea is to check if the referrer is in the whitelist array. If the condition is satisfied we simply set an environment variable (readable by Apache) and block the setting of the X-Frame-Options header.

So, set these lines in the .htaccess file:

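# mod_actions: the directive name is "Action" (singular)
Action application/x-shockwave-flash /cgi-bin/swf.cgi
# mod_headers: send the header unless SWF_ALLOWED is set
Header append X-FRAME-OPTIONS SAMEORIGIN env=!SWF_ALLOWED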

And, as example of the swf.cgi script, write:

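#!/usr/bin/env php
<?php
// CGI response header
echo "Content-type: text/html\n\n";

// Hosts allowed to embed the SWF files
$whitelist = array(
    'domainA.tld',
    'domainB.tld',
);

// The referrer is a full URL, so compare only its host part
$ref  = getenv('HTTP_REFERER');
$host = $ref ? parse_url($ref, PHP_URL_HOST) : null;

// Note: apache_setenv() exists only when PHP runs as an Apache module
if($host && in_array($host, $whitelist, true))
    apache_setenv("SWF_ALLOWED", "TRUE");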

More information here:

Edited by cereal
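
The same whitelist idea can be evaluated by Apache itself, without the CGI script. This is an added example, not part of the original post; it reuses the post's `domainA.tld` / `domainB.tld` placeholders and the `SWF_ALLOWED` variable, and assumes mod_setenvif and mod_headers are enabled and that `.htaccess` may use them (`AllowOverride FileInfo`).

```apache
# Added example (not from the thread): Referer whitelist handled in .htaccess.

# Set SWF_ALLOWED only when the Referer host is exactly a whitelisted domain
# (optionally with "www." and a port). The pattern is anchored at the scheme
# and must be followed by "/" or end of string, so a lookalike host such as
# domainA.tld.other.example does not match.
SetEnvIfNoCase Referer "^https?://(www\.)?domainA\.tld(:[0-9]+)?(/|$)" SWF_ALLOWED
SetEnvIfNoCase Referer "^https?://(www\.)?domainB\.tld(:[0-9]+)?(/|$)" SWF_ALLOWED

<FilesMatch "\.swf$">
    # Requests with a missing or non-whitelisted Referer leave SWF_ALLOWED
    # unset, so they receive the header. "set" avoids duplicate header values.
    Header always set X-Frame-Options "SAMEORIGIN" env=!SWF_ALLOWED
</FilesMatch>
```

The Referer header is supplied by the client and can be absent or altered, so this check is a filter on well-behaved browsers rather than an access control.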


Thank you for your answer, but it is getting an error in htaccess. In cgi when can I put websites allowed here?
'domainA.tld','domainB.tld',

Edited by arjani10: answer


For troubleshooting errors about the script & .htaccess check the Apache documentation, here's the link:

In cgi when can I put websites allowed here?

The content of the whitelist array can be hardcoded (as in my example) or dynamic: let's say you use memcached to save the list (through an update script) in RAM and pull it at request time or, instead of memcached, you could use a database connection. It's up to you.
