Control Javascript page content according to who is requesting

A much like yours question was asked in StackOverflow in English. An answer , which I will translate (since we are in the Portuguese OS) in a free way below, is particularly complete, in my opinion, and brings the most useful considerations to your problem.

  

Whereas the client (user's browser) can send any   thing he wants, I'd say there's no way to be sure which   site your script is called:

     

• Since you want to know the URL of the website that embeds your widget, not the user's address, $_SERVER['REMOTE_HOST'] will not help
  
• $_SERVER['HTTP_REFERER'] may seem OK, but in fact it is not:      
  • Client does not have to send [ HTTP_REFERER ] and does not always do so
    
  • As it is sent by the customer, it can be forged / counterfeited with ease
    
  

So, I would say that there is no real solution to this problem, for the   least on the server side (if I'm wrong, I'm interested in   know!)

     

But maybe you can do something on the client side: while   I was writing all this, I thought about Google Maps and its API system   Key:

     

• you have a (unique) API key for your domain
  
• When you load Google JS scripts, you submit this key
  
• If the key is not registered for the domain from which you are trying to view the map, there is a alert message, saying " o   Google Maps API server rejected your request. This can be   because the API key used on this site is registered for a site   different. "      
  • but the map seems to be displayed anyway - at least on my test server
    
  
• This alert is really annoying to the end user , and I do not think anyone would like a message to be displayed on your site   because they are using the service without authorization ...
  

Maybe you can take a look at how this is done on Google Maps   : -)