A question much like yours was asked on Stack Overflow in English. One answer, which I will translate freely below (since we are on the Portuguese SO), is particularly complete, in my opinion, and brings the most useful considerations for your problem.
Given that the client (the user's browser) can send anything it wants, I'd say there's no way to be sure which site your script is called from:
- Since you want to know the URL of the website that embeds your widget, not the user's address, $_SERVER['REMOTE_HOST'] will not help
- $_SERVER['HTTP_REFERER'] may seem OK, but in fact it is not:
  - The client does not have to send [HTTP_REFERER] and does not always do so
  - As it is sent by the client, it can be forged or counterfeited with ease
So, I would say that there is no real solution to this problem, at least on the server side (if I'm wrong, I'm interested to know!)
But maybe you can do something on the client side: while I was writing all this, I thought about Google Maps and its API key system:
- You have a (unique) API key for your domain
- When you load Google's JS scripts, you submit this key
- If the key is not registered for the domain from which you are trying to view the map, there is an alert message saying "The Google Maps API server rejected your request. This can be because the API key used on this site is registered for a different site."
  - But the map seems to be displayed anyway, at least on my test server
  - This alert is really annoying to the end user, and I do not think anyone would like a message to be displayed on their site because they are using the service without authorization...
Maybe you can take a look at how this is done on Google Maps :-)
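The client-side key check described above could look like the following. This is an added example, not part of the original answer and not Google's code; the registry, the function names and the sample keys and domains are assumptions constructed for illustration.

```javascript
// Added example: client-side domain check for an embeddable widget.
// REGISTERED_KEYS, normalizeHost, hostMatches and checkEmbedding are
// hypothetical names; the keys and domains are constructed sample data.

// Constructed registry: API key -> domains the key was issued for.
// Assumption: the server looks the key up and embeds this data in the
// script it serves to the embedding page.
const REGISTERED_KEYS = {
  "key-aaa111": ["example.com"],
  "key-bbb222": ["shop.example.org", "example.net"],
};

// Lower-case the host, then strip any port and a trailing dot.
function normalizeHost(host) {
  return String(host).trim().toLowerCase()
    .replace(/:\d+$/, "")
    .replace(/\.$/, "");
}

// True when host is the registered domain itself or a subdomain of it.
// Matching on a "." boundary keeps "notexample.com" from passing as
// "example.com", which a plain suffix comparison would allow.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns "ok", "unknown-key" or "wrong-domain".
function checkEmbedding(apiKey, pageHost, registry = REGISTERED_KEYS) {
  // hasOwnProperty avoids treating inherited names ("constructor") as keys.
  if (!Object.prototype.hasOwnProperty.call(registry, apiKey)) {
    return "unknown-key";
  }
  const host = normalizeHost(pageHost);
  const allowed = registry[apiKey].some((d) => hostMatches(host, normalizeHost(d)));
  return allowed ? "ok" : "wrong-domain";
}

// In a browser, the widget loader runs the check against the embedding page.
// The check executes on the client, so like the alert in the answer it
// warns rather than enforces.
if (typeof window !== "undefined" && window.location) {
  if (checkEmbedding("key-aaa111", window.location.hostname) !== "ok") {
    window.alert("This API key is not registered for this site.");
  }
}
```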