Server headers, referrers, etc

I have a script, called javascript.php, which I include in my SCRIPT tag in my html, like this:

<script type="text/javascript" src="javascript.php"></script>

What I would like to know, is it possible under the javascript.php to check if someone directly accessed it, like:

http://myhost.com/javascript.php

And if someone included it in his HTML?

More precisely: Is there a header which the server receives from the client if he requested it directly via URL, or via the SCRIPT request under the HTML sources?


No, there won't be anything guaranteed with that.


Simple solution which MAY decrease "silly" attempts to include your script:

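if (!empty($_SERVER['HTTP_REFERER'])) { // PHP exposes the Referer header under this single-R key
    // Returns null or false when no host can be parsed from the header
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    $allowed_hosts = array('example.com');

    // Strict comparison so a missing host never matches an allowed entry
    if (!in_array($host, $allowed_hosts, true)) {
        exit;
    }
}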

As guys mentioned above, the referrer header could be manipulated easily. If you really want to prevent this issue, you can add to the script path some GET parameters which are generated using a simple rule, and then check them. For example:

index.php

$c1 = rand();
$c2 = md5($c1.'HAHA');
$codes = '?c1='.$c1.'&c2='.$c2;
...
<script type="text/javascript" src="javascript.php<?php echo $codes; ?>"></script>

script.php

// Strict comparison: with != two hex digests that look numeric (e.g. "0e...") compare as equal
if(!isset($_GET['c1']) || !isset($_GET['c2']) || md5($_GET['c1'].'HAHA') !== $_GET['c2']) {
    exit;
}
...

The drawback of this solution is that your JS file will not be cached by the browser, because it will be called with different parameters every time.
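
A variant of the GET-parameter check described in the answer above, as an added example that is not part of the original post: the token is an HMAC over a five-minute time window, so the URL stays identical long enough to be cached and is rejected once the window has passed. The function names, parameter names `b` and `s`, the secret and the window length are assumptions.

```php
<?php
// Added example: hypothetical helper names, placeholder secret, assumed window length.
const SCRIPT_SECRET = 'replace-with-random-server-side-secret'; // placeholder value
const WINDOW_SECONDS = 300; // the URL is identical for 5 minutes, so it can be cached

// Build the query string for the <script src> emitted by index.php.
function script_query(?int $now = null): string
{
    $bucket = intdiv($now ?? time(), WINDOW_SECONDS);
    $sig = hash_hmac('sha256', (string) $bucket, SCRIPT_SECRET);
    return '?b=' . $bucket . '&s=' . $sig;
}

// Check the parameters at the top of javascript.php.
function script_query_valid(array $get, ?int $now = null): bool
{
    $b = $get['b'] ?? null;
    $s = $get['s'] ?? null;
    // Reject missing values and array input such as ?b[]=1
    if (!is_string($b) || !is_string($s) || !ctype_digit($b)) {
        return false;
    }
    $current = intdiv($now ?? time(), WINDOW_SECONDS);
    // Accept the current window and the previous one (page loaded just before rollover).
    if ((int) $b !== $current && (int) $b !== $current - 1) {
        return false;
    }
    $expected = hash_hmac('sha256', $b, SCRIPT_SECRET);
    return hash_equals($expected, $s); // constant-time, no type juggling
}

// Constructed demonstration with a fixed clock value.
$now = 1700000000;
parse_str(ltrim(script_query($now), '?'), $params);
var_dump(script_query_valid($params, $now));                      // link used inside its window
var_dump(script_query_valid($params, $now + 2 * WINDOW_SECONDS)); // same link two windows later
$params['s'] = md5($params['b'] . 'HAHA');                        // signature made without the secret
var_dump(script_query_valid($params, $now));
```

A valid URL can still be copied out of the page source until its window ends, so this limits how long a copied link works; it does not tell the server whether the request came from a SCRIPT tag or from the address bar.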


$_SERVER['HTTP_REFERER']

but this is sent by the user agent, which means they can send anything they would like to
