Flag in php How to determine CSS / JS was being accessed or called from?

is there any flag in php to determine if my JS / CSS being called from? What I mean is,

To determine if the JS is bein开发者_如何学编程g called from

<script type="text/javascript" src="http://www.example.net/assets/js/jsGeneratedFrom.php"></script>

or from

the user directly hit http://www.example.net/assets/js/jsGeneratedFrom.php from their browser's url address field.

as well as CSS to determine from where is the css was calling from

<link type="text/css" rel="stylesheet" href="http://www.example.net/assets/css/cssGeneratedFrom.php" />

or from

the user directly hit http://www.example.net/assets/css/cssGeneratedFrom.php from their browser's url address field.

because I need to setup a different behavior for those kind of css/js access method

So, is there anyone who has played with this before and has some advice?

Thanks in advance!

AnD

I'd recommend looking at the Accept header of the request. A request from a link tag (for CSS) or script tag (for JS) might have Accept types of text/css and text/javascript (or application/javascript), respectively. A request for the CSS or JS directly will probably have some or all of application/xml, application/xhtml+xml, text/html, or text/plain.

The exact contents of the header will probably be browser-specific, but you may be able to find a consistent pattern. Perhaps use this along with SuperDuck's techniques?

Alternatively, you can add a querystring parameter to the URL in your link tag, to identify the source of the request: <link type="text/css" rel="stylesheet" href="http://www.example.net/assets/css/cssGeneratedFrom.php?from=browser" />. It won't stop false positives, but as SuperDuck said, you'll be sending the data to the browser regardless, so you can't protect your CSS and JS this way.

Ok first, HTTP-Referrer is the only way to see where a file is requested from. And as you see it's not reliable, can be automatically or manually set by the client. Or not set at all, because of the client settings.

Also if your aim is to protect the file contents, note that it's not possible, as in the end you're sending it to the client in a readable form. So even if you include the script on the page source, it will be readable again by taking a look at the page source.

But if what you need is just a little trick for any reason, you can use time frames + hashes. This is normally used to prevent visitors request a page they are not intended to. Like opening every page of a list by changing URL parameters, without clicking on anything.

When the page is requested, you can define a time-frame, say 30 secs, so the visitor may only get the script file in 30 secs after requesting the page. You add the ending time to the script url as a parameter, and add a hash code for the link, so the ending time can't be changed by the user.

Hash code here works as a complex string, or a signature, which depends on the text you want to lock against changes. It's like sending a number along with it's square-root, so if the visitor changes the number (and doesn't know what the other number is intended for) you can see the numbers are modified, as the new number's SR won't match.

Of course you can use more complex algorithms than a square-root, like MD5, which is very hard or impossible to reverse.

So in short; now you have the end date&time in your script URL, and a hash code depends on the URL (or on the end date&time). When you get a request for the script, you can compare it with the real-time to see if the end time has passed and if not, you can check to see if the hash matches the parameter, so the ending time in the URL is not modified by someone. If all is ok, you send the script, and if not, you can send an alternative content.

But again, if your intention is content protection, don't rely on it; there is no way, as someone can just take a look live on the DOM and loaded files to see it.