I wondered if there is a way to code my page to sniff out the window opener value and close the window if it's not an address from my own domain. In other words, I want the window to automatically close if www.badguys.com puts my page in their pop-up window.
A quick search of the web reveals tons of examples for breaking out of other sites' frames, but breaking out of another site's pop-up seems more elusive.
<script type="text/javascript">
<!--
var loc = null;
if (window.opener) {
    loc = window.opener.location.href;
}
// guard against a null loc when the page was not opened as a pop-up
if (loc && loc.search(/badguys\.com/i) > -1) {
    self.close();
}
//-->
</script>
Or reverse the logic...
...
if ((loc) && (loc.search(/yoursite\.com/i) == -1)) {
    self.close();
}
...
Or you could also make it generic...
...
if (window.opener) {
    self.close();
}
...
Jordan
See [camaro.com...]
In this test, camaro.com is the "bad guy" trying to pop up the page at [rpmworld.com...]
Using the reverse logic you described, the pop up should only allow a window.opener from the rpmworld.com domain, but it works anyway. Did I do something wrong?
Since I will only know the good sites and not the bad guys, I have to filter out everything but my own domain. I also want to be sure the page appears in a pop-up window at my site, so if there is no window.opener value the page should redirect (because someone is hard linking to it, and we don't want that).
Error: uncaught exception: Permission denied to get property Location.href
But...since you only want to check that the site is in the same domain as your (i.e., is a good site), you can use this behavior to your advantage...
<script type="text/javascript">
<!--
var loc = null;
try {
    if (window.opener) {
        loc = window.opener.location.href;
    }
    if ((loc) && (loc.search(/rpmworld\.com/i) == -1)) {
        self.close();
    }
}
catch(e) {
    if(e.indexOf("Permission denied to get property") > -1) {
        self.close();
    }
}
//-->
</script>
You should (theoretically) only reach the exception if the site that opened the window is from a different domain -- in which case the exception is silently caught and the window is closed.
I think that will work.
Jordan
The way the script is set up, it shouldn't be catching any other errors, so it should be safe to change the catch block to...
catch(e) {
    self.close();
}
...and just cut out the check...this way it should work in IE as well. At least, I think so...but of course, no guarantees, lol. :)
Jordan
I added one more line to your code that stops hard linking as well. I don't know if this is good Javascript coding or not, but it seems to do the trick:
<script type="text/javascript">
<!--
var loc = null;
try {
    if (window.opener) {
        loc = window.opener.location.href;
    }
    if ((loc) && (loc.search(/rpmworld\.com/i) == -1)) {
        self.close();
    }
    if (loc == null){
        if(document.referrer.indexOf("http://www.rpmworld.com")==-1) location = 'index.html';
    }
}
catch(e) {
    self.close();
}
//-->
</script>
Also, you'll have to pardon my rudeness, I don't know where my manners went! Welcome to WebmasterWorld!
The script looks fine, but it can be optimized a bit further and cleaned up a bit (not that there was anything wrong with your formatting, I'm just a symmetry-freak...everything has to match or I'll break out in a cold sweat ;p ).
<script type="text/javascript">
<!--
var loc = null;
try {
    if (window.opener) {
        // only need to catch this assignment's failure
        loc = window.opener.location.href;
    }
}
catch (e) {
    // assignment failed; assuming cross-domain popup
    self.close();
}
if (loc) { // assignment worked, loc is not null
    // assuming same-domain popup, do nothing, clean up
    // (delete has no effect on a var-declared variable, so reset it instead)
    loc = null;
}
// check if it's a cross-domain reference
if (document.referrer.search(/rpmworld\.com/i) == -1) {
    // ...if so, only give it the front page
    window.location.href = 'http://rpmworld.com/index.html';
}
//-->
</script>
Couple points of explanation:
The indexOf() method looks for a string as a substring of another string -- it returns the position in the search string of the substring, or -1 if it's not found.
The search() method looks for a Regular Expression (RegExp) pattern in a string using an internal RegExp match operation -- it returns the position in the search string of the RegExp pattern match, or -1 if it's not found.
A 'literal' RegExp pattern is delimited by // and the pattern goes between with any operators after (operators are i for case insensitive and g for global), any special chars should be escaped (\). So the RegExp '/rpmworld\.com/i', matches 'rpmworld.com', case insensitively.
Happy coding. :)
Jordan
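Added example, not code from any poster in this thread: the opener and referrer checks above match `rpmworld.com` anywhere in the URL, so a lookalike hostname or a query string containing that text also passes. This sketch parses the URL and compares the hostname against an exact allowlist instead. The function names, the `TRUSTED_HOSTS` list, the sample URLs and the window stand-ins are assumptions constructed for illustration so the logic runs outside a browser.

```javascript
// Added example; hostnames in TRUSTED_HOSTS are assumed from the thread.
const TRUSTED_HOSTS = new Set(["rpmworld.com", "www.rpmworld.com"]);

// The thread's check: substring match anywhere in the URL.
function substringCheck(url) {
  return url.search(/rpmworld\.com/i) !== -1;
}

// Stricter check: parse the URL and compare the hostname exactly.
function isTrustedUrl(url) {
  try {
    const u = new URL(url);
    return /^https?:$/.test(u.protocol) && TRUSTED_HOSTS.has(u.hostname);
  } catch (e) {
    return false; // empty or malformed URL (e.g. no referrer sent)
  }
}

// Decide what the popup page should do: "allow", "close" or "redirect".
// win is a window-like object; referrer is document.referrer.
function decide(win, referrer) {
  if (win.opener) {
    let href;
    try {
      href = win.opener.location.href; // throws for a cross-origin opener
    } catch (e) {
      return "close";
    }
    return isTrustedUrl(href) ? "allow" : "close";
  }
  // No opener: hard link or direct visit, so fall back to the referrer.
  return isTrustedUrl(referrer) ? "allow" : "redirect";
}

// Constructed stand-ins for browser objects.
const sameSite = { opener: { location: { href: "http://www.rpmworld.com/gallery.html" } } };
const crossSite = { opener: { get location() { throw new Error("Permission denied"); } } };
const noOpener = { opener: null };

// Constructed lookalike URLs that contain the trusted name as a substring.
const lookalikes = [
  "http://rpmworld.com.badguys.example/popup.html",
  "http://badguys.example/page.html?ref=rpmworld.com",
];
for (const url of lookalikes) {
  console.log(url, "substring:", substringCheck(url), "exact host:", isTrustedUrl(url));
}
console.log(decide(sameSite, ""), decide(crossSite, ""), decide(noOpener, lookalikes[1]));
```

In a page, call `decide(window, document.referrer)` and act on the result; a visitor whose browser withholds the referrer is treated the same as a hard link.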