`referer` is as close as you can get before getting into really complicated territory.
While it can be spoofed, it can only be spoofed by the client. A third party website couldn't make the client spoof it.
That said, `referer` is optional. Browsers don't have to send it, and they tend not to under quite a lot of circumstances (such as when the referring document was served over HTTPS).
The following might work…
- iframe.example.com uses server-side code to request a token from framed.example.net; the request includes the IP address of the browser and a password authorising iframe.example.com to frame framed.example.net
- framed.example.net generates a token and gives it to iframe.example.com, registering it against the IP address of the browser
- iframe.example.com generates a URI with the token in the query string and uses it as the src of the iframe
- framed.example.net checks that the token exists and the IP address in the record matches the IP address the request came from (the browser)
This will generate false negatives when the browser doesn't have a consistent IP address (such as when behind a group of proxy servers, which I seem to recall is quite common in cellular broadband), so I wouldn't recommend it.
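The four steps above as a runnable sketch, added here as an illustration and not part of the original answer. The `/widget` path, the shared password value, the 60-second lifetime and the single-use rule are assumptions the answer does not specify.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

PARTNER_PASSWORD = "constructed-shared-secret"  # placeholder credential for iframe.example.com
TOKEN_TTL = 60  # seconds; assumption, the answer gives no lifetime


class FramedSite:
    """Token logic that would live on framed.example.net."""

    def __init__(self):
        self._tokens = {}  # token -> (browser_ip, expiry timestamp)

    def issue_token(self, password, browser_ip, now=None):
        # Steps 1-2: authenticate the framing site, then bind a random
        # token to the browser IP it reported.
        now = time.time() if now is None else now
        if not hmac.compare_digest(password.encode(), PARTNER_PASSWORD.encode()):
            raise PermissionError("framing site not authorised")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (browser_ip, now + TOKEN_TTL)
        return token

    def allow_frame(self, url, request_ip, now=None):
        # Step 4: the token must exist, be unexpired, and have been
        # registered against the IP the browser request comes from.
        now = time.time() if now is None else now
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        record = self._tokens.pop(token, None)  # single use (assumption)
        if record is None:
            return False
        bound_ip, expiry = record
        return now <= expiry and hmac.compare_digest(bound_ip, request_ip)


def build_iframe_src(token):
    # Step 3: iframe.example.com places the token in the iframe src query string.
    return "https://framed.example.net/widget?" + urlencode({"token": token})
```

A browser whose request reaches framed.example.net from a different address than the one iframe.example.com saw is rejected, which is the false negative described above.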