On my client's website there is a 'find address' button on a contact form where people can fill in their postcode and it will send an AJAX request to a PHP script to return street name, town and county.

This PHP script queries a SOAP web service and my client is charged for each postcode lookup that is performed.

It would be trivial for someone with a basic knowledge of development to hotlink my JavaScript file and start using my client's postcode search functionality free of charge, while costing my client money.

With this in mind I've written my JavaScript like this:

Code JavaScript:
(function() {
 
    if('www.mydomain.com' == window.location.hostname) {
 
        myButton.onclick = function() {
            doAjaxyStuff('myPostcodeScript.php');
        };
 
    }
 
})();

I wanted to know if there was any chance somebody could somehow forge the window.location object on their own site and trick my code into running.

Any input would be much appreciated

P.S. I know that I can control access to the script using the HTTP_REFERER request header. I also know that this can be faked or not present at all so would rather not rely on it if possible.