On my client's website there is a 'find address' button on a contact form where people can fill in their postcode and it will send an AJAX request to a PHP script to return street name, town and county.
This PHP script queries a SOAP web service and my client is charged for each postcode lookup that is performed.
I wanted to know if there was any chance somebody could somehow forge the window.location object on their own site and trick my code into running.
Any input would be much appreciated.
P.S. I know that I can control access to the script using the HTTP_REFERER request header. I also know that this can be faked or not present at all, so I would rather not rely on it if possible.
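Added example (not the asker's code): one way to gate the lookup endpoint without relying on the Referer header. It assumes the contact form page has already run `session_start()` and embedded a per-session token (say `$_SESSION['lookup_token']`, generated with `bin2hex(random_bytes(32))`) in the page, and that the AJAX call POSTs that token back as a `token` field next to `postcode`. A page on another origin cannot read that token, so it cannot build a valid request whatever it does with `window.location`. The name `doPostcodeLookup()` and its return shape are assumptions standing in for the real SOAP call.

```php
<?php
// lookup.php: added example, not the asker's code. Assumes the form page issued
// $_SESSION['lookup_token'] and the AJAX request POSTs it back as "token".
// doPostcodeLookup() stands in for the paid SOAP call (assumed name/shape).

declare(strict_types=1);

session_start();
header('Content-Type: application/json; charset=utf-8');

const MAX_LOOKUPS_PER_HOUR = 20; // per session; tune to real form usage

function respond(int $status, array $body): void
{
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// Stub for the paid SOAP lookup (assumed name and return shape).
function doPostcodeLookup(string $postcode): array
{
    // Real code would call SoapClient here and map the response fields.
    return ['street' => 'Example Street', 'town' => 'Exampletown', 'county' => 'Exampleshire'];
}

// 1. POST only: a cross-site <img> or <script> tag can only issue GETs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, ['error' => 'POST required']);
}

// 2. Session-bound token. Another origin cannot read it, so it cannot forge a
//    valid request regardless of window.location or Referer tricks.
//    hash_equals() keeps the comparison constant-time.
$expected = $_SESSION['lookup_token'] ?? '';
$supplied = $_POST['token'] ?? '';
if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
    respond(403, ['error' => 'invalid or missing token']);
}

// 3. Validate the postcode before spending money on it. Pattern covers the
//    standard UK outward/inward format (e.g. "SW1A 1AA", spaces removed).
$postcode = $_POST['postcode'] ?? '';
if (!is_string($postcode)) {
    respond(400, ['error' => 'postcode must be a string']);
}
$postcode = strtoupper((string) preg_replace('/\s+/', '', $postcode));
if (!preg_match('/^[A-Z]{1,2}\d[A-Z\d]?\d[A-Z]{2}$/', $postcode)) {
    respond(400, ['error' => 'postcode format not recognised']);
}

// 4. Per-session rate limit. A visitor scripting the real page from the browser
//    console still holds a valid token, so the token alone does not cap cost;
//    this does. Timestamps live in the session and are pruned to the last hour.
$now  = time();
$hits = array_values(array_filter(
    $_SESSION['lookup_hits'] ?? [],
    fn(int $t): bool => $t > $now - 3600
));
if (count($hits) >= MAX_LOOKUPS_PER_HOUR) {
    respond(429, ['error' => 'too many lookups, try again later']);
}
$hits[] = $now;
$_SESSION['lookup_hits'] = $hits;

// 5. Only now hit the paid service.
respond(200, doPostcodeLookup($postcode));
```

Two caveats worth keeping in mind. The token blocks third-party pages, but anyone who can load the client's own form can script the endpoint from that page, so the per-session rate limit (and, if the volume justifies it, a server-side cache of recent postcode results) is what actually bounds the bill. Setting the session cookie with `SameSite=Lax` or `Strict` in `session_set_cookie_params()` adds a second, browser-enforced layer against cross-site POSTs; a Referer or Origin check can still be layered on top as defence in depth, just not as the only control.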