Prevent hotlinking

Gabriel Ramuglia gabe at vtunnel.com
Mon Apr 13 00:01:11 MSD 2009 

Flash has surprisingly little flexibility with determining what
headers are sent to the server when you request files. It does what it
does and if you don't like it, tough. That's the conclusion I came to
in researching to design a couple flash applications, as well as to
lock down video files for a project I was working on.

Sometimes this is for security purposes. You aren't supposed to be
able to request files from a different domain than the SWF was sourced
from (unless a crossdomain.xml file on that domain specifically allows
it). I've noticed that although this is supposed to be a hard and fast
rule, some video players are able to source their video files (.flv)
from sites other than where the SWF was sourced, even if
crossdomain.xml doesn't allow it. This is probably a bug or the result
of some arcane Flash behaviour, rather than something the designer of
the SWF can decide upon.

Either way, you need to be prepared, in flash, for the likelihood that
it will either send the proper referrers, or no referrers whatsoever,
and you really have no control over which will be the case.

On Sun, Apr 12, 2009 at 12:05 PM, Michael Shadle <mike503 at gmail.com> wrote:
> Possibly could be based on the player. I'm sure you can code in the headers.
>
> On Apr 12, 2009, at 12:00 PM, Gabriel Ramuglia <gabe at vtunnel.com> wrote:
>
>> Flash players may or may not send referrers. It seems to vary based on
>> the web browser used. Documentation for flash would lead me to believe
>> that it never sends referrers, but practical experience shows that
>> this is not true, it does sometimes send headers, and sometimes not,
>> in a mostly unpredictable way.
>>
>> On Sun, Apr 12, 2009 at 11:44 AM, Michael Shadle <mike503 at gmail.com>
>> wrote:
>>>
>>> And video embedding is infamous for not sending info. At least windows
>>> media
>>> player type embedding. Not sure if flash players are better.
>>>
>>> On Apr 12, 2009, at 11:35 AM, Gabriel Ramuglia <gabe at vtunnel.com> wrote:
>>>
>>>> Your browser will almost always send referrers. As mentioned,
>>>> sometimes a security suite will block referrers. Sometimes flash won't
>>>> send referrers when it makes requests (sometimes it will). You just
>>>> want to also allow blank referrers in addition to the "correct"
>>>> referrers.
>>>>
>>>> On Sun, Apr 12, 2009 at 10:41 AM, Max <maxbear at gmail.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> Thanks. I tried that. But it's still not working. I am using wordpress.
>>>>> Don't know what referrer header wordpress send.
>>>>>
>>>>> Max
>>>>>
>>>>> On Mon, Apr 13, 2009 at 12:40 AM, Michael Shadle <mike503 at gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Try
>>>>>>
>>>>>> "valid_referers none blocked *.etc.com etc"
>>>>>>
>>>>>> perhaps you're not sending a referrer header. Some "internet security
>>>>>> suites" do that for "privacy" and I hate them. or malfunctioning
>>>>>> browsers or some browsers include that option now.
>>>>>>
>>>>>> that's the only thing I see wrong there.
>>>>>>
>>>>>> On Sun, Apr 12, 2009 at 8:45 AM, Max <maxbear at gmail.com> wrote:
>>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I tried to use the following code to prevent hotlinking. But it
>>>>>>> blockes
>>>>>>> myself as well, anyone got any idea?
>>>>>>>
>>>>>>> location ~* (\.jpg|\.png|\.css)$ {
>>>>>>>   valid_referers blocked domain.com *.domain.com;
>>>>>>> if ($invalid_referer) {
>>>>>>> return 404;
>>>>>>> }
>>>>>>> }
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> Max
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>

More information about the nginx mailing list