httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Apache 1.3.27 mod_rewrite question
Date Mon, 06 Jan 2003 21:44:52 GMT

On Mon, 6 Jan 2003, Troy G. wrote:
> working fine.  Any static images behind
> the protected url works fine.  Now the problem starts here with trying to
> stream content.  I have some Windows
> media files in the same directory as the static jpg's.  When an authorized
> host tries to view this stream, windows
> media player says that the file is corrupt and cannot be viewed.

Some apps don't send referer headers.  That's life.  It means that you
can't trust the referer header restriction as a 100% reliable form of
access control.  It also means that you should ALWAYS add a rule that
allows clients through if the referer header is empty.  The consequences
of allowing through clients that send no referer are:

1. People can type the URL in directly and get to the content.

2. Some clients (e.g. streaming media clients) will not be restricted at
all.

Number 1 is not very important, because you are trying to restrict other
websites from linking, not users themselves.  Number 2 could be a problem,
but is rather unavoidable given the underlying technology.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
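
The empty-referer exception described in the reply above, as an added example that is not part of the original message. The host name `www.example.com` and the file extensions are assumptions; the original poster's actual rules are not shown on this page.

```apache
# Added illustration; place in the server config or the .htaccess of the
# protected directory. Host name and extensions below are placeholders.
RewriteEngine On

# Before (kept commented out): the only test is "Referer is not our site".
# A request with no Referer header at all also fails that test, so media
# players and other clients that omit the header get 403 Forbidden.
#
#   RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
#   RewriteRule \.(jpe?g|wmv|asf)$ - [F,NC]

# After: the two conditions are ANDed. The request is refused only when a
# Referer header is present AND it points somewhere other than our site.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|wmv|asf)$ - [F,NC]

# Outcome for a request to /protected/clip.wmv under the "after" rules:
#   Referer: http://www.example.com/page.html  -> served (our own page)
#   Referer: http://other.example.net/page     -> 403 (foreign site linking)
#   (no Referer header)                        -> served (direct URL, media player)
```

The last outcome is the trade-off the reply lists as consequences 1 and 2: clients that send no referer are not restricted, so this rule limits linking from other sites and is not access control.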

