httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject Re: [users@httpd] Apache 1.3.27 mod_rewrite question
Date Mon, 06 Jan 2003 21:44:52 GMT
On Mon, 6 Jan 2003, Troy G. wrote:
> working fine.  Any static images behind
> the protected url works fine.  Now the problem starts here with trying to
> stream content.  I have some Windows
> media files in the same directory as the static jpg's.  When an authorized
> host tries to view this stream, windows
> media player says that the file is corrupt and cannot be viewed.

Some apps don't send referer headers.  That's life.  It means that you
can't trust the referer header restriction as a 100% reliable form of
access control.  It also means that you should ALWAYS add a rule that
allows clients through if the referer header is empty.  The consequences
of allowing through clients that send no referer are:

1. People can type the URL in directly and get to the content.

2. Some clients (eg. steaming media clients) will not be restricted at

Number 1 is not very important, because you are trying to restrict other
websites from linking, not users themselves.  Number 2 could be a problem,
but is rather unavoidable given the underlying technology.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message