Is it a good idea to allow users to use a remote image URL as an avatar? - html

I am working on an online community where users will have a profile page, where they can upload an image of their choice or give the URL of a remote image.
So is it good to just store the remote image URL and not the image itself, and use it on the profile page like this:
<img src="remote_image_url">
or download the image from the remote URL and store it on the local/our server for later use, like this:
<img src="path_on_our_server">
I am thinking from the hack-proofing point of view: are there any issues if I allow users to use a remote image and use it as it is, instead of downloading it onto our servers?

You should store the image; loading a remote URL which you don't have control over is always dangerous.
To expand:
A user adds their avatar as www.example.com/pic.jpg. They then notice that you are simply including that URL on your site, so they change their avatar to www.example.com/hack.js and you still include this file, so now any JS they add in that file will be run on their site.
An embedded JS inclusion like this is a hacker's dream and is DEFINITELY a HUGE security flaw. If you want to read a bit about a real-life example of one of these attacks, eBay was caught out by one last year - http://www.infosecurity-magazine.com/news/ebay-under-fire-after-cross-site/

Think about what risks you are trying to mitigate.
Whether you let users upload images to your site or add links to remote image locations, bad people will do bad things. If you let people upload images to your server, there could be attack vectors against your server (vulnerability in image processing libraries triggered by deliberately malformed images). If you let people add links to remote images, the remote images could be malicious to target browser vulnerabilities (and your site then appears to be hosting malicious images).
If you care about people uploading profile images that are inappropriate then you will need active curation of some kind.
The Gravatar service specializes in hosting profile avatar images and has a Terms of Service squad to "police" avatar content.
http://gravatar.com

By using the user's avatar url in your code you're actually making all your visitors visit that user's site as well. The user will be able to track who looks at the image and when.
This is pretty much how analytics tools work. By requesting a resource from a third party site, the third party can track your users.
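
An added example, not part of any answer above: a server-side check for the "download and store it" option, written in Python as an assumption since the question names no server language. It takes bytes already fetched from the user's URL, rejects anything that is not a PNG, JPEG or GIF (such as the hack.js case in the first answer), and renders the avatar from a content-hash name on our own server, so visitors never contact the remote host. MAX_AVATAR_BYTES, AvatarStore and the /avatars/ path are hypothetical names, and the sample inputs are constructed.

```python
import hashlib
import html

MAX_AVATAR_BYTES = 512 * 1024  # assumed size cap (hypothetical value)

# Leading "magic" bytes of the image formats this example accepts.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image_type(data):
    """Return the extension implied by the leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

class AvatarStore:
    """Hypothetical in-memory stand-in for files saved on our server."""
    def __init__(self):
        self.files = {}    # local name -> image bytes
        self.avatars = {}  # user -> local name

    def save(self, user, data):
        """Validate bytes fetched from the user's URL and pin a local copy."""
        if len(data) > MAX_AVATAR_BYTES:
            raise ValueError("avatar exceeds size cap")
        ext = sniff_image_type(data)
        if ext is None:
            raise ValueError("content is not a PNG, JPEG or GIF")
        # Name comes from the content hash, never from the remote URL.
        name = hashlib.sha256(data).hexdigest() + "." + ext
        self.files[name] = data
        self.avatars[user] = name
        return name

    def img_tag(self, user):
        """Render <img src="path_on_our_server"> for the pinned copy."""
        src = "/avatars/" + self.avatars[user]
        return '<img src="%s">' % html.escape(src, quote=True)

# Constructed samples: a PNG header with padding, and script text.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"alert(1);"
```

The signature check only looks at the leading bytes and does not decode the file, so the image-library risk raised in the second answer still applies to anything that later processes the stored copy.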

Related

Outlook modifies link for local images itself, how to prevent that?

I currently would like to send newsletters to all the people of a specific company.
For privacy and security reasons I'm forced to host all the newsletters on their own server, including the images, I can't put that content on a web server.
Because of that, all the URLs and images are network URLs, e.g.
'file://nameOfTheServer.something.cool/newsletters/img.jpg'
However, I'm not on the same network, I send the newsletters from my office.
Because of that, I have the feeling that at the insertion of the emails, Outlook 2010 doesn't find the local urls and modifies it.
'file://nameoftheserver' becomes 'file:///\nameoftheserver', therefore, the image isn't displayed anymore once received by the people.
If I try to send the same e-mail with another e-mail address, while being on the same network, this works: the URLs aren't modified, and are still the same...
Any idea on a way I could solve it?
Regards,
You have to change the format of the URL address; it is very important to properly reference resources to be loaded from a web server, even if it is an intranet. As you mention, you're using file://, but for this case you really must use http://. Be aware that external links to resources (any that are not attached to the same email message) can be blocked (in this case images) by email clients, antivirus software or even the email provider. Because of this, probably, people who read the email will get a warning about external content being loaded, and images won't show properly until the reader confirms loading the images from the external site (even an intranet is considered an external one).
Maybe you're wondering about some emails you received that show images when opened with no warning shown. It is because the images are not being referenced from external sites; the images are included inside the email's body as attachments, so it is a local reference, which is considered "safe".

Serving local file:/// links and AppCache

I'm making a webapp for members of my caving club to search through and view cave survey note PDFs. It works fine, and I got the AppCache working for the web version of it.
However, since the PDFs are quite large and slow to download, and many members have the PDFs on their local machines from the same SVN the website gets them from, it would be ideal for them to be able to use a page with links to a local SVN folder of their choosing.
The design goals:
1. The site displays links to PDF files on the local filesystem
2. Whenever I add features to the site, users get them automatically the next time they open the page and they're connected to the internet
3. But after the first time they open the page, the site works offline.
Sadly web browsers don't appear to support this useful combination of design goals at once.
I can satisfy #1 by having users download a copy of the site, add their local SVN path in a JS, and open their local copy in the browser, so that file:/// links work.
I can satisfy #2 by having absolute links to JS bundles on the server.
I can satisfy #3 by using the AppCache.
I thought I could get clever by having the copy of the page on the local file system have <html manifest="https://myserver.com/myapp.appcache">, but unfortunately Chrome doesn't seem to allow a local file to use an app cache manifest hosted on a server, for seemingly no good reason to me.
Does anyone know of another way I could satisfy all 3 goals?
Perhaps there's some simple program/config I could give my friends that would intercept web requests to https://myserver.com/some/folder and instead serve them out of a folder on their local file system?
Andy,
I know this post is a bit old but came across it looking for something else related to AppCache. My understanding is that the HTML page and the manifest must reside in the same domain for it to work. So I think you need to modify your design:
Create a JavaScript function that acts as a setting for the user to enter the path to their local copy of the PDFs. Store this information in localStorage.
Create an HTML template page for the document links.
Create a JavaScript function that populates the HTML template page with any documents and links the user enters.
This way, the users visit your application online and it uses AppCache to store itself and the JS files for offline use. To access the PDFs, the user clicks a settings button that launches a page to collect path information and saves the information in localStorage. The users can then access the template page, which will populate with the documents they entered.
Here is a good intro to localstorage: [http://www.smashingmagazine.com/2010/10/local-storage-and-how-to-use-it/]

To hide the path and url of videos on my website

I just want to know: I am preparing a website regarding videos. I want to upload them to my server or a third party's server, but I do not want to show the path of the video. Is it possible?
Not really. The source of the stream will always be known by the client - the client can't receive from a black hole.
Using Flash you could try to hide it, but only from non-technical users. If you're trying to protect the IP of the source, you might look into a proxy solution.

Possible to load external jpg and serve as local url? Redirect w/o .htaccess?

I'm hosting images for client websites. I want them to be able to link to the images locally, i.e. www.myclient.com/clip1.jpg, but have the image actually loaded from www.mysite.com/clip1.jpg. The idea is to provide security/anonymity so the client doesn't have to reveal that they are using my service (through the images on my site).
Can this be done without editing .htaccess?
Thanks,
skibulk
If you don't want to reveal where the final origin is, then the image has to come from the server that you want it to appear to come from. A redirect will reveal the real origin.
You can proxy the images with Apache directives, the equivalent for whatever non-Apache server is in use, or a server-side script (written in the language of your choice that is supported by the server).
Just copying the images would probably be the most efficient approach though.

How do I create a website using HTML?

I have recently learned how to write HTML pages on a standalone computer, with all the references given to the directories in the local drives.
How, then, can I do the following:
Create a website, using HTML. I know I'll be able to create its look, but I don't know what should be given as the reference address (URL) if there is a hyper link (like: href). So how do I get an address that can be used on the Internet?
How do I upload this file to the Internet, do I have to upload it onto a server? If yes, which?
If there are multiple pages then how do I create references between?
Most importantly if I have to create this site should I use HTML, or something else?
When developing a website you will want to observe the following:
You need to register a domain name that you want people to use to access your site. You can do this using any number of online registrars
You will have to get a web host...again there are many. They will give you instructions to upload using FTP or otherwise
The references between pages on your website will have to use relative addresses. That is /page2.html rather than http://www.myserver.com/page2.html.
You have to use HTML to create the front end. Plus CSS and maybe JavaScript. If you need dynamic content like accessing a database etc then you have to learn server side languages like PHP, ASP.NET or JSP.
To reference pages and resources (images, CSS, etc.) you can use either relative paths, virtual paths or absolute paths.
A relative path shows the relation between the items, for example:
An image in the same folder: art.gif
An image in a subfolder: images/art.gif
An image in a parent folder: ../art.gif
An image in a parallel subfolder: ../images/art.gif
A virtual path starts with "/", so it's relative to the root folder of the site:
An image in the root folder: /art.gif
An image in a subfolder: /images/art.gif
An absolute path specifies the complete URL to the resource:
An image in a subfolder: http://www.mysite.com/images/art.gif
To put the pages on the net, you need some kind of hosting. You can start with searching the web for "free hosting" and you will find plenty of sites where you can try this out.
Most free hosting offer a subdomain or subfolder for your site, like mypage.thewebhost.com or www.thewebhost.com/mypage. If you want your own domain like www.mypage.com you need to register it for a fee. Many hosts offer a domain name "for free" when you buy web space, but you will of course end up paying for it in the end as it's included in the fee for the space.
Regardless of how you create the page, it will use HTML in the end. That's what the web is made of. If you use a server side language like ASP.NET or PHP, they still output HTML pages for the browser.
This is a great site if you're just getting started with HTML: http://www.w3schools.com/
I think you are asking about how to publish your site on the web and then access it.
Buy a domain, go to any domain hosting site like godaddy.com etc.
After buying the domain, the domain hosting company will send you the details of your account/pwd
With your account pwd you can access their FTP server.
Put your current html pages on their ftp server (put them in the public folder)
Access your html pages on the web now.
Also note it will take at least a few minutes before your domain info gets published on the DNS servers, i.e. it will take a while before you can access your website (usually a few minutes)
Try giving relative URLs in the href link. For example, if you want to link index.html to page1.html in the same folder, you don't need to give the complete path of page1.html for the link. You can simply write Page 1
You can learn more about relative urls from here
You can get a free web hosting account from sites like http://110mb.com, they also provide a free sub-domain and an FTP account.
You need HTML to create webpages. There's no other option.
Hope this helps.
Google is your friend. There's tons of help for web site development. I just recently switched from HTML to PHP, but I recommend you use HTML until you are fully comfortable with it.