
I have a problem blocking files from being accessed from domains other than my own.

I have added the following to my lighty config in the "virtual host":

$HTTP["referer"] !~ "^($|http://www\.my-site\.net)" {
    url.access-deny = ( "" )
}

But the site www.example.com can still access http://player.my-site.net/player.swf, and it can also be accessed directly without a referrer.

Any idea?

//EDIT

Here is my old Apache .htaccess with a rewrite rule that works perfectly, but I don't know how to convert it for lighty:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^http://my-site\.net/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.my-site\.net/ [NC]
RewriteCond %{HTTP_REFERER} !^http://player\.my-site\.net/ [NC]
RewriteCond %{HTTP_REFERER} !^http://stream\.my-site\.net/ [NC]
RewriteRule .* - [L,R=404]
Chris

1 Answer

I think you're misunderstanding how browsers behave in the presence of hotlinked resources. Consider the following two scenarios:

  1. A user loads up example.com, which has hotlinked to a Flash resource on my-site.net. The user's browser makes two separate requests – one to example.com to retrieve the page, and one to my-site.net to retrieve the hotlinked resource.

  2. A user loads up my-site.net, which has linked to a Flash resource on my-site.net. The user's browser makes two separate requests – one to my-site.net to retrieve the page, and one to my-site.net to retrieve the hotlinked resource.

From my-site.net's perspective, the second request in scenario 1 could be identical to that in scenario 2. They both come from the user's browser, and they both request the same resource. Often, browsers will send a Referer header, but they are absolutely not required to do so. Hotlink prevention based on the Referer header, while generally functional, is not foolproof.

If hotlink prevention is really, really important to you, you should consider a script-based solution – search for "hotlink prevention" on your favorite search engine, and I guarantee you'll find a whole bunch of them.
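
The following is an added example, not part of the original question or answer: it evaluates the question's lighttpd pattern and its four Apache conditions against constructed Referer values to show where they disagree. `LIGHTY_CONVERTED` is an assumed single-regex equivalent of the Apache conditions, and the sketch assumes Python's `re` behaves like the servers' regex engines for these simple patterns.

```python
import re

# Pattern from the question's lighttpd rule: deny when the Referer does NOT match.
LIGHTY_ORIGINAL = re.compile(r"^($|http://www\.my-site\.net)")

# The four RewriteCond patterns from the question's .htaccess ([NC] = ignore case).
APACHE_CONDS = [re.compile(p, re.I) for p in (
    r"^http://my-site\.net/",
    r"^http://www\.my-site\.net/",
    r"^http://player\.my-site\.net/",
    r"^http://stream\.my-site\.net/",
)]

# Assumed equivalent of the four conditions as one pattern, for use as:
#   $HTTP["referer"] !~ "<pattern>" { url.access-deny = ( "" ) }
LIGHTY_CONVERTED = re.compile(r"(?i)^http://((www|player|stream)\.)?my-site\.net/")


def denied_by_original(referer: str) -> bool:
    return LIGHTY_ORIGINAL.search(referer) is None


def denied_by_apache(referer: str) -> bool:
    # RewriteCond lines are ANDed: the rule fires only if no allowed prefix matches.
    return all(c.search(referer) is None for c in APACHE_CONDS)


def denied_by_converted(referer: str) -> bool:
    return LIGHTY_CONVERTED.search(referer) is None


# Constructed Referer values; "" stands for a request with no Referer header.
SAMPLES = [
    "",
    "http://www.my-site.net/index.html",
    "http://player.my-site.net/embed.html",
    "HTTP://Stream.My-Site.net/live",
    "http://www.example.com/page.html",
    "http://www.my-site.net.example.com/page.html",  # no "/" after the host
]


def compare() -> dict:
    """Map each sample to (original, apache, converted) deny decisions."""
    return {r: (denied_by_original(r), denied_by_apache(r), denied_by_converted(r))
            for r in SAMPLES}


if __name__ == "__main__":
    for referer, row in compare().items():
        print(f"{referer!r:50} original={row[0]} apache={row[1]} converted={row[2]}")
```

The question's pattern allows an empty Referer through its `$` alternative, which is why direct access succeeds, while the Apache conditions and the converted pattern deny it. Note that `url.access-deny` answers with 403 rather than the 404 the rewrite rule returned.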