Access blob storage files by specific domain. (Prevent hotlinking in Azure Blob Storage)

Hi,

My application deployed on azure, and I managed all my file to blob storage.

When i created container with public permission then it accessible for all anonymous users. When i hit URL of file (blob) from different browser, then i will get that file.

In Our application we have some important file and images that we don't want to expose. When we render HTML page then in <img> tag we define src="{blob file url}" when i mention this then public file are accessible, but same URL i copied and hit to anther browser then still it is visible. My requirement is my application domain only able to access that public file in blob storage.

   

Amazon S3 which provide bucket policy where we define that for specific domain only file will accessible. see http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Restricting Access to a Specific HTTP Referrer



  • Edited by Prasad Phule Monday, February 23, 2015 12:52 PM Title changed
February 12th, 2015 8:40am

Hi Prasad,

You can set the CORS for your blob. I recommend you could refer to this blog:

http://blogs.msdn.com/b/windowsazurestorage/archive/2014/02/03/windows-azure-storage-introducing-cors.aspx

You can create the CORS rule for your blob, such as this formatic:

<CorsRule>
  <AllowedOrigins>http://www.contoso.com, http://www.fabrikam.com</AllowedOrigins>
  <AllowedMethods>PUT,GET</AllowedMethods>
  <AllowedHeaders>x-ms-meta-data*,x-ms-meta-target,x-ms-meta-source</AllowedHeaders>
  <ExposedHeaders>x-ms-meta-*</ExposedHeaders>
  <MaxAgeInSeconds>200</MaxAgeInSeconds>
</CorsRule>

Regards,

Will

Free Windows Admin Tool Kit Click here and download it now
February 12th, 2015 12:52pm

Hi Will,

My question is about "Prevent hotlinking in Azure Blob Storage".

I got this one 

http://stackoverflow.com/questions/13859599/prevent-hotlinking-in-azure-blob-storage?answertab=votes#tab-top

and http://stackoverflow.com/questions/11015947/preventing-cross-linking-to-images-on-azure-blob-storage

So, from this i thing there is no such specific configuration that azure blob provided. now SAS is the answer.

If CORS works for it can you provide me a sample application.

February 23rd, 2015 3:50pm

hi Prasad,

Thanks for your post back.

All of SAS and CORS could work, but not comprehensive.

For your requirement, " My requirement is my application domain only able to access that public file in blob storage.", If you want to stop the other domain site access your blob, you may need set the CORS for your blob. When the origin domain of the request is checked against the domains listed for the AllowedOrigins element. If the origin domain is included in the list, or all domains are allowed with the wildcard character '*', then rules evaluation proceeds. If the origin domain is not included, then the request fails. So other domain didn't access your resource. You also try the Gaurav's blog:

http://gauravmantri.com/2013/12/01/windows-azure-storage-and-cors-lets-have-some-fun/

If you access CROS resource, you also need use SAS authenticated.

However SAS means that you can grant a client limited permissions to your blobs, queues, or tables for a specified period of time and with a specified set of permissions, without having to share your account access keys. The SAS is a URI that encompasses in its query parameters all of the information necessary for authenticated access to a storage resource (http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/ ).  So if your SAS URI is available and not expired this URI could be used to other domain site. I think you can try to test it.

If I misunderstood, please let me know.

Regards,

Free Windows Admin Tool Kit Click here and download it now
February 24th, 2015 5:14am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics