Preventing cross-linking of stored assets

  • Question

  • I've heard some recommendations to use blob storage for static content (HTML, images, SWF files etc.) but what prevents people from cross-linking these resources into their own sites?  And if they are prevented, how could I enable them for select resources (say I want an image to be shareable on Facebook)?
    Thursday, May 31, 2012 10:48 PM

Answers

  • Unless you'd implement some form of authorization, there is barely anything preventing users from doing this - like with any other content hosting.

    With Azure Storage you can use Shared Access Signatures to manage permissions to blob storage, where you in particular can manage resource permission and lifetime. You'll need some code e.g. in your web application which creates SAS such as specific for a user and correlated session.

    However anyone gaining access to the URL (which includes the access signature) will have access to the resource, so you need to limit the lifetime to an amount suiting your situation, and for the items which should be shareable you can just set a longer lifetime.

    Friday, June 1, 2012 6:06 AM
  • Hi Tobin - to build on perpetualKid's response:

    1) A blob container can be made either public or private.  If it is public, it is readable by any client with the URL.  Write/Delete/List operations all still require the account's key.  If it is private, then even read access requires the key.

    2) To give permissions to clients beyond what is given by the above public/private setting, you can use Shared Access Signatures to provide access to a blob, container, and make that access the right time interval with the right set of permissions.

    Let us know if that doesn't answer your question.


    -Jeff

    • Marked as answer by Arwind - MSFT Wednesday, June 6, 2012 10:18 AM
    Sunday, June 3, 2012 6:39 AM
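
The lifetime trade-off discussed in the answers above, as an added example that is not part of the original thread: a simplified Python model of a signed, expiring URL. It is not Azure's actual SAS string-to-sign; the key, host, paths and the helper names `issue_url` and `check_url` are constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed demo key. A real account key stays on the server and never reaches clients.
ACCOUNT_KEY = b"constructed-demo-key-not-a-real-secret"

def _sign(path, perms, expiry):
    # Simplified string-to-sign (assumption): permissions, expiry, resource path.
    msg = f"{perms}\n{expiry}\n{path}".encode()
    mac = hmac.new(ACCOUNT_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_url(base, path, perms="r", lifetime_s=300, now=None):
    """Server side: mint a URL that grants `perms` on `path` until expiry."""
    now = int(time.time()) if now is None else now
    expiry = now + lifetime_s
    query = urlencode({"sp": perms, "se": expiry, "sig": _sign(path, perms, expiry)})
    return f"{base}{path}?{query}"

def check_url(url, wanted="r", now=None):
    """Storage side: anyone presenting a valid, unexpired URL is served."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        perms, expiry, sig = q["sp"][0], int(q["se"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return "denied: missing or malformed signature fields"
    expected = _sign(parts.path, perms, expiry)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "denied: signature mismatch"  # path, expiry or permissions were altered
    if now >= expiry:
        return "denied: expired"
    if wanted not in perms:
        return "denied: permission not granted"
    return "ok"

if __name__ == "__main__":
    base = "https://static.example.invalid"  # constructed host
    t0 = 1_000_000                            # fixed clock for a repeatable demo
    session = issue_url(base, "/images/photo.png", lifetime_s=300, now=t0)
    shared = issue_url(base, "/images/banner.png", lifetime_s=30 * 86400, now=t0)
    print(check_url(session, now=t0 + 10))     # hot-linked copy works while valid
    print(check_url(session, now=t0 + 301))    # the same copy stops working
    print(check_url(shared, now=t0 + 86400))   # long-lived link for shareable items
```

The check takes no account of who presents the URL, which is why the lifetime is the control that bounds cross-linking.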