Access blob storage files by specific domain. (Prevent hotlinking in Azure Blob Storage)

  • Question

  • Hi,

    My application is deployed on Azure, and I manage all my files in blob storage.

    When I created a container with public permission, it became accessible to all anonymous users. When I hit the URL of a file (blob) from a different browser, I get that file.

    In our application we have some important files and images that we don't want to expose. When we render an HTML page, in the <img> tag we define src="{blob file url}"; when I do this the public file is accessible, but if I copy the same URL and hit it in another browser it is still visible. My requirement is that only my application domain should be able to access that public file in blob storage.


    Amazon S3 provides a bucket policy where we can define that a file will be accessible only for a specific domain. See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

    Restricting Access to a Specific HTTP Referrer



    • Edited by Prasad Phule Monday, February 23, 2015 12:52 PM Title changed
    Thursday, February 12, 2015 5:40 AM

Answers

  • hi Prasad,

    Thanks for your post back.

    Both SAS and CORS could work, but neither is comprehensive.

    For your requirement, "My requirement is that only my application domain should be able to access that public file in blob storage.", if you want to stop other domain sites from accessing your blob, you may need to set CORS for your blob. The origin domain of the request is checked against the domains listed for the AllowedOrigins element. If the origin domain is included in the list, or all domains are allowed with the wildcard character '*', then rule evaluation proceeds. If the origin domain is not included, then the request fails. So other domains cannot access your resource. You can also try Gaurav's blog:

    http://gauravmantri.com/2013/12/01/windows-azure-storage-and-cors-lets-have-some-fun/

    If you access a CORS resource, you also need to use SAS authentication.

    However, SAS means that you can grant a client limited permissions to your blobs, queues, or tables for a specified period of time and with a specified set of permissions, without having to share your account access keys. The SAS is a URI that encompasses in its query parameters all of the information necessary for authenticated access to a storage resource (http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/). So if your SAS URI is available and not expired, this URI could be used by another domain site. I think you can try to test it.

    If I misunderstood, please let me know.

    Regards,

    Will





    Tuesday, February 24, 2015 2:14 AM
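    To make the answer's point about SAS concrete, here is an added example (not code from the thread or from the Azure SDK) that builds a read-only blob SAS URL and then models the two checks the storage service performs on it: recomputing the HMAC-SHA256 signature over the service SAS string-to-sign, and enforcing the start/expiry window. The account name, key and blob names are constructed; the string-to-sign layout is the one for service SAS version 2015-04-05, and the verifier is an assumption-level model of the service rather than its actual code. Note what the verifier never looks at: the Referer or Origin of the request, which is exactly why an unexpired SAS URL copied into another site keeps working.

```python
import base64
import hashlib
import hmac
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (hypothetical account). A real key is the 64-byte
# base64 string from the portal and must never be embedded in client-side code.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2015-04-05"  # service SAS version whose string-to-sign is modelled here
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(account, container, blob, permissions, start, expiry):
    # Service SAS string-to-sign for version 2015-04-05, one field per line:
    # sp, st, se, canonicalized resource, si, sip, spr, sv, rscc, rscd, rsce, rscl, rsct.
    # Unused optional fields stay empty, but their newline separators must remain.
    canonical = "/blob/%s/%s/%s" % (account, container, blob)
    fields = [permissions, start, expiry, canonical, "", "", "", SAS_VERSION, "", "", "", "", ""]
    return "\n".join(fields)


def _sign(key_b64, string_to_sign):
    # Signature = Base64(HMAC-SHA256(Base64Decode(account key), UTF8(string-to-sign)))
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_read_sas_url(account, key_b64, container, blob, expiry, start=""):
    """Build a read-only (sp=r) blob URL that is valid only inside [start, expiry)."""
    sig = _sign(key_b64, _string_to_sign(account, container, blob, "r", start, expiry))
    params = {"sv": SAS_VERSION, "sr": "b", "sp": "r", "se": expiry, "sig": sig}
    if start:
        params["st"] = start
    return "https://%s.blob.core.windows.net/%s/%s?%s" % (account, container, blob, urlencode(params))


def verify_sas_url(url, key_b64, now_utc):
    """Model of what the service checks: signature integrity and the time window.
    Deliberately absent, because the service does not check them either: the
    Referer and Origin headers. The same URL is accepted from any site until expiry."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    account = parts.netloc.split(".")[0]
    container, _, blob = parts.path.lstrip("/").partition("/")
    expiry = query.get("se")
    if not expiry:
        return False  # every SAS must carry an expiry
    expected = _sign(key_b64, _string_to_sign(account, container, blob,
                                              query.get("sp", ""), query.get("st", ""), expiry))
    if not hmac.compare_digest(expected, query.get("sig", "")):
        return False  # tampered path/parameters or wrong key
    now = datetime.strptime(now_utc, TIME_FMT)
    if now >= datetime.strptime(expiry, TIME_FMT):
        return False  # expired: the only thing that stops a leaked URL
    if query.get("st") and now < datetime.strptime(query["st"], TIME_FMT):
        return False  # not yet valid
    return True


if __name__ == "__main__":
    url = make_read_sas_url(ACCOUNT, ACCOUNT_KEY, "images", "logo.png",
                            expiry="2015-02-24T03:00:00Z", start="2015-02-24T02:00:00Z")
    print(url)
    print("inside window:", verify_sas_url(url, ACCOUNT_KEY, "2015-02-24T02:30:00Z"))
    print("after expiry: ", verify_sas_url(url, ACCOUNT_KEY, "2015-02-24T03:00:00Z"))
```

    The practical consequence for the hotlinking question is the short expiry: issue the SAS from your own server at page-render time with a window of minutes, so a copied URL stops working quickly, and never hand the account key to the browser.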

All replies

  • Hi Prasad,

    You can set CORS for your blob. I recommend you refer to this blog:

    http://blogs.msdn.com/b/windowsazurestorage/archive/2014/02/03/windows-azure-storage-introducing-cors.aspx

    You can create the CORS rule for your blob in this format:

    <CorsRule>
      <AllowedOrigins>http://www.contoso.com, http://www.fabrikam.com</AllowedOrigins>
      <AllowedMethods>PUT,GET</AllowedMethods>
      <AllowedHeaders>x-ms-meta-data*,x-ms-meta-target,x-ms-meta-source</AllowedHeaders>
      <ExposedHeaders>x-ms-meta-*</ExposedHeaders>
      <MaxAgeInSeconds>200</MaxAgeInSeconds>
    </CorsRule>

    Regards,

    Will



    • Marked as answer by Prasad Phule Tuesday, February 17, 2015 11:00 AM
    • Unmarked as answer by Prasad Phule Monday, February 23, 2015 11:38 AM
    Thursday, February 12, 2015 9:52 AM
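    As an added illustration (not code from the post, the linked blog, or the Azure service itself), the following parses the CorsRule shown above and models how a preflight request is evaluated against it: the Origin must be listed (or the rule must use '*'), the method must be in AllowedMethods, and every requested header must match AllowedHeaders, where a trailing '*' is a prefix wildcard. Everything else is an assumption about the service's behaviour, including the exact response headers returned. The defender's caveat built into the comments: CORS is enforced by the browser only for scripted cross-origin requests (XMLHttpRequest/fetch), so a plain <img src="…"> or a URL pasted into the address bar never goes through this check, which is why a CORS rule alone does not prevent hotlinking.

```python
import xml.etree.ElementTree as ET

# Copy of the rule from the post above, embedded here so the example runs offline.
CORS_RULE_XML = """<CorsRule>
  <AllowedOrigins>http://www.contoso.com, http://www.fabrikam.com</AllowedOrigins>
  <AllowedMethods>PUT,GET</AllowedMethods>
  <AllowedHeaders>x-ms-meta-data*,x-ms-meta-target,x-ms-meta-source</AllowedHeaders>
  <ExposedHeaders>x-ms-meta-*</ExposedHeaders>
  <MaxAgeInSeconds>200</MaxAgeInSeconds>
</CorsRule>"""


def parse_cors_rule(xml_text):
    """Turn one CorsRule element into a dict of normalised lists."""
    root = ET.fromstring(xml_text)

    def split(tag):
        return [s.strip() for s in root.findtext(tag, "").split(",") if s.strip()]

    return {
        "origins": split("AllowedOrigins"),
        "methods": [m.upper() for m in split("AllowedMethods")],
        "headers": [h.lower() for h in split("AllowedHeaders")],
        "exposed": split("ExposedHeaders"),
        "max_age": int(root.findtext("MaxAgeInSeconds", "0")),
    }


def _header_allowed(header, patterns):
    # Header matching is case-insensitive; "*" allows anything and a trailing
    # "*" is a prefix wildcard (so x-ms-meta-data* covers x-ms-meta-data-foo).
    h = header.lower()
    for p in patterns:
        if p == "*":
            return True
        if p.endswith("*") and h.startswith(p[:-1]):
            return True
        if h == p:
            return True
    return False


def evaluate_preflight(rule, origin, method, request_headers=()):
    """Model of the rule evaluation described in the thread for an OPTIONS preflight.

    Returns the CORS response headers the service would emit on a match, or None
    when the request fails the rule. This check only ever happens for scripted
    cross-origin requests; <img src> and direct navigation send no preflight and
    are not blocked by it (assumption-level model, not the service's own code).
    """
    origins = [o.lower() for o in rule["origins"]]
    if "*" not in origins and origin.lower() not in origins:
        return None  # origin not listed: request fails
    if method.upper() not in rule["methods"]:
        return None
    if not all(_header_allowed(h, rule["headers"]) for h in request_headers):
        return None
    return {
        "Access-Control-Allow-Origin": "*" if "*" in origins else origin,
        "Access-Control-Allow-Methods": method.upper(),
        "Access-Control-Allow-Headers": ",".join(request_headers),
        "Access-Control-Max-Age": str(rule["max_age"]),
    }


if __name__ == "__main__":
    rule = parse_cors_rule(CORS_RULE_XML)
    print(evaluate_preflight(rule, "http://www.contoso.com", "GET"))
    print(evaluate_preflight(rule, "http://other.example", "GET"))  # None: not an allowed origin
```

    Browsers send the Origin header on every cross-origin fetch, so the origin check above is reliable for script-driven access; it is not a substitute for a Referer-style hotlink policy because embedded images and direct links never reach it.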
  • Hi Will,

    My question is about "Prevent hotlinking in Azure Blob Storage".

    I got this one 

    http://stackoverflow.com/questions/13859599/prevent-hotlinking-in-azure-blob-storage?answertab=votes#tab-top

    and http://stackoverflow.com/questions/11015947/preventing-cross-linking-to-images-on-azure-blob-storage

    So, from this I think there is no such specific configuration that Azure Blob provides. Now SAS is the answer.

    If CORS works for it, can you provide me a sample application?

    Monday, February 23, 2015 12:50 PM