#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2003
    Posts
    159
    Rep Power
    31

    RewriteCond for preventing IMG Hotlinking


    Code:
    ## .htaccess file located under public_html/images
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?option9.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?my.option9.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?editor.option9.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?community.option9.com [NC]
    RewriteRule .*\.(bmp|BMP|gif|GIF|ico|ICO|jpg|JPG|jpeg|JPEG|png|PNG|swf|SWF|psd|PSD|fla|FLA)$ http://www.option9.com/copyright.png [NC,R,L]
    The above should (in theory) allow my domain and all the above sub-domains (with and without https or www) while restricting all other referring domains the ability to link to the images under this directory and any sub-directories. It works, however it is still restricting https://my.option9.com/affiliates.php from linking to images under public_html/images.
  2. #2
  3. Contributing User
  4. #3
  5. CSS & JS/DOM Adept
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jul 2004
    Location
    USA (verifiably)
    Posts
    20,127
    Rep Power
    4304
    The images on that page show up for me. And the mod_rewrite directives look fine, although it's unnecessary to include both the lowercase and uppercase versions of the extensions -- the NC flag takes care of that.
    Spreading knowledge, one newbie at a time.

    Check out my blog. | Learn CSS. | PHP includes | X/HTML Validator | CSS validator | Common CSS Mistakes | Common JS Mistakes

    Remember people spend most of their time on other people's sites (so don't violate web design conventions).
  6. #4
  7. Contributing User
    Most all the images under the subdomain "my" are located under the subdomain's image folder, however the favorite icon is not and I am attempting to display some images that will be located on my public_html/images directory which are not loading fine. You cannot see this though because you cannot see the affiliates page.

    Try visiting https://my.option9.com/register.php and see if the favorite icon matches that on http://www.option9.com/. Or you can try clicking it in the page source (Firefox ability).

    But, I didn't think of the extension case, ty for that.
  8. #5
  9. CSS & JS/DOM Adept
    Oh, right. Referring to "public_html/" doesn't help us much, because we don't know what the system folder structure for these domains is.

    I see the same favicon for all three of those pages. I also get the same copyright.png when I open it via Firefox's view source page for all three of those pages.
  10. #6
  11. Contributing User
    Right... so what is wrong with my conditions that is not allowing my subdomains to access my main domain's image folder?
  12. #7
  13. CSS & JS/DOM Adept
    I still don't see an image that should load but doesn't. You said there was a problem with one of the favicons, but I don't see that problem here.
  14. #8
  15. Contributing User
    Well you stated the issue right there in post #5. The favicon is not supposed to be copyright.png. It's supposed to be favorite.ico; however, my rewrite conditions, which are supposed to block any domains OTHER than what I have in my .htaccess from accessing my images folder, are currently blocking all domains, even my subdomains that I need to have access.
  16. #9
  17. CSS & JS/DOM Adept
    Ah. I should explain that when you open the image via the View Source page, the Referer header is not sent, so that is behaving as expected.
  18. #10
  19. Contributing User
    Well that explains that, however since you are unable to see the page I am referencing that has the img tag on it I'll replicate it on the registration page. I have inserted this code:
    Code:
    <img src="http://www.option9.com/images/banners/100x100.gif" />
    into https://my.option9.com/register.php. You would think (given my .htaccess file) that I would be allowed to see the actual image on my.option9.com instead of copyright.gif. Please let me know if my registration page is showing a 100x100 pixel image or the below copyright.gif that Mod Rewrite replaces.

  20. #11
  21. CSS & JS/DOM Adept
    I see the copyright.gif. Apparently the Referer header is not being sent for the "100x100.gif" image nor for the favicon. I'm not sure, but it may be due to that page using HTTPS.
  22. #12
  23. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,130
    Rep Power
    9398
    1. Everything on a secure page should reference images/CSS/etc. securely too.
    2. I don't know if it's a specific rule, but in general going from https->http will not bring along a referrer.
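
The behaviour worked out in posts #9 to #12, as an added example that is not part of the original thread: a Python model of the RewriteCond chain from post #1, run over constructed Referer values. `TIGHT_PATTERNS` is an assumed tightening (escaped dots, host terminator) that nobody in the thread proposed; the `.example` hosts are placeholders.

```python
import re

# Allow-list patterns as posted in post #1. mod_rewrite patterns are
# unanchored unless they anchor themselves; [NC] means ignore case.
PAGE_PATTERNS = [
    r"^http(s)?://(www\.)?option9.com",
    r"^http(s)?://(www\.)?my.option9.com",
    r"^http(s)?://(www\.)?editor.option9.com",
    r"^http(s)?://(www\.)?community.option9.com",
]
# Assumed tightening (not from the thread): dots escaped, and the host
# name must end at "/", ":" or the end of the string.
TIGHT_PATTERNS = [
    r"^https?://(www\.)?((my|editor|community)\.)?option9\.com([/:]|$)",
]
# Same extensions as the RewriteRule, matched case-insensitively.
IMAGE_RE = re.compile(r"\.(bmp|gif|ico|jpe?g|png|swf|psd|fla)$", re.I)

def decide(path, referer, patterns):
    """Return 'serve' or 'redirect' as the RewriteCond chain would.

    Each condition is negated (!pattern) and the conditions are ANDed, so
    the rule fires only when the Referer matches none of the patterns.
    A missing Referer header expands to the empty string.
    """
    if not IMAGE_RE.search(path):
        return "serve"  # the RewriteRule pattern does not apply
    referer = referer or ""
    allowed = any(re.search(p, referer, re.I) for p in patterns)
    return "serve" if allowed else "redirect"

# Constructed requests; the path is relative to images/, as in .htaccess.
IMG = "banners/100x100.gif"
CASES = {
    "http page on main site": "http://www.option9.com/",
    "image fetched over https": "https://my.option9.com/register.php",
    "https page, http image (no Referer)": None,
    "unrelated site": "http://other.example/page.html",
    "lookalike host": "http://option9.com.example/",
}

def run(patterns):
    return {name: decide(IMG, ref, patterns) for name, ref in CASES.items()}

if __name__ == "__main__":
    for label, pats in (("posted", PAGE_PATTERNS), ("tight", TIGHT_PATTERNS)):
        for name, verdict in run(pats).items():
            print(f"{label:6} {verdict:8} {name}")
```

A request that arrives with no Referer is redirected under either pattern set, which is the copyright image seen on the HTTPS registration page; when the Referer is sent, the posted allow-list already matches `my.option9.com`.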
  24. #13
  25. CSS & JS/DOM Adept
    Originally Posted by requinix
    Everything on a secure page should reference images/CSS/etc. securely too.
    Good point. IE will give that annoying and/or confusing "mixed content" warning otherwise.

    One way to solve that is to use protocol-relative URLs:
    http://paulirish.com/2010/the-protocol-relative-url/
    http://www.stevesouders.com/blog/201...uble-download/
    http://blog.httpwatch.com/2010/02/10...ttp-and-https/
    http://stackoverflow.com/questions/5...p-www-site-org
  26. #14
  27. Contributing User
    Alright then, you guys have cleared some things up then. I have simply just moved the images over to the sub-domain, but what about the favorite icon? It doesn't seem to be viewable even when hosted on the same domain. Is the <link rel="shortcut icon"> just not going to cooperate? Should I just remove the ico from the rewrite rule?