To all who have participated in this discussion, thank you very much.  With
all the feedback I received from here, we were able to come up with a cross
browser solution which worked quite well.  The challenge was to embed the
output of the  CFcontent tag with the rest of the page.  This of course is
not doable, as CFcontent explodes to the full extent of the window.

Using Frames and Layers and the cf_aebrowser custom tag we were able to
create a secure and simple solution.
Secure: because it is a cfm document and it validates user authentication
while never displaying the file name or the location.
Simple: only cfcontent and some browser check code.  Much simpler to
implement than a $40,000 server to protect content (company name will be
withheld :))

If you are interested in seeing it in action, go to:
http://www.edificium.com/imagetest/getstuff.cfm

This doesn't take into account our security framework, but it shows how it
works.

Again, thanks a lot to all who have helped out on this matter.

Nadir Ait-Laoussine
PS: I would be glad to make the code available to anyone who would like it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 02, 2000 1:02 PM
To: CF-Talk
Subject: RE: Protecting Content / content leeching... A CF method?



As anyone who's ever worked with HTTP at the protocol level (or with CFHTTP)
can tell you, the way it works is you fetch the html (or cfm) document in
question, then parse through it looking for all the img urls, then fetch them
BASED ON THEIR URL.

Thus it's impossible to protect them. You can use cfcontent with a cfm to
obscure their actual physical location. But whether the image is at
"images\bob.gif" or "images.cfm?image=bob.gif" they still retrieve the
content for display (or to save).

You could do additional cgi user agent and refer(r)er checking to stop
casual direct grabs from the browser command line, but it won't stop
anything else.

Since it's a relative url based on the wwwroot of the domain I'm not sure why
it would matter anyway unless the images are to be password protected..

--min

> The issue is not to make a document not available to someone who can see it
> but to someone who cannot see it...
>
> Case in point...  the <img src="..."> tag will let you know that a file is
> located at /a/b/file.jpg
> so you could go to the location bar and look for that image.  You could get
> tricky and try to view other files located at that location...
> /a/b/anotherfile.jpg.  For us, that is a problem.  The img tag reveals a
> little too much information.
>
> So the concern is not so much the document itself, but rather the ability to
> figure out where it is located.  It's been recommended to me to use CF
> mappings to substitute for that, problem is that CF mappings, as far as I
> know, do not work with the IMG tag, let alone the EMBED tag.
>
> So I am left with the CFCONTENT tag, problem with the content tag is that it
> takes over the entire screen.  I've tried to embed it in a layer or IFRAME,
> but it still takes over the whole window.
>
> There are a few PERL scripts out there that "mask" the path to the file.  So
> by typing www.mydomain.com/getstuff.cgi?image.jpg, the script would display
> the image but masking its location (which in reality is not a web location,
> but a physical location on the web server [c:\...]) This works well except
> that all the scripts that I have tried choke (by that I mean render only
> part of) the file, regardless of the MIME type.  I think the problem is
> that those scripts were written on UNIX, and we are on WIN2K.
>
> So that is where we are.
>
> Note that the last option (the PERL option) is still not exactly what we are
> looking for because of
> 1. security problems with CGI scripts in general
> 2. it does not work with the IMG tag.
>
> Nadir
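
The approach discussed in this thread (a script that checks authentication on every request and streams the file without exposing its name or location), as an added Python example; it is not the poster's ColdFusion code, and `serve`, `CATALOG`, the id `7f3a` and the sample file are constructed for illustration.

```python
import mimetypes
import tempfile
from pathlib import Path

# Constructed sample store: a directory outside any web root, holding one file.
# The bytes include 0x1A and CRLF, which text-mode reads on Windows mishandle.
STORE = Path(tempfile.mkdtemp(prefix="protected_"))
(STORE / "bob.gif").write_bytes(b"GIF89a\r\n\x1a\x00constructed sample bytes")

# Opaque ids handed to the browser; real file names never appear in a URL,
# so seeing one id tells the client nothing about sibling files.
CATALOG = {"7f3a": "bob.gif"}


def serve(session, file_id):
    """Return (status, headers, body) for a request such as getstuff?id=<file_id>."""
    # 1. Check authentication on every request, including direct hits typed
    #    into the location bar. Referer/user-agent checks are not a substitute.
    if not session.get("authenticated"):
        return 403, {}, b""
    # 2. Look the id up. Anything not in the catalog (a file name, "../x")
    #    is simply unknown; client input is never joined into a path.
    name = CATALOG.get(file_id)
    if name is None:
        return 404, {}, b""
    # 3. Defence in depth: the resolved path must stay inside the store.
    path = (STORE / name).resolve()
    if STORE.resolve() not in path.parents or not path.is_file():
        return 404, {}, b""
    # 4. Read in binary mode so the whole file is sent unmodified.
    body = path.read_bytes()
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        "Content-Length": str(len(body)),
        "Cache-Control": "private, no-store",
    }
    return 200, headers, body
```

As the reply above points out, an authenticated client still receives the bytes and can save them; the gateway only controls who may fetch a file and hides where it lives.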

------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.