July 16, 2009

How to prevent hotlinking to my images, but use them myself in my swf?

My swf uses the Loader class to load in .jpg files. For example, let's say that my swf is at www.mydomain.com/myswf.swf. One of jpgs I want to load is at www.mydomain.com/images/myimage.jpg. I use:

var loader:Loader = new Loader();
loader.load(new URLRequest("http://www.mydomain.com/images/myimage.jpg"));

...and I also have tried:

loader.load(new URLRequest("/images/myimage.jpg"));

with the same results.

Either one works fine, *until* I turn on hotlinking protection. On the Apache server hosting my site, I use a cPanel tool that changes the .htaccess file. (I can change the file directly but I have not done so yet.)

When I turn on the default hotlink protection, my swf no longer can load the jpg. No matter what URLs I put into the tool as acceptable referrers, this remains the case. I know the URLs are correct, because I can embed the jpg with html on other html pages in any domain I put in as a referrer. So in my example, I have put "http://www.mydomain.com" in as an acceptable referrer, and in http://www.mydomain.com/index.html I have the line:

<img src="http://www.mydomain.com/images/myimage.jpg" />

...and it displays the image fine on the web page.

If I check the box on the hotlink protection tool labeled "Allow direct requests (ie. entering the url to an image in your browser)", things are improved: I have partial hotlink protection, and my swf can now load the jpg. However, this means anyone else can make and deploy a swf on any domain which also can load the jpg. Also, anyone who enters the address "http://www.mydomain.com/images/myimage.jpg" will also see the jpg.

I am hoping that someone with .htaccess savvy can tell me the magic code to allow a swf on my domain to load the external jpg, but still prevent any abuses, such as for a swf on a different domain to load the jpg, or for a user to enter the address to my jpg directly into a browser to view the jpg.

FWIW here is what my htaccess file looks like, changing it to fit my example:

RewriteEngine on

<IfModule mod_suphp.c>
suPHP_ConfigPath /home/stucco33
<Files php.ini>
   order allow,deny
   deny from all
</Files>
</IfModule>

# With this line present, requests that carry no Referer at all (address bar, and
# Flash players that send none) fail the condition and are let through
RewriteCond %{HTTP_REFERER} !^$
# Requests whose Referer is a page on www.mydomain.com (with or without a path)
# also fail a condition and are let through; dots escaped so they match literally
RewriteCond %{HTTP_REFERER} !^http://www\.mydomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.mydomain\.com$ [NC]
# Only when every condition holds (non-empty, foreign Referer) is the request forbidden
RewriteRule .*\.(gif|png|bmp|swf|jpg|jpeg)$ - [F,NC]

(BTW, this was discussed quite helpfully at http://forums.adobe.com/message/2111067#2111067. That is where I got the idea to allow direct requests.)

I'd greatly appreciate any help so I don't risk disaster by blindly experimenting with htaccess on my live site.

--Matt

Correct answer

If you allow empty referrers, anyone can type the url in any browser's address bar and retrieve the asset.

Unless the people at Adobe find some way to send referrer info with the request in Mozilla browsers, I don't think you can protect your files using htaccess without requiring the user to log in -- and that might be another can of worms that might require setting up session tracking.


July 16, 2009

Here's what my .htaccess file looks like. Don't know if it makes a difference, but all the rewrite engine commands are within an IfModule tag.

<IfModule mod_rewrite.c>
RewriteEngine on

# This condition would allow access from no referrer
# Remove the hash if needed
# RewriteCond %{HTTP_REFERER} !^$

# Allow access from mydomain.com and www.mydomain.com
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]

# Allow access from mydomain.com and www.mydomain.com on port 12854
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com:12854/.*$ [NC]

# file types to control; the [F] flag is what returns 403 when every
# condition above holds (with no flags the rule matches but changes nothing)
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
</IfModule>
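The rule chain above (and the one in the question) boils down to a small allow/deny function over the Referer header. The Python below is an added example, not code from this thread or from Apache: it models the RewriteCond/RewriteRule logic with the thread's placeholder host mydomain.com and port 12854, runs it over a set of constructed requests, and shows the three things worth confirming before relying on it: which requests the `!^$` condition lets through when it is present (my reading of what cPanel's "Allow direct requests" option does), that a Referer which merely begins with the domain name (www.mydomain.com.evil.example, or mydomainXcom against an unescaped dot) is still denied because the escaped pattern requires the literal host followed by `/` or the port, and that any non-browser client can send whatever Referer it likes, so this is hotlink deterrence rather than access control.

```python
"""Model of the Referer-based hotlink rules from the thread (added example).

Host mydomain.com and port 12854 are the thread's placeholders; the request
samples below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Mirrors the two RewriteCond patterns ([NC] == re.IGNORECASE), dots escaped.
# Each regex here describes a Referer that is *allowed*; in .htaccess the same
# regexes appear negated (!) because RewriteCond lists when to forbid.
ALLOWED_REFERERS = [
    re.compile(r"^http://(www\.)?mydomain\.com/.*$", re.IGNORECASE),
    re.compile(r"^http://(www\.)?mydomain\.com:12854/.*$", re.IGNORECASE),
]

# Mirrors: RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
PROTECTED_PATH = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)


def hotlink_decision(path: str, referer: Optional[str], allow_empty_referer: bool) -> int:
    """Return the status the rule chain would produce for one request: 200 or 403.

    allow_empty_referer=True models having
        RewriteCond %{HTTP_REFERER} !^$
    present: a missing Referer then fails that condition and the [F] rule never
    fires. False models the line being removed or commented out.
    """
    if not PROTECTED_PATH.search(path):
        return 200  # the rule only covers the listed image extensions
    referer = referer or ""  # Apache expands a missing header to the empty string
    if allow_empty_referer and referer == "":
        return 200  # !^$ is false for "" -> chain aborts -> request served
    if any(p.match(referer) for p in ALLOWED_REFERERS):
        return 200  # one of the !pattern conditions is false -> served
    return 403  # every condition true -> [F]


# Constructed sample requests: (label, path, Referer header or None when absent).
SAMPLE_REQUESTS: List[Tuple[str, str, Optional[str]]] = [
    ("img tag on own page", "/images/myimage.jpg", "http://www.mydomain.com/index.html"),
    ("own page, bare domain", "/images/myimage.jpg", "http://mydomain.com/gallery.html"),
    ("own page on port 12854", "/images/myimage.jpg", "http://mydomain.com:12854/index.html"),
    ("foreign page hotlinking", "/images/myimage.jpg", "http://other.example/page.html"),
    ("look-alike host", "/images/myimage.jpg", "http://www.mydomain.com.evil.example/"),
    ("no Referer (address bar, or Flash in a browser that sends none)", "/images/myimage.jpg", None),
    ("forged Referer from a non-browser client", "/images/myimage.jpg", "http://www.mydomain.com/myswf.swf"),
    ("not an image: the swf itself", "/myswf.swf", "http://other.example/"),
]


def decision_matrix(allow_empty_referer: bool) -> Dict[str, int]:
    """Evaluate every sample request under one setting of the empty-Referer toggle."""
    return {label: hotlink_decision(path, ref, allow_empty_referer)
            for label, path, ref in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for toggle in (False, True):
        print(f"\nRewriteCond %{{HTTP_REFERER}} !^$ present: {toggle}")
        for label, status in decision_matrix(toggle).items():
            print(f"  {status}  {label}")
```

The "forged Referer" row returns 200 under both settings, which is the point the follow-up question is circling: the header is chosen by the client. Against a live host the same cases can be exercised with curl, whose -e/--referer option sets the Referer header, e.g. `curl -sS -o /dev/null -w '%{http_code}\n' -e 'http://www.mydomain.com/' http://www.mydomain.com/images/myimage.jpg`; a 200 there confirms that the check deters casual hotlinking only.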

July 17, 2009

Update: Flash does not send referrer information when run in Firefox. This may be the case for all Mozilla-based browsers, but I don't have time to check.

So you'll need to allow empty referrers if you want to let people use Firefox.

RewriteCond %{HTTP_REFERER} !^$

July 17, 2009

Thanks very much Raymond, that helps.

htaccess n00b that I am, I need to ask in followup: what is the consequence of allowing empty referrers? Does that allow crafty types to still be able to pull my jpgs by using their own empty referrers? Can I allow empty referrers from mydomain.com, but not allow them from anywhere else?

July 16, 2009

I think you should remove this line:

RewriteCond %{HTTP_REFERER} !^$