HotLink Protection not working


#1

This site http://www.arabiya.us/36-wedding-sparklers.html is displaying images linked from my client’s site sparklersonline.com.
In Cloudflare I have hotlink protection on for that domain… why are these images able to be displayed on that site?


#2

It doesn’t appear that they are. If you look at the page source (you’ll see an alternate address for the onerror handler) and/or right-click one of those images and choose ‘copy image address’, it gives a different address.

When I attempt to go directly to the assets I get an error as well. https://www.sparklersonline.com/media/shop/wedding-sparklers-36-inch.jpg

So likely they downloaded the images and uploaded them to a CDN of their own, but try your client’s site first in an attempt to save themselves bandwidth on stolen content, and serve their own copy only when they have to.


#3

If I inspect the very first image I see its src is the client’s site.

I also see this in the network panel.

Their onerror attribute loads an image from their domain that is 255x255. The original from the client’s site is 500x500, and that is what is being downloaded by the browser.

Could it be they are somehow spoofing the referrer?


#4

When I check my Console tab, I can see that every request to your client’s domain has the status 403 Forbidden. So there is hotlink protection; from the request header, I don’t think they are spoofing the referrer.

(screenshot: sparklers1)

Checking the Elements tab shows that the images are loaded from their gstatic.com CDN.

(screenshot: sparklers2)


#5

I also don’t see the site in the list of content sources in Chrome’s developer console (quick check before I head to work, so I could have missed it).


#6

I appreciate everyone checking! Why is it that on my computer I get the images loaded from my client’s site, but you folks get the onerror-loaded images from the evil site?

I can’t check right now, but can it be my IP in the firewall whitelist doing this?


#7

I believe that’s possible/likely if you’re seeing different behavior than we are.


#8

Yes, that was it. I removed myself from the global whitelist, reloaded that page, and the images disappeared.
Something new learned for me today!
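The thread resolves to two mechanisms working together: Referer-based hotlink protection at the edge (posts #2 to #4) and a firewall IP whitelist that is evaluated before any other security feature, so the whitelisted admin sees the original 500x500 image while everyone else triggers the thief’s onerror fallback (posts #6 to #8). The Python below is an added simulation of that decision logic, written for this thread; it is not Cloudflare’s implementation. The admin IP 203.0.113.7, the viewer IP 198.51.100.20 and the fallback CDN URL are constructed test values, and whether a request with no Referer header at all is allowed is a configurable assumption (`allow_missing_referer`), included because a page can send such a request with `<img referrerpolicy="no-referrer">`, which is the general caveat a practitioner should check against any referer-based control.

```python
"""Added example: simulate referer-based hotlink protection with a firewall IP allowlist.

Not Cloudflare's code. Hostnames, IPs and the fallback CDN URL are assumptions
chosen to mirror the thread (victim zone sparklersonline.com, hotlinking page on arabiya.us).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class EdgeConfig:
    zone: str                                   # the protected zone, e.g. sparklersonline.com
    hotlink_protection: bool = True
    # Assumption: a request that carries no Referer at all is treated as direct access and allowed.
    allow_missing_referer: bool = True
    # Firewall allowlist ("whitelist"): matching clients skip every other security check.
    ip_allowlist: set = field(default_factory=set)
    protected_extensions: tuple = (".jpg", ".jpeg", ".png", ".gif")


@dataclass
class Request:
    path: str
    client_ip: str
    referer: Optional[str] = None


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Extract the lower-cased hostname from a Referer value, or None if absent/unparseable."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def same_site(host: str, zone: str) -> bool:
    """True for the zone apex and any of its subdomains (www.sparklersonline.com)."""
    return host == zone or host.endswith("." + zone)


def decide(req: Request, cfg: EdgeConfig):
    """Return (status, reason) for an image request, in the order the edge evaluates it."""
    # 1. Firewall allowlist is checked first and short-circuits everything else (post #8).
    for entry in cfg.ip_allowlist:
        if ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(entry, strict=False):
            return 200, "ip allowlisted: all security features bypassed"
    # 2. Hotlink protection only covers image assets.
    if not cfg.hotlink_protection or not req.path.lower().endswith(cfg.protected_extensions):
        return 200, "not a protected asset"
    # 3. Referer check.
    host = referer_host(req.referer)
    if host is None:
        return (200, "no referer") if cfg.allow_missing_referer else (403, "no referer")
    if same_site(host, cfg.zone):
        return 200, "first-party referer"
    return 403, "hotlink from " + host


def rendered_image(primary_src: str, fallback_src: str, viewer_ip: str, page_url: str, cfg: EdgeConfig) -> str:
    """Mimic <img src=primary onerror="this.src=fallback"> as loaded from viewer_ip on page_url."""
    status, _ = decide(Request(urlsplit(primary_src).path, viewer_ip, page_url), cfg)
    return primary_src if status == 200 else fallback_src


def trace_thread():
    """Replay the thread's cases; returns {case: status}."""
    cfg = EdgeConfig(zone="sparklersonline.com", ip_allowlist={"203.0.113.7"})  # assumed admin IP
    img = "/media/shop/wedding-sparklers-36-inch.jpg"
    thief_page = "http://www.arabiya.us/36-wedding-sparklers.html"
    cases = {
        "forum_reader": Request(img, "198.51.100.20", thief_page),        # posts #4/#5: 403
        "admin_whitelisted": Request(img, "203.0.113.7", thief_page),     # post #6: bypass
        "first_party": Request(img, "198.51.100.20", "https://www.sparklersonline.com/"),
        # A curl with a forged Referer passes; a browser <img> cannot set Referer this way.
        "forged_referer": Request(img, "198.51.100.20", "https://www.sparklersonline.com/x"),
        # General caveat: referrerpolicy="no-referrer" sends no Referer at all.
        "no_referer": Request(img, "198.51.100.20", None),
    }
    return {name: decide(r, cfg)[0] for name, r in cases.items()}


def what_each_viewer_sees():
    """Post #6 explained: same page, different image origin depending on the viewer's IP."""
    cfg = EdgeConfig(zone="sparklersonline.com", ip_allowlist={"203.0.113.7"})
    primary = "https://www.sparklersonline.com/media/shop/wedding-sparklers-36-inch.jpg"
    fallback = "https://cdn.example.invalid/stolen-copy-255x255.jpg"   # constructed fallback URL
    page = "http://www.arabiya.us/36-wedding-sparklers.html"
    return {
        "admin": rendered_image(primary, fallback, "203.0.113.7", page, cfg),
        "reader": rendered_image(primary, fallback, "198.51.100.20", page, cfg),
    }


if __name__ == "__main__":
    print(trace_thread())
    print(what_each_viewer_sees())
```

The practical check this encodes: when verifying a hotlink rule, test from an IP that is not on the firewall allowlist (or temporarily remove yourself, as post #8 did), compare the loaded image’s dimensions or byte size against the original to tell the fallback copy apart, and decide explicitly whether referer-less requests should be allowed, since that is the one case a hotlinking page can trigger without forging anything.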