
hotlinking bio images could allow for ip logging

Open Cykotiq opened this issue 3 years ago • 2 comments

Because images on user profiles are not hosted by us or proxied, a malicious streamer could track users' IP addresses by including a tracking pixel or image.

Cykotiq avatar Feb 17 '21 23:02 Cykotiq

A mini service for proxying images is the best route probably? Add protection there to ensure it's only usable via Glimesh (eg. referer checks?).

Optionally could optimise images at this point. Either lossless or into modern web standards.

LukeHandle avatar Feb 23 '21 15:02 LukeHandle

I did some prototyping of this idea on Cloudflare Workers and I think this is a viable solution.

Notes:

  • Using a separate parent domain here is "safer". It's untrusted media and there's always a risk it might impact SEO (/safe browsing etc. ?)
  • We only want to use this for embedded images - it's not a general proxy
    • Proxied content must have a Content-Type header and it must start with image/
  • We only want to allow use by Glimesh.tv (and avoid 3rd parties piggybacking on it)
    • If a Referer is set, it must be for glimesh.tv domain (optionally could add more domains/flexibility?)
    • Empty Referer is okay (eg. a user opening the URL directly)
  • Image Optimization would be "cool" but not required. We could add a Content-Length max size check?
  • We should set the Accept header of the upstream request based on the client so upstreams can serve webp when supported etc.

@clone1018 / others, please review this ^^ whether this is enough or we should protect/restrict usage more.

Pros:

  • Free plan is generous with 100,000 requests/day (peak of 1000 requests/minute). CPU/Mem limits should be irrelevant
  • We don't have to worry about security or IP leakage as it's Cloudflare requesting the resource from the proxy location
  • We technically aren't leaking the site to the upstream either (though we could optionally add a Referer if this is an issue?)
  • Cloudflare can cache responses itself
  • We could further push logging/usage data into another service if we wanted

Cons:

  • We can't optimize any images ourselves
  • Only basic metrics available by default
  • Hitting ratelimits would disable the proxy. Either could pay $5/month for 10M requests/month (bargain) or it can gracefully fall back to a service we run
  • Cloudflare IP ranges are shared and possibly might get blocked (though that seems unlikely)

Potentially (and maybe a future issue) we could instead run the proxy ourselves to benefit from image optimizations. But how important (if at all) is this?

LukeHandle avatar May 11 '21 13:05 LukeHandle
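As an added illustration of the Worker described in the comment above (example code, not Glimesh's or LukeHandle's prototype): the `?url=` parameter, the allowed Referer hosts and the 5 MiB cap are assumptions; the checks themselves are the ones listed in the notes (Referer restricted to glimesh.tv but empty allowed, upstream `Content-Type` must start with `image/`, optional `Content-Length` cap, client `Accept` forwarded upstream).

```javascript
// Added example of the Worker sketched above (not Glimesh's code); the ?url=
// parameter, allowed Referer hosts and size cap are assumptions.
const ALLOWED_REFERER_HOSTS = ['glimesh.tv', 'www.glimesh.tv']; // assumed
const MAX_BYTES = 5 * 1024 * 1024;                                // assumed cap

// Empty Referer is fine (URL opened directly); a present one must be glimesh.tv.
function refererAllowed(referer) {
  if (!referer) return true;
  try {
    return ALLOWED_REFERER_HOSTS.includes(new URL(referer).hostname);
  } catch {
    return false; // unparsable Referer: reject
  }
}

// Upstream comes from ?url=<encoded target>; only http(s) targets are accepted.
function upstreamUrl(requestUrl) {
  const target = new URL(requestUrl).searchParams.get('url');
  try {
    const u = new URL(target);
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.toString() : null;
  } catch {
    return null; // missing or unparsable target
  }
}

async function handleRequest(request, fetchFn = fetch) {
  if (!refererAllowed(request.headers.get('Referer'))) {
    return new Response('forbidden', { status: 403 });
  }
  const target = upstreamUrl(request.url);
  if (!target) return new Response('bad request', { status: 400 });
  // Forward the client's Accept so the upstream can serve webp where supported.
  const accept = request.headers.get('Accept') || 'image/*';
  const upstream = await fetchFn(target, { headers: { Accept: accept } });
  const type = (upstream.headers.get('Content-Type') || '').toLowerCase();
  if (!upstream.ok || !type.startsWith('image/')) {
    return new Response('upstream is not an image', { status: 502 });
  }
  // Content-Length cap; a missing header counts as 0 and is let through.
  if (Number(upstream.headers.get('Content-Length') || 0) > MAX_BYTES) {
    return new Response('image too large', { status: 413 });
  }
  // Relay only the bytes and their type; upstream cookies etc. are dropped.
  return new Response(upstream.body, {
    status: 200,
    headers: { 'Content-Type': type, 'X-Content-Type-Options': 'nosniff',
               'Cache-Control': 'public, max-age=86400' },
  });
}
```

On Workers this is wired up with `addEventListener('fetch', e => e.respondWith(handleRequest(e.request)))`; `fetchFn` is injectable only so the logic can be exercised offline with a stubbed fetch.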