---- attempt to block hot-linking actually blocks everything
andreasfriedrich - 2:45 am on Sep 28, 2002 (gmt 0)
>>If I wanted to link to the images then, couldn't I do: >>http://www.domain.tld/../images/img.png?
No - it won't work. Only pages and scripts on your server can link to directories at the same level as /web - there is no direct URL access to these files. Try it yourself and you'll see there is no need for .htaccess files to block hotlinks.
Sure enough this produces a 400 Bad Request error. The URI /../images/img.png is invalid.
then change image links from <img src="images/filename.jpg" to <img src="../images/filename.jpg"
Now I don't understand how that differs from the previous example. A User-agent will need to resolve the relative URI in the context of the document's URI the image was referenced in. This is done according to the following rules:
a) All but the last segment of the base URI's path component is copied to the buffer. In other words, any characters after the last (right-most) slash character, if any, are excluded.
b) The reference's path component is appended to the buffer string.
c) All occurrences of "./", where "." is a complete path segment, are removed from the buffer string.
d) If the buffer string ends with "." as a complete path segment, that "." is removed.
e) All occurrences of "<segment>/../", where <segment> is a complete path segment not equal to "..", are removed from the buffer string. Removal of these path segments is performed iteratively, removing the leftmost matching pattern on each iteration, until no matching pattern remains.
f) If the buffer string ends with "<segment>/..", where <segment> is a complete path segment not equal to "..", that "<segment>/.." is removed.
g) If the resulting buffer string still begins with one or more complete path segments of "..", then the reference is considered to be in error.
Now we need to recursively remove "<segment>/..". Trying, trying, trying real hard, but it won't work, since "<segment>" is "www.domain.tld" which is not a path element. Now either the UA will fail at that point or it will connect to www.domain.tld and request "/../images/filename.jpg" which is an invalid URI. Sure enough this produces a 400 Bad Request error.
BTW the cause of this error is NOT even remotely related to permissions set in the server config or the file system. There is just no way to name a resource that resides outside of the namespace which you are trying to use to name it.
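The resolution rules a) to g) quoted in the post above, written out as an added example (not part of the original post). The base paths `/index.html` and `/sub/page.html` are constructed for illustration; the function names are hypothetical.

```python
def resolve_path(base_path: str, ref_path: str) -> str:
    """Resolve a relative-path reference against an absolute base path (rules a-g)."""
    if not base_path.startswith("/"):
        raise ValueError("base path must be absolute")
    # a) copy all but the last segment of the base path (keep the last slash)
    buf = base_path[: base_path.rfind("/") + 1]
    # b) append the reference's path component
    buf += ref_path
    segs = buf.split("/")  # segs[0] is the empty string before the leading slash
    # c) remove every "./" where "." is a complete, non-final segment
    segs = [s for i, s in enumerate(segs) if not (s == "." and i < len(segs) - 1)]
    # d) a trailing "." segment is removed (the slash before it stays)
    if segs[-1] == ".":
        segs[-1] = ""
    # e) iteratively remove the leftmost "<segment>/../" with <segment> != ".."
    i = 1
    while i < len(segs) - 2:
        if segs[i] != ".." and segs[i + 1] == "..":
            del segs[i : i + 2]
            i = 1  # restart so the leftmost match is always taken
        else:
            i += 1
    # f) a trailing "<segment>/.." is removed, leaving the preceding slash
    if len(segs) >= 3 and segs[-1] == ".." and segs[-2] != "..":
        segs = segs[:-2] + [""]
    # g) leading ".." segments mean the reference points outside the URI namespace
    if len(segs) > 1 and segs[1] == "..":
        raise ValueError("reference in error: " + "/".join(segs))
    return "/".join(segs)


def is_error(base_path: str, ref_path: str) -> bool:
    """True when rule g) rejects the reference."""
    try:
        resolve_path(base_path, ref_path)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed cases: a page one level down, and a page at the server root.
    print(resolve_path("/sub/page.html", "../images/filename.jpg"))
    print(is_error("/index.html", "../images/filename.jpg"))
```

For a page at the server root there is no `<segment>` left for rule e) to pair with the `..`, so the reference is rejected before file system permissions are ever consulted.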