I've developed a very simple page:
index.html
This index page has a Flash object that lists a few photo galleries and for each one shows an image, requested from a non-protected directory (direct and external accesses are allowed), and it works fine.
Clicking on the first gallery, it opens another page:
galleryA.html
which has another Flash object that requests images from a non-protected directory (direct and external accesses are allowed). And it works fine.
Returning back to the galleries list page and clicking on the second gallery,
galleryB.html
It has the same Flash object as above, but it requests images from a protected directory (no direct accesses are allowed, only requests from the host domain are allowed). And it seems to work fine with all browsers, but FIREFOX fails opening images.
Why does Firefox block the image loading from Flash?
The htaccess file is the following:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
RewriteRule ^(.*)$ http://www.example.com [NC,R,L]
What is wrong?
Thank you
Ale
[edited by: jdMorgan at 2:59 pm (utc) on Dec. 22, 2009]
[edit reason] example.com [/edit]
The solution is to allow blank referrers as shown in the code below.
Unfortunately, this means that any request without any referrer will be allowed, but it is the best you can do with a simple referrer-based access control.
Also, you should not redirect unwanted requests to your home page; for example, what if your .flv file is requested from a hotlink on another site, and you try to rewrite or redirect that .flv request to an HTML page? The player won't be able to render an HTML page, so this won't work.
Your best bet is to either rewrite or redirect to the same *type* of file, or to simply return a 403-Forbidden status, as shown below:
In addition, your original code would have interfered with the serving of custom error documents and other files such as sitemap.xml and robots.txt. If you use any of these files, they should be excluded from the rule as shown.
RewriteEngine on
#
# If HTTP referer is not our site and is not blank, return a 403-Forbidden response
# (exclude robots.txt, sitemap.xml, and custom error pages)
RewriteCond %{HTTP_REFERER} !^(https?://(www\.)?example\.com.*)?$ [NC]
RewriteRule !^(robots\.txt¦sitemap\.xml¦(custom-403-page¦custom-404-page¦custom410-page)\.html)$ - [F]
Any images, css, or scripts required by any of your error pages must also be excluded from the hotlink-prevention rule.
Replace all broken pipe "¦" characters above with solid pipe characters before use; posting on this forum modifies the pipe characters.
A common problem that occurs while testing anti-hotlinking code is that the test results are affected by your browser cache. If your test results seem incorrect, be sure to completely flush (delete) your browser cache between tests, or disable it while testing (but don't forget to turn it back on afterward!)
Jim
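
The two rule sets in this thread, modelled in Python so their decisions can be compared offline. This is an added example, not code from either poster: `decide`, `table` and the sample requests are constructed for illustration, and `STRICT_REFERER` is an assumed tighter pattern that does not appear in the thread.

```python
import re

# Patterns from the thread, with solid pipes and NC (case-insensitive) applied.
ORIGINAL_REFERER = re.compile(r"^http(s)?://(www\.)?example.com", re.I)
FIXED_REFERER = re.compile(r"^(https?://(www\.)?example\.com.*)?$", re.I)
# Assumption (not from the thread): the host must end right after "example.com".
STRICT_REFERER = re.compile(r"^(https?://(www\.)?example\.com(:\d+)?(/.*)?)?$", re.I)
EXCLUDED = re.compile(
    r"^(robots\.txt|sitemap\.xml|(custom-403-page|custom-404-page|custom410-page)\.html)$"
)

def decide(path, referer, referer_re, exclude_re=None):
    """Return 'serve' or 'block' for one request, the way the rule pair would.

    path is relative to the .htaccess directory (no leading slash), as
    mod_rewrite sees it in per-directory context.
    """
    if exclude_re is not None and exclude_re.search(path):
        return "serve"          # negated RewriteRule pattern did not match
    if referer_re.search(referer or ""):
        return "serve"          # RewriteCond "!pattern" is false
    return "block"              # redirect (original rule) or 403 (fixed rule)

# Constructed sample requests: (label, path, Referer header or "" when absent)
SAMPLES = [
    ("page on own site", "galleryB/1.jpg", "http://www.example.com/galleryB.html"),
    ("plugin, no Referer", "galleryB/1.jpg", ""),
    ("hotlink", "galleryB/1.jpg", "http://other.test/page.html"),
    ("lookalike host", "galleryB/1.jpg", "http://example.com.other.test/"),
    ("robots.txt fetch", "robots.txt", "http://other.test/"),
]

def table():
    rows = {}
    for label, path, ref in SAMPLES:
        rows[label] = (
            decide(path, ref, ORIGINAL_REFERER),
            decide(path, ref, FIXED_REFERER, EXCLUDED),
            decide(path, ref, STRICT_REFERER, EXCLUDED),
        )
    return rows

if __name__ == "__main__":
    for label, verdicts in table().items():
        print(f"{label:20} original={verdicts[0]:5} fixed={verdicts[1]:5} strict={verdicts[2]}")
```

The "lookalike host" row shows that both patterns from the thread accept any Referer that merely begins with the site name, because neither anchors the end of the host; the assumed strict pattern closes that gap while still allowing blank referrers.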