0

Say I have my file stored at (real credentials removed):

https://mystorageaccount.blob.core.windows.net/mycontainer/thumbnails/1234567890/thumbnail.jpg

A) This file is currently downloadable if I simply browse to it - I really don't think that should be possible.

B) I want to render this in my app without allowing the user to see the URL.

I am using PHP on the backend. Is there some method wherein I download the image to the server and render it from there? Is that efficient?

Any thoughts appreciated.

D'Arcy Rail-Ip
  • To `A)` that's how it works. You can download everything you can see. To `B)` but then the user can just right-click and save image as or just do a screenshot of the page?! Everything that is passed to the browser (client) is no longer under your control. – JustOnUnderMillions Apr 20 '17 at 15:56
  • I don't mind that they save the image at all. I just don't want to reveal the storage structure of our images. – D'Arcy Rail-Ip Apr 20 '17 at 15:57
  • OK, then parse the image directly with PHP, read more here: http://stackoverflow.com/a/1851856/4916265 Download the file with `file_get_contents('http://')` to a local place and output it with the method in the link. The real file called from the user's browser can be something like `getImage.php?id=refertotherealurl` – JustOnUnderMillions Apr 20 '17 at 15:58
  • Write a script and put it in your `src=` attribute instead of the image's URL, e.g. `src="getimg.php?id=1234567890"`, then serve the real image from that script – RiggsFolly Apr 20 '17 at 16:01
  • base64 encode the image and use something like `src="data:image/jpeg;base64,....` – gabe3886 Apr 20 '17 at 16:14

1 Answer

1

These are the options you have:

  1. Make the blobs/container public and embed with the public URL
  2. Generate a temporary SAS token for the blob and embed with URL + SAS token
  3. Download the blob from your backend with a storage key and stream it through it to the client

With option 1 the file must be publicly accessible, which I guess you don't want.

That leaves options 2 and 3.

If you are okay with revealing the URL, but only giving the user temporary access to the file, option 2 can be a good one.

Otherwise you only have option 3.

The good side of options 1 and 2 is that the blob download happens from Storage to user directly, and your app doesn't have to spend time/bandwidth on streaming files.

juunas
  • 1
    I would go for option 2, just generate a short-lived SAS token. The URL will be visible, but it will expire soon. Disadvantage of option 3 is that, at scale, it will impact the way you have to scale your webapp because you don't offload the traffic to the storage account. This might lead to an expensive situation :) – Niels Apr 21 '17 at 08:29
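
A sketch of option 3 from the answer, as an added example that is not code from any of the posters: a `getimg.php` script that accepts only a numeric id, builds the blob name on the server, and streams the blob from a container whose public access is turned off. It assumes the `microsoft/azure-storage-blob` Composer package and a connection string in the `AZURE_STORAGE_CONNECTION_STRING` environment variable; the script name, the id format and the `blobNameForId` helper are illustrative.

```php
<?php
// Added example. Called as getimg.php?id=1234567890 from an <img src="..."> attribute.
// Assumptions: microsoft/azure-storage-blob is installed via Composer, the connection
// string lives in an environment variable, and the container is private.
require __DIR__ . '/vendor/autoload.php';

use MicrosoftAzure\Storage\Blob\BlobRestProxy;
use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;

const CONTAINER = 'mycontainer'; // container name taken from the question

// Hypothetical helper: map the public id to a blob name. Only digits are accepted,
// so the caller can never supply a path, a URL, or another container.
function blobNameForId($id): ?string
{
    if (!is_string($id) || !preg_match('/\A[0-9]{1,20}\z/', $id)) {
        return null;
    }
    return "thumbnails/{$id}/thumbnail.jpg";
}

$blobName = blobNameForId($_GET['id'] ?? null);
if ($blobName === null) {
    http_response_code(400);
    exit;
}
// Place the application's own session/authorization check here, before storage is touched.

try {
    $client = BlobRestProxy::createBlobService(getenv('AZURE_STORAGE_CONNECTION_STRING'));
    $blob   = $client->getBlob(CONTAINER, $blobName);
} catch (ServiceException $e) {
    // Do not echo $e->getMessage(): it can include the account name and blob path.
    http_response_code($e->getCode() === 404 ? 404 : 502);
    exit;
}

header('Content-Type: image/jpeg');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, max-age=300');
header('Content-Length: ' . $blob->getProperties()->getContentLength());
fpassthru($blob->getContentStream()); // stream to the client without buffering the whole file
```

The id is deliberately an opaque identifier rather than the real URL: if the script fetched whatever URL it was handed, it would expose both the storage layout and the server's ability to make outbound requests.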