0

In my forums i allow the user to enter the image URL in the message body but user can enter any random URL(instead of image URL), which can ask user the credentials like in this SO post Prevent HTTP Basic Authentication from displaying prompt for images .

Solution given in above post is not useful for me as i am tracking the user cookie and adding crossorigin="anonymous" will not allow browser to send the cookie and without my website wont function.

Is there is any easy to implement solution available , also it would be possible if anybody let me know how Stackoverflow does it.

Community
  • 1
  • 1
Rohit
  • 761
  • 1
  • 6
  • 8
  • when you are giving a user to enter something uncontrollable there are so many hacks you can't prevent. Image urls can look like images, behave like those, but underneath exploit so many flaws. That's why you see a lot of websites that only allow to upload an image. – Olga Khylkouskaya May 02 '17 at 05:53
  • 1
    Uhm, perhaps you're misunderstanding… `crossorigin="anonymous"` means that no cookie will be sent *to the server hosting the image*. Cookies will still be sent to *your* server. – deceze May 02 '17 at 05:58
  • @deceze , could you provide the links also explains this in detail. – Rohit May 02 '17 at 06:04
  • 1
    https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes - Even purely logically speaking… the browser will send a request, including cookies, to your server; it receives HTML as response, and the HTML response contains an ``… there's no way this image can prevent the browser from sending cookies *to you first*. – deceze May 02 '17 at 06:07
  • @deceze , how i should add this in my code ? and is there is any easy way to test this on local system i mean i have a code and on click of which it opens a basic auth popup in browser , i added `crossorigin="anonymous"` in the img tag but still on click on url it opens a popup. – Rohit May 02 '17 at 08:43

0 Answers0