Closed scashin133 closed 9 years ago
Hi @scashin133,
Unfortunately, imgix.js is not currently compatible with signed URLs. There is no way to securely sign images on the client-side with imgix at this time. The stripping of the s parameter is on purpose in this case.
To use imgix.js, you will need to use either an Amazon S3 Source or a Web Folder Source. Let us know if you have any more questions.
I'll close this issue once we've got things figured out for you.
Hey @kellysutton,
I want to make sure I understand correctly. The issue is that for lazy loaded images it will be changing params on the URL which would require a new s param to be generated. Generating the s param would require exposing our secret token to the web, which I agree is bad.
In our case we are not wanting any parameters to be updated if the s param is present, but understand that is probably a limited use case.
I'll explore using the web folder source.
Thanks!
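Why a changed parameter invalidates the s param, as an added example (not part of the original thread and not imgix's own code). It assumes the signature is an MD5 hex digest over token + path + query string, computed in Node on the server; the token, path and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed placeholder; a real token stays on the server and never ships to the browser.
const TOKEN = 'EXAMPLE_TOKEN_NOT_REAL';

// Assumed scheme: s = md5(token + path + "?" + query).
function digest(token, path, query) {
  const base = token + path + (query ? '?' + query : '');
  return crypto.createHash('md5').update(base).digest('hex');
}

// Server-side: build the final URL with its parameters fixed, then sign it.
function signPath(token, path, params) {
  const query = new URLSearchParams(params).toString();
  const s = digest(token, path, query);
  return path + (query ? '?' + query + '&s=' + s : '?s=' + s);
}

// Mirror of the check a signing-enforced source performs on each request.
function verify(token, signedUrl) {
  const [path, query = ''] = signedUrl.split('?');
  const parts = query.split('&').filter(Boolean);
  const sPart = parts.find((p) => p.startsWith('s='));
  if (!sPart) return false; // s stripped: request is rejected
  const rest = parts.filter((p) => p !== sPart).join('&');
  const given = Buffer.from(sPart.slice(2));
  const expected = Buffer.from(digest(token, path, rest));
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

function demo() {
  const signed = signPath(TOKEN, '/photos/a.jpg', { w: 400 });
  return {
    signed,
    asIssued: verify(TOKEN, signed),
    // A client-side library rewriting w for a lazy-loaded image, s left as-is:
    widthChanged: verify(TOKEN, signed.replace('w=400', 'w=800')),
    // The s parameter removed before the request is made:
    sStripped: verify(TOKEN, '/photos/a.jpg?w=400'),
  };
}

console.log(demo());
```

Only the URL exactly as issued verifies; any parameter rewrite needs a fresh signature, which in turn needs the token.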
@scashin133,
Yes, your summary is correct. You might be able to achieve what you're trying to do with the onParamOverride method. Play around with that to safeguard against the case you outlined above.
I'm going to close this for now, let us know if we can be of any more help!
We have another use-case for allowing secured URLs client-side.
Our preview environments on Netlify are created with dynamic hostnames, therefore we need Imgix to source images from arbitrary hostnames – therefore we have to use the Web Proxy configuration, which requires us to use secure tokens – we can't use Web Folder or Amazon S3.
In my view, this library should allow support for this feature, but make it clear to the developer it should not be used in production.
Hi @ryantownsend, thanks for your feedback. I think the solution here is to rework this library slightly so the URL building is handled by imgix-core-js. While I don't think we'll ever expose URL signing as a first-class feature of imgix.js, using imgix-core-js to handle URL building would allow us to expose a way for users to pass in arbitrary options to the underlying library, which could include the secureURLToken parameter.
It might be a while before we get around to this, but if you'd like to take a stab at it in a PR I'll be happy to review!
https://github.com/imgix/imgix.js/blob/master/dist/imgix.js#L2318
You can see the effect of this at: https://maker.me/sarahmarino. The 400 bad request from imgix is due to the s param being stripped.