sanity-io / sanity

Sanity Studio – Rapidly configure content workspaces powered by structured content
https://www.sanity.io
MIT License

Prevent hotlinking of CDN assets #7206

Open Ojay opened 2 months ago

Ojay commented 2 months ago

Describe the bug

A very popular South Korean blog has hotlinked a few of our images, and our usage quota has subsequently gone through the roof.

To Reproduce

Copy any old CDN link to an image and paste it into your code.

Expected behavior

Ensure CDN images are only served to CORS-defined URLs, or at least provide a setting to allow/deny, which is a common feature of most CDNs.

Additional context

We're now in a situation where we're going to have to pay for resources we haven't used ourselves. I've seen other enquiries about this issue but can't find any kind of resolution anywhere. We'd really love some measures to deal with this kind of asset abuse.

Here's an example of a request from our logs...

{
  "timestamp": "2024-07-18T23:55:43.378829433Z",
  "traceId": "792b8c18091ecb456ec56e9a9a4b135e",
  "spanId": "069a748ff11ab809",
  "severityText": "INFO",
  "severityNumber": 9,
  "body": {
    "duration": 1.377,
    "insertId": "w751dff44771n",
    "method": "GET",
    "referer": "https://m.post.naver.com/viewer/postView.naver?volumeNo=38076930\u0026memberNo=64595161\u0026ecid=tgeP4tpn2NbsSt-2kLW2YWpi0rdqqeEtukBDgEqUXwc\u0026request_id=354e5dc44c09b93b",
    "remoteIp": "223.39.211.104",
    "requestSize": 664,
    "responseSize": 97421,
    "status": 200,
    "url": "https://cdn.sanity.io/images/[redacted]/production/04aab995c9423370aa9a857d6bfd6e78bf2ce0fc-1200x800.jpg",
    "userAgent": "Mozilla/5.0 (Linux; Android 14; SM-S921N Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/114.0.0.0 Whale/1.0.0.0 Crosswalk/28.114.0.21 Mobile Safari/537.36 NAVER(inapp; search; 2000; 12.6.4)"
  },
  "attributes": {
    "sanity": {
      "projectId": "[redacted]",
      "dataset": "production",
      "domain": "cdn",
      "endpoint": "images",
      "groqQueryIdentifier": "",
      "apiVersion": "",
      "tags": [],
      "studioRequest": false
    }
  },
  "resource": { "service": { "name": "Sanity.io" }, "sanity": { "type": "http_request", "version": "0.0.1" } }
}

The post in question doesn't appear to have the image displayed anywhere (it's not in the source), but these logs are from yesterday.

Thanks!
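As an added example (not code from the Sanity project or from the issue author), here is a small triage script for structured CDN request logs shaped like the entry quoted above: it groups egress by Referer origin, flags origins outside an allowlist of your own sites, and shows the per-request allow/deny decision a Referer-based hotlink-protection layer (at an edge proxy in front of the CDN, for instance) would make. The allowlist origins and the sample log entries are constructed for illustration. One caveat worth keeping in mind while reading the issue: CORS does not restrict plain `<img>` loads, so CDN hotlink protection is keyed on the Referer header, which a client can omit or forge; the script therefore treats a missing or unparseable Referer as a direct load and allows it, which is the usual default for such features.

```javascript
// Added example, not part of the Sanity project or the issue author's code.
// Triage for structured CDN request logs shaped like the entry quoted above:
// group egress by Referer origin and flag origins that are not our own sites.
// Referer allow/deny lists are what CDN "hotlink protection" features key on.
// Caveat: an absent or spoofed Referer is indistinguishable from a direct load,
// so entries with no (or an unparseable) Referer are treated as allowed here.

// Origins of our own sites (assumed values for the example).
const ALLOWED_ORIGINS = new Set(["https://www.example.com", "https://example.com"]);

// Returns the scheme://host[:port] of a Referer URL, or null if absent/unparseable.
function refererOrigin(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// The per-request decision an edge/proxy would make: serve only when the
// Referer is missing or its origin is on the allowlist.
function isAllowedReferer(referer, allowed = ALLOWED_ORIGINS) {
  const origin = refererOrigin(referer);
  return origin === null || allowed.has(origin);
}

// Aggregate CDN requests and response bytes per Referer origin, largest egress first.
// Accepts parsed objects or raw JSON strings; non-CDN entries are skipped.
function summarizeEgress(logEntries, allowed = ALLOWED_ORIGINS) {
  const byOrigin = new Map();
  for (const raw of logEntries) {
    const entry = typeof raw === "string" ? JSON.parse(raw) : raw;
    if (entry.attributes?.sanity?.domain !== "cdn") continue; // CDN traffic only
    const body = entry.body ?? {};
    const origin = refererOrigin(body.referer) ?? "(no referer)";
    const rec = byOrigin.get(origin) ?? {
      requests: 0,
      bytes: 0,
      allowed: isAllowedReferer(body.referer, allowed),
    };
    rec.requests += 1;
    rec.bytes += body.responseSize ?? 0;
    byOrigin.set(origin, rec);
  }
  return [...byOrigin.entries()]
    .map(([origin, r]) => ({ origin, ...r }))
    .sort((a, b) => b.bytes - a.bytes);
}

// Referer origins pulling our assets that are not on the allowlist.
function hotlinkers(logEntries, allowed = ALLOWED_ORIGINS) {
  return summarizeEgress(logEntries, allowed).filter((r) => !r.allowed);
}

// Constructed sample entries in the shape of the issue's log line (not real traffic).
const cdnEntry = (referer, responseSize) => ({
  body: {
    method: "GET",
    referer,
    responseSize,
    status: 200,
    url: "https://cdn.sanity.io/images/[redacted]/production/example-1200x800.jpg",
  },
  attributes: {
    sanity: { projectId: "[redacted]", dataset: "production", domain: "cdn", endpoint: "images" },
  },
});
const SAMPLE_LOG = [
  cdnEntry("https://m.post.naver.com/viewer/postView.naver?volumeNo=1", 97421),
  cdnEntry("https://m.post.naver.com/viewer/postView.naver?volumeNo=2", 51200),
  cdnEntry("https://www.example.com/blog/post", 97421),
  cdnEntry(undefined, 4096), // direct load, no Referer
  { body: { method: "GET", responseSize: 1024, status: 200 },
    attributes: { sanity: { domain: "api", endpoint: "query" } } }, // ignored: not CDN
];

console.table(summarizeEgress(SAMPLE_LOG));
console.log("hotlinking origins:", hotlinkers(SAMPLE_LOG).map((r) => r.origin));
```

Feeding a day's worth of exported log entries into `summarizeEgress` gives the bytes-per-origin table that tells you who is costing you quota; `isAllowedReferer` is the same check you would wire into a proxy rule if you put your own edge in front of the CDN URLs.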

mirshko commented 4 hours ago

+1 Here!

We're looking at Bunny.net as an alternative because of this missing feature.