4

I have the following code in my AWS bucket policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::staticimages.co/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://domainname.co/*",
                        "http://www.domainname.co/*"
                    ]
                }
            }
        }
    ]
}

After I put in the referer code I can't access my images via the domains that are listed there.

Any ideas on what I'm doing wrong?

thx

Also I notice people use different SID text... what is this?

Adam

1 Answer

4

I strongly recommend against using Referer as a way to control access to web images. The HTTP Referer request header is unreliable at best, since some people disable it in their browsers for privacy reasons, and others are behind firewalls that strip the header from all outgoing requests.

Of course, Referer will also be empty if someone navigates directly to one of your static images, which may not be as big of a problem. Regardless, it's not something you can rely on, and it will break the browsing experience for many visitors.

platforms
  • Is there a way to prevent other sites using images in S3? – Adam Jul 29 '13 at 08:52
  • Sorry, there's no reliable way to do that. As a practical matter, if an image is available on the web, it can be referenced on someone else's site. – platforms Jul 29 '13 at 08:57
  • No problem at all - wish I had better news for you. – platforms Jul 29 '13 at 09:01
  • 2
    You can use a CORS setting to prevent other sites from referencing your assets. I've already put an answer for it here http://stackoverflow.com/questions/39731914/s3-with-cloudflare-disallow-direct-access/41099814#41099814 – tu4n Dec 12 '16 at 11:56
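
The answer's point about missing Referer headers can be checked offline. The following is an added example, not code from the original thread or from AWS: a small Python model of how the question's `StringLike` / `aws:Referer` condition evaluates. The sample requests and function names are constructed, and it assumes anonymous requests with no other statement granting access, so an unmatched condition means the request is denied.

```python
import json
import re

# The Condition block from the question's bucket policy.
POLICY_CONDITION = json.loads("""
{"StringLike": {"aws:Referer": ["http://domainname.co/*",
                                "http://www.domainname.co/*"]}}
""")

def like(pattern, value):
    """IAM StringLike: case-sensitive; '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def referer_condition_matches(condition, headers):
    """True when the Allow statement's condition is satisfied by the request.

    With no Referer header there is no aws:Referer key in the request
    context, so StringLike is false and the Allow statement does not apply.
    """
    patterns = condition["StringLike"]["aws:Referer"]
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        return False
    return any(like(p, referer) for p in patterns)  # listed values are ORed

def evaluate(requests):
    """Map each labelled request to 'allow' or 'deny' (assumed implicit deny)."""
    return {label: "allow" if referer_condition_matches(POLICY_CONDITION, h) else "deny"
            for label, h in requests}

# Constructed sample requests (hypothetical, not taken from the page).
SAMPLE_REQUESTS = [
    ("page on listed domain", {"Referer": "http://www.domainname.co/gallery.html"}),
    ("browser with Referer disabled", {}),
    ("firewall stripped the header", {"User-Agent": "example-browser"}),
    ("image URL opened directly", {"Accept": "image/*"}),
    ("same site served over https", {"Referer": "https://www.domainname.co/gallery.html"}),
]

if __name__ == "__main__":
    for label, decision in evaluate(SAMPLE_REQUESTS).items():
        print(f"{decision:5}  {label}")
```
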