This morning when I opened WeChat, I saw that gitee, the domestic GitHub, had crashed.
Its issue list was full of screenshots reporting that images were displaying abnormally. On closer inspection, the cause turned out to be the hotlink protection (anti-leech) of its image hosting.
Reproducing the scenario
I had never used gitee before, so I quickly created an account to try it out.
I uploaded a picture in my gitee at , and it is displayed normally on the gitee site.
I right-clicked to copy the address of this picture, pasted it into a third-party online editor, and found that the picture had turned into the gitee logo.
What is hotlink protection (anti-leech)?
The Chinese term 防盗链 does not mean "anti-theft chain" (防盗 链); the correct parsing is 防 盗链, "prevent link-theft": stopping other sites from stealing, or hotlinking, my links.
I uploaded the picture to gitee's server, got the image link, and then used that link in a third-party editor. That is the "theft": the image consumes gitee's server resources (storage and bandwidth), but it is the third-party editor that benefits; gitee gains nothing and pays the cost.
How hotlink protection is implemented
To implement hotlink protection, the server needs to know where the request for the image is coming from. Two request headers can serve this purpose: origin and referer. origin is only carried on XHR requests, so for image resources only referer can be used. That is, in fact, exactly what gitee does.
gitee checks the referer of each request; if the source of the request is not its own site, it returns a 302 redirecting to the gitee logo. So when a third-party website references a gitee resource, what ends up displayed is gitee's logo.
You can watch the process in the browser's developer tools when a third-party website requests a gitee image:
- The first request is for the normal picture, but instead of a 200 it receives a 302 redirect, whose location response header is the address to redirect to;
- The browser then automatically requests that location and uses the result in place of the first request's response;
Finally, on the third-party website our picture has become the gitee logo.
How to get around the hotlink protection
If you don't want gitee to notice the hotlinking, you must not let it see that the request comes from a third party; just hide the referer. You can try this code in the terminal:
curl 'https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg' \
-o noReferer.jpg
The meaning of this 👆 code is to request this jpg image and save the result in the current directory under the name noReferer.jpg. With no referer at all, the test result is that the image is saved normally.
Likewise, if you add gitee's own site as the referer, the request succeeds👇:
curl 'https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg' \
-H 'referer: https://gitee.com' \
-o fromGitee.jpg
And a request coming from a third-party website looks like this 👇:
curl 'https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg' \
-H 'referer: https://editor.mdnice.com/' \
-o otherReferer.png
Carrying the identity of the third-party website https://editor.mdnice.com, it cannot be downloaded normally.
Is gitee not doing well enough?
After testing the three commands above, you may be puzzled: why doesn't gitee change the policy from "the request source must not be a third-party website" to "the request source must be this site"? In other words, why not require that the referer is non-empty, and redirect whenever it is empty?
Because when the image URL is typed directly into the browser's address bar and Enter is pressed, the request that is sent has no referer field at all. Returning the gitee logo in that scenario would be unreasonable.
URL of the image: https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg
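To make the mechanism from "How hotlink protection is implemented" and the empty-referer question above concrete, here is an added example (written for this article, not gitee's code) of a minimal image server that applies the same policy: no referer is allowed, a referer whose host is the site itself or one of its subdomains is allowed, and anything else gets a 302 to the logo. The allow-list, the logo URL and the image bytes are constructed placeholders. The check is done on the parsed hostname rather than a substring match, so a look-alike host such as gitee.com.attacker.example (constructed) is not mistaken for gitee's own site. The demo then replays the three curl cases against the server in-process.

```python
"""Referer-based hotlink protection, modelled on the gitee behaviour described
in the post.  Added example, not gitee's code: ALLOWED_HOSTS, LOGO_URL and the
image payload are constructed placeholders."""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"gitee.com"}                          # assumed allow-list
LOGO_URL = "https://example.invalid/gitee-logo.png"    # placeholder redirect target
IMAGE_BYTES = b"\xff\xd8\xff\xe0constructed-jpeg-stub"  # fake JPEG payload


def referer_decision(referer):
    """Return 'allow' or 'redirect' for a Referer header value (None if absent).

    Policy: a missing/empty Referer is allowed (address-bar navigation sends
    none); a Referer whose *host* is the site or one of its subdomains is
    allowed; any other host, or an unparsable value, is redirected.
    Matching the parsed host, not a substring, means
    'https://gitee.com.attacker.example/' and 'https://gitee.com@evil.example/'
    are both foreign."""
    if not referer:
        return "allow"
    host = urlsplit(referer).hostname  # already lower-cased; None if no host
    if host is None:
        return "redirect"
    for allowed in ALLOWED_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return "allow"
    return "redirect"


class ImageHandler(BaseHTTPRequestHandler):
    """Serves the image, or a 302 to the logo, depending on the Referer."""

    def do_GET(self):
        if referer_decision(self.headers.get("Referer")) == "redirect":
            self.send_response(302)
            self.send_header("Location", LOGO_URL)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.send_header("Content-Length", str(len(IMAGE_BYTES)))
        self.end_headers()
        self.wfile.write(IMAGE_BYTES)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch_status(port, referer=None):
    """Equivalent of the curl commands: GET the image with an optional Referer.
    http.client never follows redirects, so a 302 is returned as-is.
    Returns (status, Location header or None)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Referer": referer} if referer is not None else {}
    try:
        conn.request("GET", "/uploads/test.jpeg", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def run_demo():
    """Start the server on a loopback port and replay the request scenarios."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ImageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "no referer": fetch_status(port),
            "from gitee": fetch_status(port, "https://gitee.com/"),
            "from subdomain": fetch_status(port, "https://images.gitee.com/x.jpeg"),
            "from third party": fetch_status(port, "https://editor.mdnice.com/"),
            "lookalike host": fetch_status(port, "https://gitee.com.attacker.example/"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for scenario, (status, location) in run_demo().items():
        print(f"{scenario:16s} -> {status} {location or ''}")
```

The "no referer" and "from gitee" cases come back 200 with the image, while the third-party and look-alike cases come back 302 with the logo in Location, which is exactly the behaviour the three curl commands above observe.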
I can't see the picture, what should I do now?
If you use a lot of gitee pictures in your personal blog, you can add this line to the head section of the HTML
<meta name="referrer" content="no-referrer" />
or, per image (the standard attribute is referrerpolicy; its value can be no-referrer, origin or unsafe-url)
<img referrerpolicy="no-referrer" src="{item.src}" />
so that the request does not carry your site's origin and get redirected to the gitee logo.
If you are a visitor to the blog, you can use the Chrome extension ModHeader to "erase" the referer.
This way, third-party sites display normally.
Epilogue
The workarounds above are half in jest, though they are fine for restoring things temporarily. The most reliable fix, however, is to gradually migrate the images to your own server.
If you found this article helpful, please give it a like ~ it means a lot to me.