Early this morning, I opened WeChat and saw that Gitee, a Chinese GitHub, had crashed.

The issue list is full of reports of images failing to display. On closer inspection, the cause turns out to be hotlink protection on the image host.

Reproducing the scenario

Having never used Gitee before, I quickly set up an account to test it out.

I uploaded an image to my Gitee repository, and it displays normally on the Gitee site.

Right-click to copy the image address, paste it into a third-party online editor, and the image turns into Gitee's logo.

What is hotlink protection

"Anti-theft chain" is a literal rendering of the term for hotlink protection; the sense is "anti-theft" applied to "links": preventing other sites from stealing my links.

I uploaded the image to Gitee's server, got a link to it, and then used that link in a third-party editor. That counts as "stealing": the image consumes Gitee's server resources and bandwidth while serving a third-party editor, which brings Gitee no benefit and costs it money.

How hotlink protection is implemented

To implement hotlink protection, the server needs to know where the image request comes from. The Origin and Referer request headers carry that information. Origin is only sent on XHR requests, so for image resources the server has to rely on Referer. That is exactly what Gitee does.

The server checks the request's Referer; if the request does not originate from the Gitee site, it responds with a 302 that redirects to Gitee's logo. The result is that every Gitee image referenced on a third-party website turns into the logo.

In the browser's developer tools you can see what happens when a third-party website requests a Gitee image:

  1. The first request for the image does not return 200 but a 302 redirect; the Location response header holds the address the browser is sent to.
  2. The browser then automatically requests that Location, and its result replaces what the first request returned.

So on the third-party site, our image ends up as the Gitee logo.
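As an added illustration (not Gitee's own code, whose exact rules are not public), here is the Referer check the post describes, written in Python: a request with no Referer is served (the address-bar case), a Referer from gitee.com or one of its subdomains is served, and anything else gets a 302 to the logo. The logo URL and the allowed host set are assumed placeholder values, and the allow_empty_referer switch models the stricter "Referer must not be empty" policy the post considers and rejects.

```python
from urllib.parse import urlsplit

# Constructed placeholder values for this example; not Gitee's real configuration.
LOGO_URL = "https://gitee.com/static/logo-placeholder.png"
ALLOWED_HOSTS = {"gitee.com"}


def referer_host(referer):
    """Return the lowercase host of a Referer value, or None if it cannot be parsed."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_same_site(host, allowed=ALLOWED_HOSTS):
    """True if host is an allowed site or one of its subdomains.

    Exact match or dot-suffix match avoids the classic prefix bug where
    'gitee.com.attacker.example' would pass a naive startswith() check.
    """
    return any(host == a or host.endswith("." + a) for a in allowed)


def decide(headers, allow_empty_referer=True):
    """Decide how an image request is answered.

    headers: dict of request headers (names compared case-insensitively,
             so both 'referer' as curl -H sends it and 'Referer' work).
    Returns (200, None) to serve the image, or (302, LOGO_URL) to redirect
    to the logo, which is what the post observes for third-party sites.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not referer:
        # A URL typed into the address bar (or curl without -H) sends no Referer.
        return (200, None) if allow_empty_referer else (302, LOGO_URL)
    host = referer_host(referer)
    if host and is_same_site(host):
        return (200, None)
    return (302, LOGO_URL)
```

With the default policy the three curl cases from the post give 200, 200 and 302 respectively; with allow_empty_referer=False the first case is also redirected, which is why that stricter policy is not used.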

How to bypass hotlink protection

For Gitee not to notice the "stealing", it must be unable to tell that the request came from a third party. Simply hide the Referer. Try this in a terminal:

# no Referer header is sent at all
curl 'https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg' \
 -o noReferer.jpg

This 👆 command requests the JPEG, saves the result as noReferer.jpg in the current directory, and sends no Referer header. The image is saved normally.

Likewise, sending the Gitee site itself as the Referer also succeeds 👇:

# Referer points at the Gitee site, so the request passes the check
curl 'https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg' \
 -H 'referer: https://gitee.com' \
 -o fromGitee.jpg

A request from a third-party site behaves like this 👇:

# Referer is a third-party site; the response is a 302 redirect, not the image
curl 'https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg' \
  -H 'referer: https://editor.mdnice.com/' \
  -o otherReferer.png

With the third-party site https://editor.mdnice.com as the Referer, the image cannot be downloaded.

Is Gitee's check not strict enough

After running the three commands above, you might wonder why Gitee doesn't tighten its policy from "requests must not come from third-party sites" to "requests must come from this site", that is, require a non-empty Referer and redirect whenever it is missing.

The reason is that when the image URL is typed directly into the browser's address bar and Enter is pressed, the request carries no Referer field. Returning the Gitee logo in that scenario would be unreasonable.

The image URL: https://images.gitee.com/uploads/images/2022/0326/155444_dc9923a4_10659337.jpeg

I can't see the image. Now what

If you have a personal blog that uses a lot of Gitee images, you can add this line to the <head> section of your HTML:

<meta name="referrer" content="no-referrer" />

or

<!-- the standard attribute is referrerpolicy; values such as origin or unsafe-url
     still send a Referer and would still be redirected, so use no-referrer here -->
<img referrerpolicy="no-referrer" src="{item.src}" />

Either one stops the request from carrying your site as its source, so it is no longer redirected to the Gitee logo.

If you're a blogger, you can strip the Referer with the help of a Chrome extension called ModHeader.

That way, the images on third-party sites display normally.

Conclusion

The workarounds above are only quick hacks that serve as a temporary fix. The most reliable approach is to migrate the images to your own server over time.
