So this fix would prevent someone from parking illegal images on our servers and then pointing to them from elsewhere, but it doesn’t prevent them from uploading a malicious profile image and then writing to a security agency, including a URL like https://my-ojs-domain.org/public/site/images/username/bio_pic.png and saying “See, this site has been hacked!” As I understand it, the technique to disable “image hotlinking” would not prevent https://my-ojs-domain.org/public/site/images/username/bio_pic.png from being accessed.
Hi @kshawkin,
Because the link to the image would be followed from an email client, it would not have a referrer URL set to something within the journal’s domain, and thus the viewer would be directed elsewhere.
Regards,
Alec Smecher
Public Knowledge Project Team
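An added example (not part of the forum posts, and not OJS or PKP code) that models the Referer check described in the reply above. The function names, the `allow_empty_referer` switch and the sample requests are assumptions constructed for illustration; it shows that the emailed-link case is redirected only when requests without a Referer are denied.

```python
from urllib.parse import urlsplit

JOURNAL_HOST = "my-ojs-domain.org"  # host taken from the URL quoted in the thread

def referer_is_local(referer, host=JOURNAL_HOST):
    """True only if the Referer parses to an http(s) URL on the journal's own host."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # malformed header value, e.g. a broken IPv6 literal
        return False
    # Compare the parsed hostname exactly; a substring match would also accept
    # https://my-ojs-domain.org.elsewhere.example/ or ?x=my-ojs-domain.org
    return parts.scheme in ("http", "https") and (parts.hostname or "").lower() == host

def decide(referer, allow_empty_referer):
    """Return 'serve' or 'redirect' for a request under /public/site/images/."""
    if not referer:
        # Email clients, typed URLs and privacy tools send no Referer at all.
        return "serve" if allow_empty_referer else "redirect"
    return "serve" if referer_is_local(referer) else "redirect"

# Constructed sample requests: (description, Referer header value or None)
SAMPLES = [
    ("page on the journal site", "https://my-ojs-domain.org/index.php/journal/user/profile"),
    ("link clicked in an email client", None),
    ("third-party page embedding the image", "https://elsewhere.example/gallery.html"),
    ("look-alike host", "https://my-ojs-domain.org.elsewhere.example/"),
]

def evaluate(allow_empty_referer):
    """Map each sample description to the decision under the given policy."""
    return {desc: decide(ref, allow_empty_referer) for desc, ref in SAMPLES}

if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_empty_referer={policy}")
        for desc, outcome in evaluate(policy).items():
            print(f"  {outcome:8}  {desc}")
```

Hotlink rules that let empty-Referer requests through would still serve the image to someone following the emailed link, so check which policy the server actually applies.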
Ah, right, I see. Thanks for the quick replies!