Can I restrict Amazon S3 Browser-Based Uploads by URL in my bucket policy -


based on: http://s3.amazonaws.com/doc/s3-example-code/post/post_sample.html

is there way limit browser based upload amazon s3 such rejected if not originate secure url (i.e. https://www.someurl.com)?

thanks!

i want absolutely guarantee post coming website

that impossible.

the web stateless , post coming "from" specific domain not valid concept, because referer: header trivial spoof, , malicious user knows this. running through ec2 server gain nothing, because tell nothing new , meaningful.

the post policy document not expires, can constrain object key prefix or exact match. how malicious user going defeat this? can't.

in client form have encrypted/hashed versions of credentials. 

no, not.

what have signature attests authorization s3 honor form post. can't feasibly reverse-engineered such policy can modified, , that's point. form has match policy, can't edited , still remain valid.

you generate signature using information known , aws; specifically, secret accompanies access key.

when s3 receives request, computes signature should have been. if it's match, privileges of specific user owning key checked see whether request authorized.

by constraining object key in policy, prevent user uploading (or overwriting) object other specific 1 authorized policy. or specific object ket prefix, in case, restrict user harm not under prefix.

if handing on policy allows object key overwritten in entire bucket, you're solving wrong problem trying to constrain posts coming "from" website.


Comments

Post a Comment

Popular posts from this blog

javascript - AngularJS custom datepicker directive -

i make custom datepicker directive custom template. but have no idea how start building it... how include date data directive? i appreciate guide or give me advice work on more precisely. it might you! follow below steps html code sample: <label>birth date</label> <input type="text" ng-model="birthdate" date-options="dateoptions" custom-datepicker/> <hr/> <pre>birthdate = {{birthdate}}</pre> <script type="text/ng-template" id="custom-datepicker.html"> <div class="enhanced-datepicker"> <div class="proxied-field-wrap"> <input type="text" ui-date-format="yy-mm-dd" ng-model="ngmodel" ui-date="dateoptions"/> </div> <label> <button class="btn" type="button"><i class="icon-calendar"></i>
Read more

javascript - jQuery date picker - Disable dates after the selection from the first date picker -

<!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>jquery ui datepicker - default functionality</title> <link rel="stylesheet" href="//code.jquery.com/ui/1.11.4/themes/smoothness/jquery-ui.css"> <script src="//code.jquery.com/jquery-1.10.2.js"></script> <script src="//code.jquery.com/ui/1.11.4/jquery-ui.js"></script> <link rel="stylesheet" href="/resources/demos/style.css"> <script> $(function () { $("#datepicker1").datepicker(); }); </script> <script> $(function () { $("#datepicker2").datepicker(); }); </script> </head> <body> <p>date 1: <input type="text" id="datepicker1"></p> <p>date 2: <input type="t
Read more