Based on: http://ift.tt/1o79bHc
Is there a way to limit a browser based upload to Amazon S3 such that it is rejected if it does not originate from my secure URL (i.e. https://www.someurl.com)?
As far as I could tell there is no way in the S3 bucket policy to set this. It only allows for "Action": "s3:PutObject" which is overridden by the POST policy.
This is not acceptable if any malicious entity could simply copy and paste the tags for the upload and then upload files to my bucket outside the confines of my app.
I am surprised as the bucket policy allows me to control everything else (e.g. PUT, LIST, GET, etc.) such that if the request does not come from my website (via "aws-referrer" conditions) the request fails.
I love the client side simplicity of the concept of the HTTP POST to the bucket but if anyone can use it outside the confines of my website's URL I find that very scary.
NOTE: I do understand how the upload policy works and that one can limit it to size, file type, etc. but that is simply not good enough. I want to absolutely guarantee the post is coming from my website or I will have no choice but to go through an EC2 proxy which is far less efficient and more costly.
Thanks!
Aucun commentaire:
Enregistrer un commentaire