by dakiol 264 days ago
I really didn't get what the post was about. I'm getting old or? And I thought I was clever because I work with distributed databases...
2 comments

The post seems to be written by a developer that has never heard of caching and thinks they have invented some illicit solution by implementing it.

It makes very little sense - they don't want to ask users to trust Google's domain despite... integrating the user's Google account? What?

And in what way is this stealing? Caching a publicly available asset? Sounds like you are saving Google bandwidth/money.
Yes, quite the opposite. It did remind me of the old days though, when you could do the opposite and "hotlink" pictures from most websites and save yourself bandwidth costs!
I think the point is that they’re avoiding whitelisting Google and GitHub domains which is necessary to preprocess images from and use urls to images to their domain in an Image tag. That allows malicious users to send such urls to his _next image preprocess endpoint and get “free compute”. (Not sure why someone would do that other than to just screw with somebody).

He’s using BetterAuth hooks to fetch those images and upload to his trusted url to avoid such a scenario.

That does make sense, but I'm not sure why it was worth sharing.
The post assumes the reader is familiar with where things are happening and who is involved. Guess I'm not part of the target audience.
Loading an img tag doesn't involve trusting a domain. Especially using crossorigin and refererpolicy attributes.