Hacker News
by devmor 263 days ago
The post seems to be written by a developer that has never heard of caching and thinks they have invented some illicit solution by implementing it.

It makes very little sense - They don't want to ask users to trust Google's domain despite... integrating the user's Google account? What?

2 comments

And in what way is this stealing? Caching a publicly available asset? Sounds like you are saving Google bandwidth/money.

Yes, quite the opposite. It did remind me of the old days though, when you could do the opposite and "hotlink" pictures from most websites and save yourself bandwidth costs!

I think the point is that they’re avoiding whitelisting Google and GitHub domains which is necessary to preprocess images from and use urls to images to their domain in an Image tag. That allows malicious users to send such urls to his _next image preprocess endpoint and get “free compute”. (Not sure why someone would do that other than to just screw with somebody).

He’s using BetterAuth hooks to fetch those images and upload to his trusted url to avoid such a scenario.

That does make sense, but I'm not sure why it was worth sharing.