by samtheprogram
263 days ago
The components work by requesting the image URL from your own server/API, at a route like `/_next/image`. The actual image URL that's passed as a prop to the component is passed to that API endpoint as a URL parameter. So, the endpoint is essentially a proxy that does additional image processing, like compression and width/height resizing (again, a URL parameter that the Image component or any other client can change based on the device / screen size in use). This means that without a domain whitelist, theoretically any image URL can be passed to the endpoint, which will then be processed and cached by your infra. This has been used in the wild, e.g. racking up charges on someone else's Vercel bill by requesting a bunch of images through this endpoint.
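An added example, not part of the comment above and not Next.js's own code: a minimal allowlist check that an image-proxy endpoint of this kind could apply to the `url` and `w` parameters before fetching or caching anything. The host names, the width list and the function name `validateImageRequest` are assumptions made for illustration.

```javascript
// Added example, not Next.js source. ALLOWED_HOSTS and ALLOWED_WIDTHS are
// constructed values; validateImageRequest is a hypothetical helper.
const ALLOWED_HOSTS = new Set(["images.example.com", "cdn.example.com"]);
// A fixed width list bounds how many resized variants of one image
// can be generated and cached.
const ALLOWED_WIDTHS = new Set([320, 640, 1080, 1920]);

function validateImageRequest(requestUrl) {
  // The base is only needed so a relative request path can be parsed.
  const params = new URL(requestUrl, "http://localhost").searchParams;
  const raw = params.get("url");
  const width = Number(params.get("w"));

  if (!raw) return { ok: false, reason: "missing url" };

  let target;
  try {
    // No base here: a relative value throws instead of being resolved.
    target = new URL(raw);
  } catch {
    return { ok: false, reason: "url is not absolute" };
  }

  if (target.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  // Compare the parsed hostname exactly. Substring or prefix checks on the
  // raw string pass look-alike hosts and userinfo ("allowed-host@other-host").
  if (!ALLOWED_HOSTS.has(target.hostname)) {
    return { ok: false, reason: "host not allowed" };
  }
  if (!ALLOWED_WIDTHS.has(width)) {
    return { ok: false, reason: "width not allowed" };
  }
  return { ok: true, target: target.href, width };
}
```

In Next.js itself the equivalent restriction is configured through the `images` settings in `next.config.js` rather than written by hand.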