: How does tinypic.com referrer/redirect work? For example, if I embed this random image in a forum, it will show up normally: [IMG]http://i48.tinypic.com/350m3ut.jpg[/IMG] If I try to view the image

@Berumen354

This is done using the Accept HTTP header.

If you enter the URL oi48.tinypic.com/350m3ut.jpg in your address-bar the browser doesn't know yet what Content-type that URL returns (except that URL is already in the browser cache, I go into that a bit later). The browser then sends the "default" Accept header, which looks like this if you're using Firefox:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8


The tinypic.com-Server then evaluates the Accept header and notices that your browser is preferring a text/html type. So it knows which image you like and that you want a HTML document, in that case it redirects you to the "main page".

Now if you use that same URL in an <img>-tag (again assuming the URL is not cached yet), the browser assumes that the URL resolves to a image-resource. Firefox sends the following headers:

Accept: image/png,image/*;q=0.8,*/*;q=0.5


You can see that image/* are preferred to any other content-types (and Firefox obviously likes PNG files). Obviously in that case the image-file is returned instead of the redirect.

The point here is that the browser does not look at the URL to "guess" what content-type to expect. It just uses some default preferences depending on which use case (entering the URL in the address-bar, referencing the URL in an <img>-tag) is, well, used.

Of course some browsers may behave differently, and I'm sure tinypic.com also uses the User-Agent-header to decide whether or not to use the Accept-header - probably to not break the <img>-tag for any old or weird browser (I've noticed in my test with cURL, that tinypic.com does not use the Accept-header with the default cURL User-Agent-header).

Now about the cache: if the URL is in the cache, the browser does not need to hit the server to know what the response is going to look like (in the case of tinypic.com it's a JPEG-file), so in this case the server can't do a redirect, and the browser just display the image as usual.

I guess the important thing here is to prevent that, instead of the actual image, the redirect to the "main-page" is cached - because otherwise the browser would be doing a redirect even if the resource is referenced inside an <img>-tag (I'm not sure tough, so this could be wrong).

The hotlink protection of funnyjunk.com is probably implemented using the Referer-header (I could not reproduce it, but I can't imagine how to solve "hotlink protection" without the referer-header).

Vote Up Vote Down