HTTP referrer - AWS, Sharepoint and browsers

I have uploaded some files to an S3 bucket. In order to restrict access I have set up a bucket policy with HTTP referrer where redirects from a Sharepoint site are allowed. I use Sharepoint because of the authorization of users that will access the S3 files. This works fine. But only with Firefox!

After searching around it seems that the other browsers (I've tried Chrome and Edge) block the HTTP referrer? What gives?

I can give access through AWS and IAM of course, but that complicates things a bit. At this point access control with O365 seems the easiest. But I don't want to force the clients to use Firefox.

(Note: based on the information you could ask why not use Sharepoint to host the files. I have a static html, and it is so easy to set up on S3. But perhaps there are some alternatives on Sharepoint?)

Olav asked Dec 05 '17 19:12


1 Answer

Consider whether that is really what you want: if you use the HTTP referrer policy, literally anyone can access that resource, as you can see from this answer: https://security.stackexchange.com/a/135706 so it doesn't give any real protection.

In this case you might decide to just grant anyone access, as taken from the Amazon AWS documentation:

Granting Read-Only Permission to an Anonymous User

The following example policy grants the s3:GetObject permission to any public anonymous users. (For a list of permissions and the operations that they allow, see Specifying Permissions in a Policy.) This permission allows anyone to read the object data, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

Warning: Use caution when granting anonymous access to your S3 bucket. When you grant anonymous access, anyone in the world can access your bucket. We highly recommend that you never grant any kind of anonymous write access to your S3 bucket.

davide bubz answered Sep 30 '22 07:09
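As an added example (not part of the question or the answer, and not AWS code), a small Python audit of the two policy shapes this thread contrasts: a referer-gated anonymous read like the one described in the question, and the anonymous read-only policy quoted from the AWS documentation. The SharePoint hostname and the statement id AllowFromSharePoint are constructed placeholders; the audit flags any Allow statement for anonymous principals whose only conditions are client-supplied headers, since such a statement is effectively public.

```python
import json

# Condition keys whose value is supplied by the caller; a statement gated only on
# these is not an access-control boundary, because any HTTP client can set them.
CLIENT_CONTROLLED_KEYS = {"aws:referer", "aws:useragent"}

# Constructed example of the question's approach: anonymous read gated on Referer.
# contoso.sharepoint.com is a placeholder hostname, not a value from the thread.
REFERER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowFromSharePoint", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {"StringLike": {"aws:Referer": ["https://contoso.sharepoint.com/*"]}}}]})

# The anonymous read-only policy quoted in the answer from the AWS docs.
ANON_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"]}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the statement applies to unauthenticated callers ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_policy(policy):
    """Return (sid, gate, grants_write) for each Allow statement open to anonymous callers."""
    # gate: 'public' (no Condition), 'header-only' (every condition key is a
    # client-supplied header), or 'conditional' (some key the caller cannot choose).
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        keys = {k.lower() for operands in stmt.get("Condition", {}).values() for k in operands}
        if not keys:
            gate = "public"
        elif keys <= CLIENT_CONTROLLED_KEYS:
            gate = "header-only"
        else:
            gate = "conditional"
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_write = any(a == "s3:*" or a.startswith(("s3:put", "s3:delete")) for a in actions)
        findings.append((stmt.get("Sid", "<no Sid>"), gate, grants_write))
    return findings
```

Run against the two policies above, the referer-gated statement is reported as header-only and the documented anonymous-read statement as public; both grant read only, which is the distinction the answer's warning about anonymous write draws.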