
    if (location.host.search(/crockford.com$/i) != -1) {
        alert("Stop hotlinking me!")
    }
I don't think you can fool that, but I'd love to hear about how I'm wrong.




    window.alert = function () {};


    if (location.host.search(/crockford.com$/i) != -1) {
        throw "Stop hotlinking me!";
    }


Your code should read != 0 to have the desired effect.

And even then, this can bypass it:

    var temp = String.prototype.search;
    String.prototype.search = function () { return 0; };

    if (location.host.search(/crockford.com$/i) != 0) {
        throw "Stop hotlinking me!";
    }

    String.prototype.search = temp;
Though that may cause other problems.


My point was that it's just a game of cat and mouse. I could come up with lots of workarounds for almost anything you throw at me. Example:

    var expectedHost = "crockford.com";
    // Throw unless the page's host is exactly the expected host.
    if (expectedHost.length !== location.host.length)
        throw "Stop hotlinking me!";
    for (var i = 0; i < expectedHost.length; i++)
        if (location.host[i] !== expectedHost[i])
            throw "Stop hotlinking me!";
(though string[x] might not work in every browser)

So thanks for further demonstrating my point!

But really, just check the referrer header.
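
The Referer check suggested in the comment above, as an added example that is not part of the thread or anyone's production code. The function names and the policy for a missing header are assumptions; the host name is the one used in the thread, and the code relies on the standard `URL` class.

```javascript
// Added example: server-side hotlink check on the Referer header.
// ALLOWED_HOST comes from the thread; hostAllowed/checkReferer/statusFor are hypothetical names.
const ALLOWED_HOST = "crockford.com";

// True when `host` is the allowed host or a subdomain of it.
// The comparison is made on a label boundary, so "notcrockford.com" fails here
// even though the unanchored pattern /crockford.com$/i matches it.
function hostAllowed(host, allowed = ALLOWED_HOST) {
  const h = String(host).toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return h === allowed || h.endsWith("." + allowed);
}

// Classify a raw Referer header value as "allow", "deny" or "absent".
function checkReferer(referer) {
  if (referer === undefined || referer === "") return "absent";
  let url;
  try {
    url = new URL(referer); // parse instead of pattern-matching the raw string
  } catch (e) {
    return "deny"; // malformed header value
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "deny";
  return hostAllowed(url.hostname) ? "allow" : "deny";
}

// Map the verdict to an HTTP status for the script request.
// Assumption: a missing Referer is served by default, because privacy settings
// and proxies strip the header from legitimate requests; pass false to refuse it.
function statusFor(referer, allowAbsent = true) {
  const verdict = checkReferer(referer);
  if (verdict === "allow") return 200;
  if (verdict === "absent") return allowAbsent ? 200 : 403;
  return 403;
}
```

The header is supplied by the client, so this separates ordinary browser embeds from the site's own pages and is not an access control.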


Point. I was unclear in my phrasing; I was more looking into just not accidentally bypassing it. Deliberately bypassing it probably can't be stopped, but really, at that point you've already lost. Given what I've seen in the world, somebody grabbing an existing proxy script and regexing out the check, and never once stopping to think this is way worse than hosting the file yourself, wouldn't even make me blink.



