Is it safe using "blob" for "worker-src" in CSP or is there a security drawback? Couldn't anyone start a worker then by passing a blob from any website?
Related
Just wondering if there is a way to add the "X-Robots-Tag: noindex" tag specifically to PDFs that are served from azure blob storage via an azureedge CDN url. For example -
Blob Storage URL - {subdomain}.blob.core.windows.net/container/test.pdf
CDN URL - {subdomain}.azureedge.net/container/test.pdf
I have read in some places that a way to do this is to add a robots.txt file to the $root container on the blob storage and set "Disallow: *.pdf", however it states that this is not completely reliable and I would rather set the X-Robots-Tag header. Is there a way in azure portal to set it up so that any "*.pdf" file being requested via either the blob or CDN url automatically has this header added to the response?
Many thanks in advance
You can find the CDN rule engine here(I am using Standard Microsoft tier):
Test result:
After storing a digital file in Azure blob storage, I want to provide a link to that file in my static website (that has no server side code). When a user clicks on that link user should be able to download that digital file to his/her computer. Question: How do you get the url of a digital file stored in Azure blob storage?
Each blob in Azure Storage has a URL of the following format:
https://account.blob.core.windows.net/container/blob
Where:
account is the name of your storage account, container is the name of your blob containerandblob` is the name of your blob.
Now that your requirement is that a user should be prompted to download the file directly without using any server-side code, these are the additional things you would need to do:
Make sure that the blob container's ACL is either set to Blob (recommended) or Public. If you set the ACL to Private, then you would need a Shared Access Signature (SAS) and that would require some server-side code.
Either set the content-type of the blob to application/octet-stream (default content type for any blob in Azure Storage) or set the content-disposition property to attachment; filename="your file name" to force the file download instead of displaying it inside the browser only. Recommended approach is to use content-disposition property.
I create the the Storage account, CDN Profile and CDN endpoint from powershell. But adding images to the storage account is a manual process after creating all azure components. Now we have the issue that images are not showing up in page. When I try to access the CDN image url directly, I get this error
The requested URI does not represent any resource on the server
But I can access the content directly by using blob storage url to ensure content exist. I tried changing the caching rules , but nothing is working. I have standard verizon cdn profile.
Any suggestions?
Update1 : When I delete the endpoint and recreate the endpoint with all images already loaded in Storage account, everything works fine. Any idea what is the predictable behaviour?
This error happens when you're using a "/" with the root container where the blob is present (sub-folders). for now the "/" are not supported, you can get around it by referencing the root container in the link, ex:
GET https://myaccount.blob.core.windows.net/$root/myphoto
When using the CDN, the format should look like the following:
http://<EndpointName>.azureedge.net/<myPublicContainer>/<BlobName>
There is also a cool tutorial on how to host static sites via blobs and CDN worth checking out: https://blog.lifeishao.com/2017/05/24/serving-your-static-sites-with-azure-blob-and-cdn
Documentation:
You can get more info from these links: https://learn.microsoft.com/en-us/rest/api/storageservices/Working-with-the-Root-Container?redirectedfrom=MSDN
https://learn.microsoft.com/en-us/azure/cdn/cdn-create-a-storage-account-with-cdn
As far as I know in Azure Storage we can delegate access to our storage to single person using SAS on CONTAINER basis.
I need to delegate access on per BLOB basis to prevent hotlinking.
We are using Asp.Net MVC. Sorry for my English:)
Edit: And how new Azure user can create CDN?
So you can create a SAS on a blob. The approach is similar to the way you create a SAS on a blob container. Since you're using ASP.Net MVC, I'm assuming you would want to use .Net Storage Client API to create SAS on a blob. To create a SAS on a blob, just call GetSharedAccessSignature method on the blob object you have created.
For example, the code below would give you a SAS URL where user has permission to download a blob:
var sas = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy()
{
Permissions = SharedAccessBlobPermissions.Read,
SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-5),
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(15),
});
return string.Format(CultureInfo.InvariantCulture, "{0}{1}", blob.Uri, sas);
I wrote a blog post some time ago which describes SAS functionality on blobs and containers in more details: http://gauravmantri.com/2013/02/13/revisiting-windows-azure-shared-access-signature/
Regarding your question about CDN, I believe the functionality to create DSN nodes was taken away from the Windows Azure Portal when new portal was announced. I guess you would need to wait for the functionality to come up again on the portal.
I am looking at using azure Containers and Blobs to store images and videos for my website. I found http://msdn.microsoft.com/en-us/library/windowsazure/dd179354.aspx which talks about the different ALC settings but it did not answer one of my questions. If a Container/Blob are set to "No public read access" the site says that only the account owner can read the data. Would this mean that people could not access it by the URL but my MVC Web App hosted on an Azure VM would be able to access it via URL?
Please bear with me if the answer sounds a bit preachy & unnecessary lengthy :)
Essentially each resource (Blob Container, Blob) in Windows Azure has a unique URL and is accessible via REST API (thus accessible over http/https protocol). Wit ACL, you basically tell storage service whether or not to honor the request sent to serve the resource. To read more about authentication mechanism, you may find this link useful: http://msdn.microsoft.com/en-us/library/windowsazure/dd179428.aspx.
When you set the ACL as No public read access, you're instructing storage service not to honor any anonymous requests. Only authenticated requests will be honored. To create an authenticated request, you would require your account name and key and create an authorization header which gets passed along with the request to access the request. If this authorization header is not present in your request, the request will be rejected.
So long story short, to answer your question even your MVC application won't be able to access the blob via URL unless that authorization header is included in the request. One possibility would be to explore Shared Access Signature (SAS) functionality in blob storage. This would give time-bound restricted permissions to blobs in your storage. So what you would do is create a SAS URL for your blob in your MVC app using your account name and key and use that SAS URL in the application.
To further explain the concept of ACL, let's say you have a blob container called mycontainer and it has a blob called myblob.txt in a storage account named myaccount. For listing blobs in the container, the container URL would be http://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=list and the blob URL would be http://myaccount.blob.core.windows.net/mycontainer/myblob.txt. Following will be the behavior when you try to access these URLs directly through the browser with different ACL:
No public read access
Container URL - Error
Blob URL - Error
Public read access for blobs only
Container URL - Error
Blob URL - Success (will download the blob)
Full public read access
Container URL - Success (will show an XML document containing information about all blobs in the container)
Blob URL - Success (will download the blob)