Problems with Allowed strict referral domains

belacmu
belacmu Member Posts: 3
edited March 2024 in Developer APIs

Hi! I've been working on a project using Cloudinary's generative recolor, and now I'm trying to prepare it to go live. I want to make sure that nobody can start generating a ton of new image transformations, so I've turned on strict transformations and set my deployment site on Vercel as an "allowed strict referral domain". The issue is, I can't get it to work. I've also temporarily set localhost as an option, but that doesn't work either.

I can load my images, but when I try to load/make a new transformation, I get a 401 Unauthorized error. If I turn off strict transformations then everything works fine. Any idea what is going on here, or what I can do/try to get this working? It seems like it should be straightforward.


(I also looked into signing my image requests, but I am using Next Cloudinary, and couldn't figure out how to do that either)

Answers

  • SreeCloudinary
    SreeCloudinary Member, Cloudinary Staff Posts: 46

    Hi @belacmu ,

    Thanks for your question. The purpose of Strict Transformations is to not allow any other transformation to be generated dynamically apart from the pre-defined ones or those that you have specifically allowed to be used dynamically.

    I would recommend checking this article: https://cloudinary.com/documentation/control_access_to_media#strict_transformations

    Best Regards,

    Sree

  • belacmu
    belacmu Member Posts: 3

    Thank you for the response, I would like to refer you to the same article, specifically the "Allowed strict referral domains" section:

    "You can use the Allowed strict referral domains setting to set the referrer domains that are allowed to generate unsigned dynamic transformations, even when strict transformations are enabled. This setting can be found in the Security page of the Cloudinary Console Settings."

    This is what I am trying to do, but I'm not getting the expected result. I want there to be strict transformations, but there are certain domains that can still generate new transformations. Am I misunderstanding what 'allowed strict referral domains' do?

  • Cloudinary Team
    Cloudinary Team Administrator, Cloudinary Staff Posts: 176 admin

    Hi there,

    Your understanding of the documentation is correct. I took a look at your setup in the account settings and I checked the backend logs for your account. With regard to localhost, can you try localhost:*? The referral domain uses exact matching, so localhost:* allows a server running locally on any port, whereas localhost only allows https://localhost.
    Please give that a try and let me know how it goes.

    I am not sure why your vercel app is not working though. I am continuing to dig into that and I will update you as soon as possible.

    Kind regards,

    Tia

    Helpful Links For You
    💬 Share questions, connect with other users in our Cloudinary Community forums and Discord server!
    🧑‍🎓 Join our Cloudinary Academy for free courses, workshops and other educational resources.
    📄 Read our documentation for in-depth details on Cloudinary product features and capabilities
    📰 Check out the Cloudinary blog for the latest company news and insights

  • Cloudinary Team
    Cloudinary Team Administrator, Cloudinary Staff Posts: 176 admin

    Hi there,

    For testing purposes, can you try making a request with a simple transformation such as setting only the width? Please let me know if that also is a 401 response.

    Kind regards,

    Tia


  • belacmu
    belacmu Member Posts: 3

    Thank you for a better response! :) I have done a bit of testing, and your hunch seems to be correct. When I have my domains set to allowed, I am able to make a request where the size of the photo is set, but I'm not able to get a gen_recolor transformation of that image. When I remove my domains from the list so that it's just strict, I am not able to set the size or do a recolor, both come back as a 401 response.


    I have tested this with both localhost:* and my vercel url, and they behave in the same way.

  • Cloudinary Team
    Cloudinary Team Administrator, Cloudinary Staff Posts: 176 admin

    Hi there,

    Thanks for your help with testing 😊

    I checked with my colleagues and have learned that this is a bug. The request is being denied because the referrer is not being passed through when generative recolor is used. I have created an internal ticket to get this fixed. It's not possible for me to share an ETA on the fix, but I will be notified when the fix has been released and we will reach out at that time to let you know.

    If you have any questions in the meantime, do not hesitate to ask.

    Kind regards,

    Tia
