Ashu7878
Explorer | Level 3
6 years ago

Direct link for file download

Hello All,

I am new here and new to Dropbox integration. In my application we use the Chooser to select files from the end user's Dropbox account. When the user selects a file, the response contains a download URL which is something like this - https://dl.dropboxusercontent.com/1/view/uziu191sh0ilvkq/Get%20Started%20with%20Dropbox.pdf

Now my problem is that if this request is intercepted by someone and they change this URL, it lets the user upload the file from another source. This is wrong behaviour. I want to restrict users to uploading files only from Dropbox. So I wanted to know if the domain name used in the above example ("dl.dropboxusercontent.com") will always be the same irrespective of the end user's country. If this domain is the same, we can match it as a pattern in the backend and discard all other requests.

Has anyone faced this kind of problem before? Any help on how to solve it would be helpful.

Thank you in advance.  

  • Jane
    Dropbox Staff
    Hey Ashu7878, welcome aboard! 
     
    Following up on what you’re describing to us, I’m wondering whether your inquiry pertains to how you could integrate Dropbox with an app you’re developing or whether you’re referring to a specific integration that you’ve incorporated in your workflow. 
     
    Would you mind clarifying this point for me, as this would lead us to the best next steps? 
     
    Thanks in advance!
    • Ashu7878
      Explorer | Level 3

      Hi Jane, 

      Sorry for the confusion. I am referring to a specific Dropbox integration that I have incorporated in the workflow. 

       

      • Jane
        Dropbox Staff
        Thanks for clarifying, Ashu7878.
         
        As you mentioned that you’re using an existing integration with Dropbox, I’d appreciate it if you could specify which one it is in your next message. Are you using File Requests to collect the files by any chance? If so, then anyone with the link should be able to upload, however you can close it at any time when you'd like to stop receiving files. 
         
        Incidentally, have you by any chance run into this issue? If that’s happened, I’d like to replicate & see if I’m getting the same results on my end, so it would be very helpful if you described to me what’s led you to this in as much detail as possible. 
         
        I look forward to hearing back from you!
  • Greg-DB
    Dropbox Staff

    Ashu7878 Right now, the direct links returned by the Dropbox Chooser are always on dl.dropboxusercontent.com, but that isn't officially documented or guaranteed, so I can't promise that won't change. 

    I'll pass this along as a request to officially document/guarantee that, but I can't say if or when that might be done.

    • Ashu7878
      Explorer | Level 3

      Hi Greg, 

      Is the direct link domain going to be the same (which is dl.dropboxusercontent.com) for all the countries from which users access their Dropbox account, or will it change? What I mean is, if a user accesses it from the UK, will it change to something like this - dl.dropboxusercontent.co.uk? We have users across the globe who will be accessing this.

      Also, the problem I am trying to solve here is not about the domain name but more about how to verify that the source of the direct link in the request is Dropbox. If a malicious user intercepts the request and modifies the direct link in the request, a different file will be uploaded. 

      I would love to know how some of the other people here who use the Dropbox Chooser have solved this kind of problem.

      • Greg-DB
        Dropbox Staff

        Ashu7878 The domain is the same for all users from all countries. I just can't promise that it won't change in the future.

        In general though, there isn't a way to verify the source of the link since it is shared locally in JavaScript in the client, and the client can't be trusted (since it is under the control of the user, who may or may not be malicious). If you have any general web security questions, I recommend reaching out to a security professional. 
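
The backend host check asked about in this thread, as an added example that is not part of any post and is not Dropbox code: it parses the submitted link and compares the exact host, scheme, port and userinfo instead of pattern-matching the string, and re-checks redirect targets. The allowlisted host is the one reported in the thread, which Dropbox staff say is not guaranteed; the function names are hypothetical. A passing result only shows that the link points at that host, not that it is the link the Chooser returned.

```javascript
// Added example, not code from the thread. Backend-side check of a Chooser
// "direct link" before the server fetches it.
// Assumption: the allowlist holds the one host the thread reports today;
// Dropbox staff state it is not guaranteed, so keep it configurable.
const ALLOWED_HOSTS = new Set(["dl.dropboxusercontent.com"]);

function checkDirectLink(raw, base) {
  const fail = (reason) => ({ ok: false, reason });
  if (typeof raw !== "string" || raw.length > 2048) return fail("bad input");
  // Whitespace, control characters and backslashes are parsed differently by
  // different URL libraries, so refuse them instead of normalising.
  if (/[\s\\\u0000-\u001f\u007f]/.test(raw)) return fail("illegal character");
  let u;
  try {
    u = new URL(raw, base); // base is only used for relative redirect targets
  } catch {
    return fail("unparseable");
  }
  if (u.protocol !== "https:") return fail("scheme");
  if (u.username !== "" || u.password !== "") return fail("userinfo");
  if (u.port !== "") return fail("port");
  // Exact match on the parsed hostname: no substring, suffix or regex tests.
  if (!ALLOWED_HOSTS.has(u.hostname)) return fail("host");
  return { ok: true, url: u.href };
}

// Redirects must be followed by hand (automatic following disabled in the
// HTTP client) and every Location header re-checked, or an allowed URL can
// lead the server off-host.
function checkRedirect(currentUrl, locationHeader) {
  return checkDirectLink(locationHeader, currentUrl);
}

// Constructed sample inputs; only the first URL appears in the thread.
const SAMPLES = [
  "https://dl.dropboxusercontent.com/1/view/uziu191sh0ilvkq/Get%20Started%20with%20Dropbox.pdf",
  "https://dl.dropboxusercontent.com.files.example/1/view/a.pdf",
  "https://dl.dropboxusercontent.com@files.example/a.pdf",
  "https://files.example/?u=dl.dropboxusercontent.com",
  "http://dl.dropboxusercontent.com/1/view/a.pdf",
];
for (const s of SAMPLES) console.log(checkDirectLink(s).reason ?? "ok", s);
```
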
