[HN Gopher] You can't download this image
___________________________________________________________________
You can't download this image

Author : calmingsolitude
Score  : 111 points
Date   : 2021-11-27 09:30 UTC (13 hours ago)

(HTM) web link (youcantdownloadthisimage.online)
(TXT) w3m dump (youcantdownloadthisimage.online)

| sys_64738 wrote:
| There's a multitude of ways to work around this hack. You can easily grab the screen area via the OS if need be. Seems pointless to try to restrict access if it's viewable in a browser.
| thih9 wrote:
| Somehow right clicking + saving worked fine on Safari (desktop). I tried it a couple of times and it worked in all cases; sometimes it took a second, sometimes more. Perhaps the server dropped the connection?
| [deleted]
| huhtenberg wrote:
| https://youcantdownloadthisimage.online/lisa.jpg... and?
| mmmeff wrote:
| Try reading
| [deleted]
| dobladov wrote:
| curl --max-time 1 https://youcantdownloadthisimage.online/lisa.jpg > lisa.jpg
| shrx wrote:
| Results in an empty file.
| dobladov wrote:
| Increase the time a bit, it looks like sometimes it takes more time to download
|
| curl --max-time 2 https://youcantdownloadthisimage.online/lisa.jpg > lisa.jpg
| shrx wrote:
| Nevermind, looks like MobaXterm shell provides a non-standard curl implementation:
|
| $ which curl
|
| curl: aliased to _tob curl
|
| After installing curl with apt-get it works.
| hdjjhhvvhga wrote:
| I hate it when people do that. You can wonder for hours why something obvious doesn't work as it should and in the end discover someone decided to implement something substandard, often for no good reason.
| ducktective wrote:
| that's every distro and *nix derivation
| judge2020 wrote:
| And powershell!
| hdjjhhvvhga wrote:
| Well, Windows too.
| I recently had to set up something simple on a Windows 10 machine, I quickly checked by tab-completion if a python binary is available so I copied my setup script only to discover someone smart decided to redirect the binary to the Windows Store. Yes, I know the rationale behind this, but still. Just like hijacking nxdomain.
| post-it wrote:
| _Especially_ curl. https://daniel.haxx.se/blog/2021/05/20/i-could-rewrite-curl/
| styluss wrote:
| Add -N, --no-buffer Disables the buffering of the output stream. In normal work situations, curl will use a standard buffered output stream that will have the effect that it will output the data in chunks, not necessarily exactly when the data arrives. Using this option will disable that buffering.
|
| and it works
| worldofmatthew wrote:
| Copy and paste works fine.
| ravenstine wrote:
| There's another way to achieve this in a more malicious way. Granted I haven't tried it in years, but it was possible back in 2017 when I tested it.
|
| The idea is to fake the image that's being displayed in the IMG element by forcing it to show a `background-image` using `height: 0;` and `padding-top`.
|
| In theory, you could make an IMG element show a photo of puppies and if the person chose to Right-click > Save Image As then instead of the dog photo it could be something else.
|
| For some reason I can't Oauth into Codepen so for now I can't recreate it publicly.
| bellyfullofbac wrote:
| Not very new, the technique's probably been around since the 2000's... e.g. you can't right click, save as on the web version of Instagram because all the images are background-images attached to DIVs. In the "old days" there'd be a 1x1 transparent GIF above the image, so any downloader would download that instead.
| trulyme wrote:
| More like 1990s, but yes.
| sumthinprofound wrote:
| Firefox on Android long press save image no other action taken and it shows up in my device photo gallery.
|
| (edit: clarity)
| unfocused wrote:
| In Chrome, you can just do as the author says, right click and "Save Image As".
|
| Then just go to the folder where it is being downloaded, and copy/paste the file "lisa.jpeg.crdownload" to "lisa.jpeg.crdownload copy".
|
| Rename to "lisa.jpeg" and cancel the download. You now have the image. What's interesting is that you _ARE_ actually downloading this image. It's just that they don't terminate the connection.
| julieturner99 wrote:
| I paused the download and renamed the file to .jpeg and it worked similarly
| chunkyks wrote:
| We have a security proxy at work that gives you the bits, but then holds the connection open while it does a scan, then resets the connection if it doesn't like something inside. Both Chrome and Firefox [haven't tried IE/Edge, but I assume that they'll do something that the proxy vendor would want] infer [or are told?] that the connection broke and delete the interim file. Unfortunately, with zip files, the header is at the end; so it can't do scanning until the whole file is down.
|
| For me, the easiest way to mitigate it turned out to be to use wget [with an appropriate user-agent... say, the same as my desktop browser]. wget gets the bits, but doesn't in any way molest the "partial" download when the connection resets. Then it tries to download the rest using the "Range" HTTP header, and the server says "oh, dude, you already got the whole thing"; wget declares success, and all the bits are in my download folder.
|
| I believe that we pay, like, a lot for this proxy, which is annoying on two counts: 1) If _I_ can get past it trivially, then presumably competent attackers can, too, and 2) Sometimes it takes a dislike to legitimate stuff, which is how I was forced to learn how to get around it.
| RolloTom wrote:
| wget and aria2c both work.
| I get a jpg image 54,8 KiB, SHA256 sum 204788602166C017B8FEF5D63EDFD814DC9865233C410BCDAD713F78DAE5AF18
| human wrote:
| No issue downloading it on iOS.
| eyelidlessness wrote:
| Same. Oddly, the page itself remained in a loading state even after downloading succeeded.
| Supposedly wrote:
| right click > copy image > paste somewhere
|
| Works for me :) (I pasted in Telegram FYI)
| LeoPanthera wrote:
| Safari Mac, I dragged it out of the page and into a Finder window, and it saved.
| tomashubelbauer wrote:
| I right-clicked and pressed Open Image in a New Tab and then pressed Escape to disconnect the browser from the server. No infinite download here.
| numbsafari wrote:
| Yeah, I just:
|
| 1) used the "copy image" function Safari on iOS.
|
| 2) took a screenshot.
|
| ... back to the drawing board NFT bros.
| daedlanth wrote:
| prtsc, dumbass.
| brundolf wrote:
| It worked fine on iOS (confirmed in my photo library)
| pbobak wrote:
| It downloaded on Safari on iOS. Long press on the image and tap Add to photos.
| robarr wrote:
| Ditto
| jb1991 wrote:
| Same for me, but the webpage gave the impression that it was still downloading, because after it downloaded completely, at least in firefox on iPhone, it's still showing that it was downloading.
| threatripper wrote:
| I could copy the image from Firefox. Are you sure you downloaded it instead of copying it?
| ladino wrote:
| iPhone Safari - Instant Download, no problem!
| haunter wrote:
| iPhone > long press > Add to photos
|
| What am I missing?
| wsinks wrote:
| I posted the same snarky comment too. Seems the headline should be "You can't download this exact image, but you can copy the presentation image via other means."
|
| More of a play on words for how copy and download often times mean the same thing even though technically they're different.
| grawprog wrote:
| I had zero issues downloading the image with brave. Saves normally like any other picture.
| hollander wrote:
| Rightclick and select "copy image". Why would you want this if you can copy the image anyway?
| 0xhh wrote:
| I guess this is very similar to res.end() in nodejs servers
| busymom0 wrote:
| My usual way of downloading images is to click and drag the image into my downloads folder on my Mac. Worked fine for me from Safari. Am I missing something?
| efortis wrote:
| Load the website in Firefox with the Network Panel open, hit "Escape", and right-click "lisa.jpg" -> "Save Image As"
| synergyS wrote:
| Hm opened chrome console and saved it from sources there, took 30 secs :)
| kuroguro wrote:
| The problem with leaving connections open is that there's a limit on how many you can have on the server... I think the author has committed self-DoS :)
|
| https://en.wikipedia.org/wiki/Slowloris_(computer_security)
| titaniczero wrote:
| The website is down now lol
| proyb2 wrote:
| It should end with .offline
| sildur wrote:
| And now you can't download that image.
| Rerarom wrote:
| Yeah it's like a breeder reactor, it makes its own fuel.
| tomxor wrote:
| > The connection has timed out
|
| Now I _really_ can't download the image
| purplecats wrote:
| He got you!
| TheRealDunkirk wrote:
| Great! Just what we need these days: more tricks to screw around with the simple, straightforward implementation of the HTTP protocol! And just in time for Christmas.
| olliej wrote:
| On webkit based browsers at least you can just drag the image out, it doesn't bother trying to redownload it just reconstructs the image file from memory, this also applies to copy/paste on ios
| aerovistae wrote:
| I was about to "Save as..." when suddenly it struck me that this would be an incredible bait to spread a virus.
| soheil wrote:
| An image virus? Please do elaborate.
| lgats wrote:
| using "filename" within the "Content-Disposition" header, you could theoretically trick a user into downloading a non-image file despite the url containing lisa.jpg
|
| I think certain browsers have security limits on the file-extensions you download, which may include when image->"save as" is used.
| chunkyks wrote:
| Don't forget that you can literally concatenate jpegs and zipfiles [header at start of jpeg, but at end of zipfile], so the valid jpeg can _also_ be a valid zipfile.
|
| Combine that with something like Safari's insistence at automatically exploding zipfiles on download, and you got yourself a party.
| xdrosenheim wrote:
| Firefox mobile did hang when trying to download, but after pressing cancel the image was downloaded and viewable in my gallery app.
| kuu wrote:
| Same here
| [deleted]
| alias-dev wrote:
| This does create a self inflicted Slowloris attack on the server hosting the image, so this site is probably more susceptible to the hug of death than most
| meow_mix wrote:
| How to download this image:
|
| 1. Open Inspect (right click and hit "inspect")
|
| 2. Click the "Network" tab
|
| 3. Refresh the page (while clearing the cache Command+Shift+R)
|
| 4. Right click on "lisa.jpg" in the list view under the "Network" tab
|
| 5. Click "Open in new tab"
|
| 6. Right click the image on the new tab
|
| 7. Click "Save image as"
|
| Man I can't believe these clowns (or myself for typing all this out--don't know who is worse)
| hoten wrote:
| What actually works: take a snapshot of the element via the Elements panel.
| Mogzol wrote:
| Did you even try this before posting? These steps are no different than just right-clicking the image and choosing "Save image as". It still results in a download that never finishes.
| alpaca128 wrote:
| _Inspect > Copy > Image Data-URL_ works perfectly fine in Firefox.
| scoopertrooper wrote:
| Did you even read the page?
| There's no reason to think that this approach would work.
| ReleaseCandidat wrote:
| Koan of the day: Can you download something that doesn't load?
| causi wrote:
| _When you usually try to download an image, your browser opens a connection to the server and sends a GET request asking for the image._
|
| I'm not a web designer, but that seems rather ass-backwards. I'm already looking at the image, therefore the image is already residing either in my cache or in my RAM. Why is it downloaded a second time instead of just being copied onto my drive?
| oefrha wrote:
| You can totally "download" the image in your RAM by right clicking / long pressing -> "copy image" or equivalent in most browsers. It's just not going to be a byte by byte identical file, and may be in a different format, e.g. you get a public.tiff on the clipboard when you copy an image from Chrome or Safari on macOS, even if the source image is an image/svg+xml.
| Tuna-Fish wrote:
| Oh no, it's still downloading the one it's displaying on screen. You can even see a spinny thing as the icon of the tab on Chrome.
|
| The format allows for showing images when they are partially downloaded, and also allows pushing data that doesn't actually change the image.
| netizen-936824 wrote:
| Okay? So we still seem to have an accurate representation of the image we want. Why can't I just download that and what's the point of the rest of the data. If we already are seeing the image, the rest of the data is pointless no?
| gipp wrote:
| Certainly so, yes. But your browser doesn't know that.
| chii wrote:
| but the browser doesn't know that the image is already done, and since there's still data coming in, the browser is obliged to continue downloading.
|
| you could right click, and copy image, rather than save as. It achieves what you wanted - save a copy of the image.
| paavohtl wrote:
| I don't know about browser internals, but I would guess that the browser decodes the image once into a format that can be shown on the page (so from PNG/JPG/WEBP into a RGBA buffer) and then discards the original file. This saves a bit of memory in 99.99% of cases when the image is not immediately saved afterwards.
| Aerroon wrote:
| I'm pretty sure it only discards the original after x number of other (new) images have been decoded. (Or perhaps it's memory footprint based?)
|
| I ran into a Chrome performance bug years ago with animations, because the animation had more frames than the decoded cache size. _Everything_ ground to a halt on the machine when it happened. Meanwhile older unoptimized browsers ran it just fine.
| mkl wrote:
| More likely the original file is saved in the browser cache. That's why it loads faster when you reload the page, and slower when you do a full reload by holding down shift. In Firefox you can see the files with about:cache, and find them in ~/.cache/mozilla/firefox/e1wkkyx3.default/cache2/entries/ or similar (they have weird names with no extension, but the file command will identify them, in their original format). In Chrome they're packed into files with metadata like the URL at the start. You can extract the original file by looking at a file in the cache folder [1] and snipping the header off (you can guess where it is by looking at the file contents with xxd or a hex editor).
|
| More info (and link to a Windows viewer tool) here: https://stackoverflow.com/questions/6133490/how-can-i-read-c...
|
| [1] For me on Linux, Chrome's is ~/.cache/google-chrome/Default/Cache/
| ghusbands wrote:
| One cool related thing is that (I believe) modern graphics cards (even Intel) can store and use JPG blocks directly from GPU memory, so it's not necessarily beneficial in the long term to convert to RGBA in advance.
| Though I think no modern browser actually does this, especially given how power-cheap decoding jpeg (with SIMD) already is and how likely it is that gpu bugs would interfere.
| plekter wrote:
| I don't think they can use jpg directly, that would be a waste of transistors given that the graphics world use other compression formats like etc1, bc, astc and so on.
|
| It is however perfectly possible to decode blocks of JPG on a GPU by using shader code.
| causi wrote:
| Interesting if that is the explanation. I wonder if any browsers offer a "privacy mode" where the original images are saved, thereby preventing the server from knowing which specific images you chose to save and were therefore interested in. I wonder how often that information is logged, and whether those logs, if they exist, have ever been put to a purpose such as in a court case.
| forgotmypw17 wrote:
| This used to be common behavior, but changed over time in most browsers.
|
| Your guess is as good as mine as to why.
| masswerk wrote:
| As far as I remember from a previous project from a few years ago, the browser doesn't include a referrer for the download request, which can be used for a distinction. (You'll have to disable caching and E-Tags for this to work.)
|
| However, this is easily defeated by the use of the console: Select the sources tab, locate the image and simply drag-and-drop the image from there, which will use the local cache instance for the source. Works also with this site, at least with Safari.
| Omin wrote:
| > [...] which will use the local cache instance for the source
|
| I don't understand why browsers aren't always doing this. They already have the image, why redownload it?
| stiray wrote:
| I have problem understanding what problem is this solving?
|
| When the image is on my screen I can just screenshot it.
|
| This is a common problem, using something in insecure environment, that's why companies are going into such extents to encrypt movies on whole train from source to the display and even those are regularly dumped.
| dkersten wrote:
| And even if they figured out some DRM method to prevent screenshotting/screen recording, I can still point my phone camera at my monitor and capture it that way, if I really want to. There is always a way around whatever they try to do.
|
| If I can see it, I can make a copy of it.
| Aerroon wrote:
| But because they try the rest of us suffer the consequences of more expensive and slower hardware and all kinds of other problems.
| dkersten wrote:
| Yes. DRM always hurts the legitimate users more than the "pirates". Same with disabling right click or otherwise trying to prevent downloading images.
| cesarb wrote:
| > I can still point my phone camera at my monitor and capture it that way
|
| Back in the late 1990s/early 2000s (this was so long ago that I cannot quickly find a reference), there were proposals to require all non-professional audio and video recorders to detect a watermark and disable recording when one was found. Needless to say this was a terrible idea, for several reasons.
| gipp wrote:
| It's not "solving" anything, just demonstrating an interesting gimmick
| spiderice wrote:
| Definitely a gimmick. Interesting might be a bit of a stretch
| countmora wrote:
| I chuckled about this. However you can drag and drop it to your Desktop on macOS.
| soheil wrote:
| Works fine with _wget_ it just keeps hanging but if you CTRL+C it and open the file it'll look fine.
|
| The trick is to have nginx never timeout and just indefinitely hang after the image is sent. The browser renders whatever image data it has received as soon as possible even though the request is never finished.
| However, when saving the image the browser never finalizes writing to the temp file so it thinks there is more data coming and never renames the temp file to the final file name.
| CyberShadow wrote:
| The site does not send a Content-Type header for the main web page, so I get a download dialog when trying to open it.
| dibeneditto wrote:
| In Chrome, Right-Click on Image - Inspect - Right-Click on <img src="lisa.jpg" alt="Mona Lisa"> Tag - Capture node screenshot - Save
| mark_and_sweep wrote:
| I would have expected this to do something different, like rendering the image via WebGL (so it looks like an <img>, but isn't easily downloadable).
| neximo64 wrote:
| If you wait long enough it downloads.
| nicebill8 wrote:
| Drag and drop to Desktop on macOS works too.
| barelysapient wrote:
| Downloaded on my iPhone with a single tap.
| singularity2001 wrote:
| Downloaded on my mac with two clicks (FF): open in new tab, download
| busymom0 wrote:
| Worked on Safari (Mac) too by dragging and dropping into my downloads.
| earth2mars wrote:
| On Google Pixel there is a new feature where I can go to the recent app screen and it detects images to click on them to do Google Lens or save images or share image. I was able to save the image of size 506kb with 841x1252 1.1MP pic.
| zeeshanejaz wrote:
| `prt sc` anyone?
| donkarma wrote:
| 99% sure it said download, not screenshot
| quickthrower2 wrote:
| You can on iOS safari. No hacks/workarounds
| sam1r wrote:
| You can't download the code on github either.
|
| Because github is currently down.
| jcun4128 wrote:
| rare occurrence I imagine but good check to not have everything in one place
| marcelotournier wrote:
| iOS Safari saved the image in my photos, as any regular picture that I do a long tap on.
| wsinks wrote:
| On iOS, long press > add to photos
|
| I now have a photo of the Mona Lisa in my camera roll.
|
| I guess this is one of those things that wouldn't be as edgy with the actual mechanism stated. :)
| progman32 wrote:
| This is a perfect (if maybe unintentional) example of how to get help from otherwise disinterested technical folk: Make an obviously technically-incorrect claim as fact, and watch as an entire army comes out of the woodwork giving you technical evaluations :)
| manbart wrote:
| I'm aware of this phenomenon, but have never tested it (confidently posting something incorrect to get responses with the real answer). Has anyone here actually tried this? How did it work?
| [deleted]
| spondyl wrote:
| Anthony Bourdain used to find the best local cuisine by going onto message boards (anonymously I assume) and saying X is the best restaurant, only to receive a flood of recommendations
|
| https://archive.md/0UQsd: Ctrl + F for "nerd fury" to find where the claim starts
| userbinator wrote:
| People hate DRM. Thus everyone will work their hardest to bypass it.
| Andrew_nenakhov wrote:
| Cunningham's Law [1]: "the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer".
|
| [1]: https://meta.m.wikimedia.org/wiki/Cunningham%27s_Law
| codesections wrote:
| Though note that Cunningham disavows the law attributed to him:
|
| > Cunningham himself denies ownership of the law, calling it a "misquote that disproves itself by propagating through the internet."
|
| https://en.m.wikipedia.org/wiki/Ward_Cunningham
| Andrew_nenakhov wrote:
| His opinion on this matter is not of any importance, as confirmed by a great many people who have found an unlikely fame. Just ask Mrs. Streisand.
| can16358p wrote:
| I just simply long tapped on the image and tapped save to photos on my iPhone and it was saved.
| Hard_Space wrote:
| You really can't - the HN hug of death has killed it!
| jancsika wrote:
| Graceful nongradation
| teitoklien wrote:
| The image was dead in the first place, hence it cannot be downloaded or opened.
|
| That's the joke, I guess.
| smolder wrote:
| No, they DoS'd themselves with their "viewable but not save-as-able" technique. Leaving connections open will do that. The image is visible right now but the browser can't save what appears to be an incomplete file.
| html5web wrote:
| Downloaded on iPhone
| boublepop wrote:
| Yes I could. No issues. Save to photos on iPhone.
| tschesnok wrote:
| No one seems to mention that Chrome keeps spinning on the HTML load as well and eventually kills the image. This means the webpage itself is broken and fails to work. Not just the download. Soo.. this just does not work for anything..
| T0Bi wrote:
| It's definitely hard to download an image that doesn't load. :(
| growt wrote:
| Went to the download folder, renamed lisa.jpg.crdownload to lisa.jpg. Cancelled the download in the browser.
| dvh wrote:
| If I wanted a non-downloadable image I would make it from 1px wide/tall colored divs.
| MildlySerious wrote:
| Pretty sure that was actually used in emails at some point, just with tables, to get around email clients not loading images.
| Karellen wrote:
| Email clients generally don't load external images. The majority should still display images that are sent as part of a multipart/mixed message though, and those should take up significantly less space than thousands of divs/tds and color attributes.
| dorkwood wrote:
| I thought this is what it was going to be! Another method would be to generate a plane with the same number of vertices as pixels, store the pixel color values as an attribute, and then render the mesh to a canvas.
| dvh wrote:
| You can right-click canvas and save it as image.
| dorkwood wrote:
| Oh, you're right! I guess you'd have to disable the context menu too.
| alpaca128 wrote:
| Which doesn't help either because in the Inspect view you can just click "Screenshot node" on the HTML element.
| masswerk wrote:
| I actually used this to generate graphs in JS/HTML in the 1990s. :-)
| can16358p wrote:
| Out of curiosity, how was the performance (of course normalized to performance of that era)?
| masswerk wrote:
| Here's a somewhat older approach splitting charts into linear runs of 1x1 images, which has some statistics at the bottom of each chart:
|
| https://www.masswerk.at/demospace/relayWeb_en/chartset.htm
|
| (Or see https://www.masswerk.at/demospace/relayWeb_en/welcome.htm and select "charts". Total time for calculations and rendering was then in the about 1 sec range. The real problem for using this in production was that these charts could be printed on Windows with Postscript printers only. I think, this was eventually fixed in Windows 98 SE.)
| stevespang wrote:
| I just saved the image on full with no green - hah. No problem.
| [deleted]
| zImPatrick wrote:
| copy the not finished download file in your downloads folder (for me lisa.jpg.crdownload) and name it lisa.jpg
| unfocused wrote:
| Just wrote the same. Didn't see your comment early. So really, you can absolutely download this image!
| dillondoyle wrote:
| Another idea is canvas: https://jsfiddle.net/dvg45pcz/
|
| But I don't know how to get it to not appear in network sources.
|
| Or wasm but I don't know how to write that.
| brodock wrote:
| You could likely pack and unpack from websockets...
| cmaggiulli wrote:
| Does WebRTC show in the network console?
___________________________________________________________________
(page generated 2021-11-27 23:00 UTC)
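
The mechanism soheil describes (the whole image is sent, then the connection is held open) and chunkyks's remark about JPEG/ZIP concatenation can both be checked on a saved partial file such as lisa.jpg.crdownload. The following is an added example, not code from the thread or from the site: a Python walker that finds the image's own end-of-image marker and reports whatever follows it. All function names and the sample bytes are constructed for illustration; the sample is a valid marker sequence, not a decodable picture.

```python
import struct

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0-RST7 carry no length field
ZIP_EOCD = b"PK\x05\x06"                  # ZIP end-of-central-directory signature
EMPTY_ZIP = ZIP_EOCD + b"\x00" * 18       # constructed: smallest valid (empty) archive


def skip_scan(buf, pos):
    """Skip entropy-coded data after SOS; return offset of the next real marker."""
    while True:
        i = buf.find(b"\xff", pos)
        if i < 0 or i + 1 >= len(buf):
            return None                          # scan data still arriving
        nxt = buf[i + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed 0xFF or restart marker
            pos = i + 2
        elif nxt == 0xFF:                        # fill byte
            pos = i + 1
        else:
            return i


def jpeg_end_offset(buf):
    """Offset just past the image's own EOI, or None if it has not arrived yet."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while True:
        if pos + 1 >= len(buf):
            return None
        if buf[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(buf) and buf[pos] == 0xFF:
            pos += 1
        if pos >= len(buf):
            return None
        marker = buf[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(buf):
            return None
        (seglen,) = struct.unpack(">H", buf[pos:pos + 2])
        if seglen < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seglen          # jumps over APPn payloads, embedded thumbnails included
        if pos > len(buf):
            return None
        if marker == SOS:
            pos = skip_scan(buf, pos)
            if pos is None:
                return None


def inspect_download(buf):
    """Split a partial download into the finished image and any bytes after it."""
    end = jpeg_end_offset(buf)
    if end is None:
        return {"complete": False, "image": None, "trailing": 0, "zip_appended": False}
    tail = buf[end:]
    return {"complete": True, "image": buf[:end], "trailing": len(tail),
            "zip_appended": ZIP_EOCD in tail}


def segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample():
    """Constructed sample: APP1 holding a thumbnail's SOI/EOI, one scan, then EOI."""
    app1 = segment(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")
    sos = segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample()
    print(inspect_download(sample + b"\x00" * 10)["trailing"], "bytes after EOI")
    print("zip appended:", inspect_download(sample + EMPTY_ZIP)["zip_appended"])
```

Walking segment lengths matters because a plain search for the bytes FF D9 stops at the EOI of a thumbnail embedded in the EXIF segment, which would truncate the picture.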