Email thumbnail URL changed to googleusercontent.com in gmail


Problem description

I have a system where, whenever a user uploads an image, it sends an email to the registered user's Gmail. But in the email, I see something like this; the thumbnail is not viewable.

I inspected the element and found the src linked to this URL: https://ci5.googleusercontent.com/proxy/VI2cPXWhfKZEIarh-iyKNz1j9q7Ymh8ty4Yz19lXh82RjSlACBzS0aRajfIj913uXAsX2ylcLEDs5FBsj4cR9TcU75Pw5djdHx4htxdCAQxs_ue1Q1wi5TV43uLLBpigpjH1xN747mUHSRdTBJmXQWFyykInJCRXicM1KhNk=s0-d-e1-ft#https://www.somedomain.com/files/1658/thumbnail_71JtDozxS1L._SY450_.jpg

Obviously it is being cached by the Google proxy.

But I can view the image without Google user content, by accessing https://www.somedomain.com/files/1658/thumbnail_71JtDozxS1L._SY450_.jpg (I masked the domain, so the image might not be available to you).

I tried to clear the browser cache, but the problem still persists. How can I bypass the googleusercontent thingy, or at least make the thumbnail able to display?

I checked out this link, "Images not displayed for Gmail", but I'm not using localhost and the image itself is accessible outside of my local network.

Solution

How does Google Image Proxy work

The Google Image Proxy is a caching proxy server. Every time an image link is included in an email, the request goes to the Google Image Proxy first to see if it has been cached; if so, it should serve it up from the proxy, or it will go fetch it and cache it thereafter.

The solution for most issues

The Google Image Proxy server will fetch your images if these images:

  • have extensions like .png, .jpg/.jpeg or .gif only. May be .webp too. But not .svg.
  • do not use any kind of query string part in the image URL like ?id=123
  • have a URL which is mapped onto the image directly.
  • do not have a long name.

Requirements for image server:

  • The response from image server/proxy server must include the correct header like Content-Type: image/jpeg.
  • File extension and content-type header must be of the same type.
  • Status code in server response must be 200 instead of 403, 500, etc.

What could help too?

Google support answer:

Set up an image URL proxy whitelist

When your users open email messages, Gmail uses Google’s secure proxy servers to serve images that might be included in these messages. This protects your users and domain against image-based security vulnerabilities.

Because of the image proxy, links to images that are dependent on internal IPs and sometimes cookies are broken. The Image URL proxy whitelist setting lets you avoid broken links to images by creating and maintaining a whitelist of internal URLs that'll bypass proxy protection.

When you configure the Image URL proxy whitelist, you can specify a set of domains and a path prefix that can be used to specify large groups of URLs. See the guidelines below for examples.

Configure the Image URL proxy whitelist setting:

  • Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
  • From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings. Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
  • On the left, select your top-level organization.
  • Scroll to the Image URL proxy whitelist section.
  • Enter image URL proxy whitelist patterns. Matching URLs will bypass image proxy protection. See the guidelines below for more details and instructions.
  • At the bottom, click Save.

It can take up to an hour for changes to propagate to user accounts. You can track prior changes under Admin console audit log.

Guidelines for applying the Image URL proxy whitelist setting

Security considerations

Consult with your security team before configuring the Image URL proxy whitelist setting. The decision to bypass image proxy whitelist protection can expose your users and domain to security risks if not used with care.

In general, if you have a domain that needs authentication via cookie, and if that domain is controlled by an administrator within your organization and is completely trusted, then whitelisting that URL should not expose your domain to image-based attacks.

Important: Disabling the image proxy is not recommended. This option is available to provide flexibility for administrators, but disabling the image proxy can leave your users vulnerable to malicious attacks.

Entering Image URL patterns

To maintain a whitelist of internal URLs that'll bypass proxy protection, enter the image URL patterns in the Image URL proxy whitelist setting. Matching URLs will bypass the image proxy.

A pattern can contain the scheme, the domain, and a path. The pattern must always have a forward slash (/) present between the domain and path. If the URL pattern specifies a scheme, then the scheme and the domain must fully match. Otherwise, the domain can partially match the URL suffix. For example, the pattern google.com matches www.google.com, but not gle.com. The URL pattern can specify a path that's matched against the path prefix.

Important: Enter your actual domain name as you enter the image URL pattern. Always include a trailing forward slash (/) after the domain name.

Examples of Image URL patterns

The following patterns are examples only. The following patterns:

http://rule_fixed_scheme_domain.com/
rule_flex_scheme_domain.com/
rule_fixed_subpath.com/cgi-bin/

... will match the following URLs:

http://rule_fixed_scheme_domain.com/
http://rule_fixed_scheme_domain.com/test.jpg?foo=bar#frag
http://rule_fixed_scheme_domain.com
rule_flex_scheme_domain.com/
t.rule_flex_scheme_domain.com/test.jpg
http://t.rule_flex_scheme_domain.com/test.jpg
https://t.rule_flex_scheme_domain.com/test.jpg
http://rule_fixed_subpath.com/cgi-bin/
http://rule_fixed_subpath.com/cgi-bin/people

Note: The URL scheme (http://) is optional. If the scheme is omitted, the pattern can match any scheme, and allows partial matches on the domain suffix.

Previewing the image URL patterns

Click Preview to see if the URLs match the image URL patterns you've set. If the image URL matches a pattern, you'll see a confirmation message. If the image URL does not match, an error message appears.
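
A pre-send check for the answer's "solution for most issues" and "requirements for image server" lists, as an added example that is not part of the original answer: it pulls every img src out of an email body and flags URLs and responses the proxy is said not to fetch. The 64-character name limit, the sample HTML and the img.example.test host are assumptions made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Extensions the answer lists as fetched, with the Content-Type each should carry.
EXT_TO_TYPE = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".webp": "image/webp"}
MAX_NAME_LEN = 64  # assumed threshold; the answer only says "not a long name"

class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def lint_url(url):
    """Check the URL-side rules: extension, no query string, short name."""
    parts = urlsplit(url)
    name = posixpath.basename(parts.path)
    ext = posixpath.splitext(name)[1].lower()
    problems = []
    if ext not in EXT_TO_TYPE:
        problems.append("extension %r is not png/jpg/jpeg/gif/webp" % ext)
    if parts.query:
        problems.append("URL has a query string")
    if len(name) > MAX_NAME_LEN:
        problems.append("file name longer than %d characters" % MAX_NAME_LEN)
    return problems

def lint_response(url, status, content_type):
    """Check the server-side rules: status 200 and Content-Type matching the extension."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    media = (content_type or "").split(";")[0].strip().lower()
    problems = []
    if status != 200:
        problems.append("status %d instead of 200" % status)
    if ext in EXT_TO_TYPE and media != EXT_TO_TYPE[ext]:
        problems.append("Content-Type %r does not match %s" % (media, ext))
    return problems

def lint_email_html(html):
    """Map each image URL found in the email body to its list of URL problems."""
    collector = ImgSrcCollector()
    collector.feed(html)
    return {src: lint_url(src) for src in collector.sources}

# Constructed sample email body.
SAMPLE_HTML = ('<p>New upload</p><img src="https://img.example.test/files/1658/thumb.jpg">'
               '<img src="https://img.example.test/thumb.php?id=123">'
               '<img src="https://img.example.test/logo.svg">')
```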
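
A model of the matching rules quoted under "Entering Image URL patterns", as an added example that is not Google's code or part of the original answer: it lets a reviewer list which URLs a proposed whitelist pattern would let past the image proxy before the pattern is saved. The function names are made up here, and reading "partially match the URL suffix" as a plain string-suffix test on the host is an assumption.

```python
import re
from urllib.parse import urlsplit

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")

def parse_pattern(pattern):
    """Split a whitelist pattern into (scheme or None, domain, path prefix)."""
    m = SCHEME_RE.match(pattern)
    scheme = m.group(1).lower() if m else None
    rest = pattern[m.end():] if m else pattern
    domain, slash, path = rest.partition("/")
    if not domain or not slash:
        # The page requires a "/" between domain and path; an empty domain
        # would suffix-match every host, so reject that as well.
        raise ValueError("pattern must look like [scheme://]domain/[path]: %r" % pattern)
    return scheme, domain.lower(), "/" + path

def split_url(url):
    """Return (scheme or None, host, path); the URL may omit its scheme."""
    m = SCHEME_RE.match(url)
    parts = urlsplit(url if m else "//" + url)
    # .hostname drops userinfo and port, so only the real host is compared.
    return (m.group(1).lower() if m else None), (parts.hostname or "").lower(), parts.path or "/"

def bypasses_proxy(pattern, url):
    """True if url matches pattern under the rules quoted above."""
    p_scheme, p_domain, p_path = parse_pattern(pattern)
    u_scheme, u_host, u_path = split_url(url)
    if p_scheme is not None:
        # Scheme present: scheme and domain must fully match.
        if (u_scheme, u_host) != (p_scheme, p_domain):
            return False
    elif not u_host.endswith(p_domain):
        # No scheme: any scheme, domain matched as a suffix of the host. The page
        # does not say whether the match stops at a dot; this model takes the
        # broader reading, the cautious one when reviewing what a pattern admits.
        return False
    return u_path.startswith(p_path)

def audit(patterns, urls):
    """Map each URL to the patterns that would let it skip the image proxy."""
    return {u: [p for p in patterns if bypasses_proxy(p, u)] for u in urls}
```

Run audit() over the image URLs your mail actually uses plus a few that must stay proxied; any unexpected non-empty list means the pattern is wider than intended.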
