Inline linking

Last updated January 25, 2024

Inline linking (also known as hotlinking, leeching, piggy-backing, direct linking, offsite image grabs) is the use of a linked object, often an image, on one site by a web page belonging to a second site. One site is said to have an inline link to the other site where the object is located.

Inline linking and HTTP

The technology behind the World Wide Web, the Hypertext Transfer Protocol (HTTP), does not make any distinction of types of links—all links are functionally equal. Resources may be located on any server at any location.

When a website is visited, the browser first downloads the textual content in the form of an HTML document. The downloaded HTML document may call for other HTML files, images, scripts and/or stylesheet files to be processed. These files may contain <img> tags which supply the URLs which allow images to display on the page. The HTML code generally does not specify a server, meaning that the web browser should use the same server as the parent code (<img src="picture.jpg" />). It also permits absolute URLs that refer to images hosted on other servers (<img src="http://www.example.com/picture.jpg" />).

When a browser downloads an HTML page containing such an image, the browser will contact the remote server to request the image content.

Common uses of linked content

The ability to display content from one site within another is part of the original design of the Web's hypertext medium. Common uses include:

It is copyright infringement to make copies of a work for which the person making copies has no license, but there is no infringement when the re-user provides a simple text link within an HTML document that points to the location of the original image or file (simply called a "link").^[1]
Web architects may deliberately segregate the images of a site on one server or a group of servers. Hosting images on separate servers allows the site to divide the bandwidth requirements between servers. As an example, the high-volume site Slashdot stores its "front page" at slashdot.org, individual stories on servers such as games.slashdot.org or it.slashdot.org, and serves images for each host from images.slashdot.org.
An article on one site may choose to refer to copyrighted images or content on another site via inline linking, which may avoid rights and ownership issues that copying the original files could raise. However, this practice is generally discouraged due to resulting bandwidth loading of the source, and the source provider is often offended because the viewer is not seeing the whole original page, which provides the intended context of the image.
Many web pages include banner ads. Banner ads are images hosted by a company that acts as middleman between the advertisers and the websites on which the ads appear. The <img> tag may specify a URL to a CGI script on the ad server, including a string uniquely identifying the site producing the traffic, and possibly other information about the person viewing the ad, previously collected and associated with a cookie. The CGI script determines which image to send in response to the request.
Some websites hotlink from a faster server to increase client loading speed.
Hit counters or Web counters show how many times a page has been loaded. Several companies provide hit counters that are maintained off site and displayed with an inline link.

Controversial uses of inline linking

The blurring of boundaries between sites can lead to other problems when the site violates users' expectations. Other times, inline linking can be done for malicious purposes.

Content sites where the object is stored and from which it is retrieved may not like the new placement.
Inline linking to an image stored on another site increases the bandwidth use of that site even though the site is not being viewed as intended. The complaint may be the loss of ad revenue or changing the perceived meaning through an unapproved context.
Cross-site scripting and phishing attacks may include inline links to a legitimate site to gain the confidence of a victim.
Pay-per-content services may attempt to restrict access to their content through complex scripting and inline linking techniques.
Inline objects can be used to perform drive-by attacks on the client, exploiting faults in the code that interprets the objects. When an object is stored on an external server, the referring site has no control over if and when an originally beneficial object's content is replaced by malicious content.
The requests for inline objects usually contain the referrer information. This leaks information about the browsed pages to the servers hosting the objects (see web visitor tracking).

Prevention

Client side

Most web browsers will blindly follow the URL for inline links, even though it is a frequent security complaint.^[2] Embedded images may be used as a web bug to track users or to relay information to a third party. Many ad filtering browser tools will restrict this behavior to varying degrees.

Server side

Some servers are programmed to use the HTTP referer header to detect hotlinking and return a condemnatory message, commonly in the same format, in place of the expected image or media clip. Most servers can be configured to partially protect hosted media from inline linking, usually by not serving the media or by serving a different file.^[3]^[4]

URL rewriting is often used (e.g., mod_rewrite with Apache HTTP Server) to reject or redirect attempted hotlinks to images and media to an alternative resource. Most types of electronic media can be redirected this way, including video files, music files, and animations (such as Flash).

Other solutions usually combine URL rewriting with some custom complex server side scripting to allow hotlinking for a short time, or in more complex setups, to allow the hotlinking but return an alternative image with reduced quality and size and thus reduce the bandwidth load when requested from a remote server. All hotlink prevention measures risk deteriorating the user experience on the third-party website.^[5]

Copyright issues raised by inline linking

The most significant legal fact about inline linking, relative to copyright law considerations, is that the inline linker does not place a copy of the image file on its own Internet server. Rather, the inline linker places a pointer on its Internet server that points to the server on which the proprietor of the image has placed the image file. This pointer causes a user's browser to jump to the proprietor's server and fetch the image file to the user's computer. US courts have considered this a decisive fact in copyright analysis. Thus, in Perfect 10, Inc. v. Amazon.com, Inc. ,^[6] the United States Court of Appeals for the Ninth Circuit explained why inline linking did not violate US copyright law:

Google does not...display a copy of full-size infringing photographic images for purposes of the Copyright Act when Google frames in-line linked images that appear on a user’s computer screen. Because Google’s computers do not store the photographic images, Google does not have a copy of the images for purposes of the Copyright Act. In other words, Google does not have any “material objects...in which a work is fixed...and from which the work can be perceived, reproduced, or otherwise communicated” and thus cannot communicate a copy. Instead of communicating a copy of the image, Google provides HTML instructions that direct a user’s browser to a website publisher’s computer that stores the full-size photographic image. Providing these HTML instructions is not equivalent to showing a copy. First, the HTML instructions are lines of text, not a photographic image. Second, HTML instructions do not themselves cause infringing images to appear on the user’s computer screen. The HTML merely gives the address of the image to the user’s browser. The browser then interacts with the computer that stores the infringing image. It is this interaction that causes an infringing image to appear on the user’s computer screen. Google may facilitate the user’s access to infringing images. However, such assistance raised only contributory liability issues and does not constitute direct infringement of the copyright owner’s display rights. ...While in-line linking and framing may cause some computer users to believe they are viewing a single Google webpage, the Copyright Act...does not protect a copyright holder against [such] acts....

Related Research Articles

In computer science, transclusion is the inclusion of part or all of an electronic document into one or more other documents by reference via hypertext. Transclusion is usually performed when the referencing document is displayed, and is normally automatic and transparent to the end user. The result of transclusion is a single integrated document made of parts assembled dynamically from separate sources, possibly stored on different computers in disparate places.

<span class="mw-page-title-main">World Wide Web</span> Linked hypertext system on the Internet

The World Wide Web is an information system that enables content sharing over the Internet through user-friendly ways meant to appeal to users beyond IT specialists and hobbyists. It allows documents and other web resources to be accessed over the Internet according to specific rules of the Hypertext Transfer Protocol (HTTP).

In computing, a hyperlink, or simply a link, is a digital reference to data that the user can follow or be guided to by clicking or tapping. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text with hyperlinks. The text that is linked from is known as anchor text. A software system that is used for viewing and creating hypertext is a hypertext system, and to create a hyperlink is to hyperlink. A user following hyperlinks is said to navigate or browse the hypertext.

In HTML and XHTML, an image map is a list of coordinates relating to a specific image, created in order to hyperlink areas of the image to different destinations. For example, a map of the world may have each country hyperlinked to further information about that country. The intention of an image map is to provide an easy way of linking various parts of an image without dividing the image into separate image files.

In the context of the World Wide Web, deep linking is the use of a hyperlink that links to a specific, generally searchable or indexed, piece of web content on a website, rather than the website's home page. The URL contains all the information needed to point to a particular item. Deep linking is different from mobile deep linking, which refers to directly linking to in-app content using a non-HTTP URI.

An HTML element is a type of HTML document component, one of several types of HTML nodes. The first used version of HTML was written by Tim Berners-Lee in 1993 and there have since been many versions of HTML. The current de facto standard is governed by the industry group WHATWG and is known as the HTML Living Standard.

In computer networks, download means to receive data from a remote system, typically a server such as a web server, an FTP server, an email server, or other similar systems. This contrasts with uploading, where data is sent to a remote server.

Fusker is a type of website or utility that extracts images in bulk from a website by systematically loading and downloading images following a pattern in the website's URL scheme. Fusking or fuskering is often used to extract private and nude photos without consent of the owner.

In the context of a web browser, a frame is a part of a web page or browser window which displays content independent of its container, with the ability to load content independently. The HTML or media elements in a frame may come from a web site distinct from the site providing the enclosing content. This practice, known as framing, is today often regarded as a violation of same-origin policy.

Link prefetching allows web browsers to pre-load resources. This speeds up both the loading and rendering of web pages. Prefetching was first introduced in HTML5.

A dynamic web page is a web page constructed at runtime, as opposed to a static web page, delivered as it is stored. A server-side dynamic web page is a web page whose construction is controlled by an application server processing server-side scripts. In server-side scripting, parameters determine how the assembly of every new web page proceeds, and including the setting up of more client-side processing. A client-side dynamic web page processes the web page using JavaScript running in the browser as it loads. JavaScript can interact with the page via Document Object Model (DOM), to query page state and modify it. Even though a web page can be dynamic on the client-side, it can still be hosted on a static hosting service such as GitHub Pages or Amazon S3 as long as there is not any server-side code included.

A web accelerator is a proxy server that reduces website access time. They can be a self-contained hardware appliance or installable software.

An image hosting service allows individuals to upload images to an Internet website. The image host will then store the image onto its server, and show the individual different types of code to allow others to view that image. Some examples are Flickr, Imgur, and Photobucket.

In HTTP, "Referer" is an optional HTTP header field that identifies the address of the web page, from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated.

Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 was a case in the United States Court of Appeals for the Ninth Circuit involving a copyright infringement claim against Amazon.com, Inc. and Google, Inc., by the magazine publisher Perfect 10, Inc. The court held that framing and hyperlinking of original images for use in an image search engine constituted a fair use of Perfect 10's images because the use was highly transformative, and thus not an infringement of the magazine's copyright ownership of the original images.

In copyright law, the legal status of hyperlinking and that of framing concern how courts address two different but related Web technologies. In large part, the legal issues concern use of these technologies to create or facilitate public access to proprietary media content — such as portions of commercial websites. When hyperlinking and framing have the effect of distributing, and creating routes for the distribution of content (information) that does not come from the proprietors of the Web pages affected by these practices, the proprietors often seek the aid of courts to suppress the conduct, particularly when the effect of the conduct is to disrupt or circumvent the proprietors' mechanisms for receiving financial compensation.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

Agora was a World Wide Web email browser and was a proof of concept to help people to use the full internet. Agora was an email-based web browser designed for non-graphic terminals and to help people without full access to the internet such as in developing countries or without a permanent internet connection. Similar to W3Gate, Agora was a server application designed to fetch HTML documents through e-mail rather than http.

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

A web beacon is a technique used on web pages and email to unobtrusively allow checking that a user has accessed some content. Web beacons are typically used by third parties to monitor the activity of users at a website for the purpose of web analytics or page tagging. They can also be used for email tracking. When implemented using JavaScript, they may be called JavaScript tags.

References

↑ Mike Masnick (6 January 2010). "Is Inline Linking To An Image Copyright Infringement?". Techdirt. Retrieved 2014-02-15.
↑ Thomas C Greene (2007-02-20). "Vista Security Oversold". theregister.co.uk. Retrieved 2007-11-16.
↑ Ross Shannon (2007-02-26). "Bandwidth Theft". yourhtmlsource.com. Retrieved 2007-11-16. Some webmasters will try to directly link to your images from their pages. Luckily, a simple configuration change provides the necessary fix.
↑ Thomas Scott (2004-07-13). "Smarter Image Hotlinking Prevention". alistapart.com. Retrieved 2007-11-16.
↑ Aleksandersen, Daniel. "Image quality degradation as a hotlink prevention measure and deterrent". Slight Future. Retrieved 1 September 2016.
↑ 487 F.3d 701 (9th Cir. 2007).

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Mike Masnick (6 January 2010). "Is Inline Linking To An Image Copyright Infringement?". Techdirt. Retrieved 2014-02-15.

[2] Thomas C Greene (2007-02-20). "Vista Security Oversold". theregister.co.uk. Retrieved 2007-11-16.

[3] Ross Shannon (2007-02-26). "Bandwidth Theft". yourhtmlsource.com. Retrieved 2007-11-16. Some webmasters will try to directly link to your images from their pages. Luckily, a simple configuration change provides the necessary fix.

[4] Thomas Scott (2004-07-13). "Smarter Image Hotlinking Prevention". alistapart.com. Retrieved 2007-11-16.

[5] Aleksandersen, Daniel. "Image quality degradation as a hotlink prevention measure and deterrent". Slight Future. Retrieved 1 September 2016.

[6] 487 F.3d 701 (9th Cir. 2007).

[1]

[2]

[3]

[4]

[5]

[6]