cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Direct link for file download

Direct link for file download

Ashu7878
Explorer | Level 3

Hello All,

I am new here and new to Dropbox integration. In my application we use chooser to select the files from end-user's dropbox account. When the user selects a file, the response contains a download url which is something like this - https://dl.dropboxusercontent.com/1/view/uziu191sh0ilvkq/Get%20Started%20with%20Dropbox.pdf

Now my problem is that, if this request is intercepted by someone and they change this url, it lets user to upload the the file from other source. This is wrong behaviour. I want to restrict user to upload files only from Dropbox. So wanted to know if the domain name used in above example ("dl.dropboxusercontent.com") will always be same irrespective of end-user's country. If this domain is same we can match this as a pattern in backend and discard all other requests. 

Has anyone faced this kind of problem before and any help on how to solve it would be helpful. 

Thank you in advance.  

8 Replies 8

Jane
Dropbox Staff
Hey @Ashu7878, welcome aboard! 
 
Following-up from what you’re describing us, I’m wondering whether your inquiry pertains to how you could integrate Dropbox with an app you’re developing or you’re referring to a specific integration that you’ve incorporated in your workflow. 
 
Would you mind clarifying this point for me, as this would lead us to the best next steps? 
 
Thanks in advance!

 


Jane
Community Moderator @ Dropbox
dropbox.com/support

 

Heart Did this post help you? If so please give it a Like below. 
:white_check_mark: Did this post fix your issue/answer your question? If so please press the 'Accept as Best Answer' button to help others find it.
:arrows_counterclockwise: Still stuck? Ask me a question! (
Questions asked in the community will likely receive an answer within 4 hours!)

Ashu7878
Explorer | Level 3

Hi Jane, 

Sorry for the confusion. I am referring to a specific dropbox integration that I have incorporated in the workflow. 

 

Jane
Dropbox Staff
Thank for clarifying @Ashu7878
 
As you mentioned that you’re using an existing integration with Dropbox, I’d appreciate it if you could specify which one it is in your next message. Are you using File Requests to collect the files by any chance? If so, then anyone with the link should be able to upload, however you can close it at any time when you'd like to stop receiving files. 
 
Incidentally, have you by any chance run into this issue? If that’s happened, I’d like to replicate & see if I’m getting the same results on my end, so it would be very helpful if you described me what’s led you to this in as much detail as possible. 
 
I look forward to hearing back from you!

 


Jane
Community Moderator @ Dropbox
dropbox.com/support

 

Heart Did this post help you? If so please give it a Like below. 
:white_check_mark: Did this post fix your issue/answer your question? If so please press the 'Accept as Best Answer' button to help others find it.
:arrows_counterclockwise: Still stuck? Ask me a question! (
Questions asked in the community will likely receive an answer within 4 hours!)

Ashu7878
Explorer | Level 3

Hi Jane, 

I am not using the File Requests integration. The integration is to download the files from Dropbox account. I am not sure what is the name of the integration as this is legacy code but we allow user to login to his dropbox account and select a file that he wishes to upload to our his account for our application. Once he selects a file from his dropbox account, I get direct download URL like this - https://dl.dropboxusercontent.com/1/view/uziu191sh0ilvkq/Get%20Started%20with%20Dropbox.pdf using which I download the file contents and upload to user's account. 

Please let me know if you have a support group alias where I can create a query for the issue we are facing. Our application has buisness integration with DropBox.

Thanks,

Aasawari

Rich
Super User II

@Jane, the integration that Ashu is referring to is Chooser.

@Ashu7878, you probably want to post this in the Developer section of the forums.

I'll move the thread over there.

Greg-DB
Dropbox Staff

@Ashu7878 Right now, the direct links returned by the Dropbox Chooser are always on dl.dropboxusercontent.com, but that isn't officially documented or guaranteed, so I can't promise that won't change. 

I'll pass this along as a request to officially document/guarantee that, but I can't say if or when that might be done.

Ashu7878
Explorer | Level 3

Hi Greg, 

The direct link domain is going to be same (which is dl.dropboxusercontent.com) for all the countries from where user accesses dropbox account or it will change? What I mean is if user accesses it from uk will it change to something like this - dl.dropboxusercontent.co.uk ? We have user's across globe who will be accessing this.

Also the problem I am trying to solve here is not about the domain name but more of how to verify that source of direct link is from DropBox in the request. If a malicious user intercepts the request and modifies the direct link in the request, a different file will be uploaded. 

I would love to know how some of other people here who use DropBox chooser have solved this kind of problem.

Greg-DB
Dropbox Staff

@Ashu7878 The domain is the same for all users from all countries. I just can't promise that it won't change in the future.

In general though, there isn't a way to verify the source of the link since it is shared locally in JavaScript in the client, and the client can't be trusted (since it is under the control of the user, who may or may not be malicious). If you have any general web security questions, I recommend reaching out to a security professional. 

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    Ashu7878 Explorer | Level 3
  • User avatar
    Rich Super User II
What do Dropbox user levels mean?