cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Chooser and security

Chooser and security

sanjayssk
Helpful | Level 6
Go to solution

I'm a beginner but am now using the Chooser API successfully from a Web app. But I'm concerned about the security of the link obtained. Your description of the returned link is too short and doesn't say anything about security. It says 2 types of links are returned, first is shared and the second is a download, valid for 4 hours. Does it mean, these links then become open to all who get their address? As a user of the web app I would assume that when I opens a file to process in my web app, it's available only to the Web App and to no one else except to myself via regular dropbox access from other sources. Please clarify the security risk of the file chosen so that I can make a decision whether it's safe to use for the users of my web app.

 

Thanks.

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution
Yes, the shared links returned by the Chooser are the same kind of shared link as used by the general shared link feature in Dropbox:

https://www.dropbox.com/help/files-folders/view-only-access

That allows anyone with the link to access the shared content. Users can always revoke these shared links from the web site:

https://www.dropbox.com/share/links

Hope this helps!

View solution in original post

3 Replies 3

Greg-DB
Dropbox Staff
Go to solution
Yes, the shared links returned by the Chooser are the same kind of shared link as used by the general shared link feature in Dropbox:

https://www.dropbox.com/help/files-folders/view-only-access

That allows anyone with the link to access the shared content. Users can always revoke these shared links from the web site:

https://www.dropbox.com/share/links

Hope this helps!

sanjayssk
Helpful | Level 6
Go to solution

Hi Greg,

 

Thanks for replying promptly. 

 

A few related questions:

1) I thought specifying the Chooser/Saver domain for the App Settings will only make the file available to that domain. Is that true at least for the second type of "download" URL that expires in 4 hours? Or is that also available from anywhere for download?

 

2) BUG: Also when I click on the Links (www.dropbox.com/share/links) to see what links are now exposed, it's just stuck on wait cursor for a long time, over 15 minutes now. Seems like a bug.

 

I think when Web Apps use this feature, they are exposing a security risk for the end user where the user is unaware that private files may be exposed via links. At least the chooser dialog should give a prominent warning.

 

 

 

Thanks.

 

Greg-DB
Dropbox Staff
Go to solution
1) No, the Chooser/Saver domains specify which domains can use your app key for the Chooser/Saver. That does not affect the resulting links.

2) That sounds like an issue with the web site. Please open a ticket here for help with that:

https://www.dropbox.com/support

And thanks for the feedback!
Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    sanjayssk Helpful | Level 6
What do Dropbox user levels mean?