> Unlike GitHub, most of them don't even bother proxying the image to hide IP, referrer, and browser agent. If you want to allow external images on your site, you must proxy them and hide everything about a person who requested it.
> A person with bad intentions can trick a victim into opening your profile that looks completely legit and detect his IP and browser.
Can you explain this in more detail? Given a profile host that doesn't proxy, how does that attack work?
1. your browser opens the image from the external server (in this step the server gets your IP and potentially your user agent, as that's how browsers communicate with servers)
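The mitigation the quoted comment calls for (route every external image through a proxy so the image host only ever sees the proxy, never the visitor's IP, referrer or user agent), as an added example that is not code from this thread or from GitHub's own proxy; the proxy host `img-proxy.example` and the shared signing secret are placeholders:

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed placeholders: the proxy host and the HMAC key it shares with
# the page renderer. In production the key is a real, rotated secret.
PROXY_BASE = "https://img-proxy.example/"
PROXY_SECRET = b"replace-with-a-real-secret"

# What the proxy sends upstream, for every visitor alike. The visitor's own
# User-Agent, Referer, Cookie and address never leave our infrastructure.
UPSTREAM_HEADERS = {"User-Agent": "profile-image-proxy/1.0", "Accept": "image/*"}

def sign(url):
    """HMAC the upstream URL so the proxy only fetches URLs the renderer emitted."""
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()

def proxy_url(src):
    """Proxied URL for an external image, or None if src is not plain http(s)
    (data:, javascript:, file: and scheme-less values are refused)."""
    parts = urlparse(src)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{PROXY_BASE}{sign(src)}/{src.encode().hex()}"

def rewrite_html(html):
    """Renderer side: point every <img src=...> in profile HTML at the proxy.
    An image that cannot be proxied is dropped, never left as a direct link."""
    def repl(m):
        proxied = proxy_url(m.group(2))
        return f"{m.group(1)}{proxied}{m.group(3)}" if proxied else ""
    return re.sub(r'(<img\b[^>]*\bsrc=")([^"]*)("[^>]*>)', repl, html)

def build_upstream_request(path, client_headers):
    """Proxy side: verify the signed path and return (upstream_url, headers)
    to fetch with, or None for anything the renderer did not sign.
    client_headers is deliberately ignored: nothing from the visitor is forwarded.
    Not shown: also refuse hosts that resolve to loopback or private ranges."""
    try:
        _, digest, hexurl = path.split("/", 2)
        url = bytes.fromhex(hexurl).decode()
    except ValueError:
        return None
    if not hmac.compare_digest(digest, sign(url)):
        return None
    return url, dict(UPSTREAM_HEADERS)
```

The signature means a third party cannot use the proxy as an open relay; it does not by itself stop a profile owner from pointing it at an internal address, which is why the fetch side must still filter destinations.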