Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
Hello All,
I am new here and new to Dropbox integration. In my application we use the Chooser to select files from the end-user's Dropbox account. When the user selects a file, the response contains a download URL, which is something like this - https://dl.dropboxusercontent.com/1/view/uziu191sh0ilvkq/Get%20Started%20with%20Dropbox.pdf
Now my problem is that, if this request is intercepted by someone and they change this URL, it lets the user upload the file from another source. This is wrong behaviour. I want to restrict the user to uploading files only from Dropbox. So I wanted to know if the domain name used in the above example ("dl.dropboxusercontent.com") will always be the same irrespective of the end-user's country. If this domain is the same, we can match it as a pattern in the backend and discard all other requests.
Has anyone faced this kind of problem before? Any help on how to solve it would be helpful.
Thank you in advance.
Jane
Community Moderator @ Dropbox
dropbox.com/support
Did this post help you? If so please give it a Like below.
Did this post fix your issue/answer your question? If so please press the 'Accept as Best Answer' button to help others find it.
Still stuck? Ask me a question! (Questions asked in the community will likely receive an answer within 4 hours!)
Hi Jane,
Sorry for the confusion. I am referring to a specific Dropbox integration that I have incorporated in the workflow.
Hi Jane,
I am not using the File Requests integration. The integration is to download files from a Dropbox account. I am not sure what the name of the integration is, as this is legacy code, but we allow the user to log in to his Dropbox account and select a file that he wishes to upload to his account for our application. Once he selects a file from his Dropbox account, I get a direct download URL like this - https://dl.dropboxusercontent.com/1/view/uziu191sh0ilvkq/Get%20Started%20with%20Dropbox.pdf - using which I download the file contents and upload them to the user's account.
Please let me know if you have a support group alias where I can create a query for the issue we are facing. Our application has a business integration with Dropbox.
Thanks,
Aasawari
@Ashu7878 Right now, the direct links returned by the Dropbox Chooser are always on dl.dropboxusercontent.com, but that isn't officially documented or guaranteed, so I can't promise that won't change.
I'll pass this along as a request to officially document/guarantee that, but I can't say if or when that might be done.
Hi Greg,
Is the direct link domain going to be the same (which is dl.dropboxusercontent.com) for all the countries from where a user accesses a Dropbox account, or will it change? What I mean is, if a user accesses it from the UK, will it change to something like this - dl.dropboxusercontent.co.uk? We have users across the globe who will be accessing this.
Also, the problem I am trying to solve here is not about the domain name but more about how to verify in the request that the source of the direct link is Dropbox. If a malicious user intercepts the request and modifies the direct link in the request, a different file will be uploaded.
I would love to know how some of the other people here who use the Dropbox Chooser have solved this kind of problem.
@Ashu7878 The domain is the same for all users from all countries. I just can't promise that it won't change in the future.
In general though, there isn't a way to verify the source of the link since it is shared locally in JavaScript in the client, and the client can't be trusted (since it is under the control of the user, who may or may not be malicious). If you have any general web security questions, I recommend reaching out to a security professional.
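The backend host check discussed in this thread, as an added example that is not part of any post above and is not Dropbox's code. It assumes the allowlist holds the single host named in the thread and keeps it as configuration because that host is not guaranteed; `validate_chooser_link`, `is_allowed` and `RejectedLink` are hypothetical names.

```python
from urllib.parse import urlsplit

# Assumption: the one host the thread says Chooser direct links use today.
# Kept as configuration because the thread says it is not guaranteed.
ALLOWED_HOSTS = frozenset({"dl.dropboxusercontent.com"})


class RejectedLink(ValueError):
    """Raised when a client-supplied link fails the allowlist check."""


def validate_chooser_link(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the URL unchanged if it may be fetched, else raise RejectedLink."""
    # Reject characters that URL parsers and HTTP clients treat differently.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in url):
        raise RejectedLink("whitespace, control character or backslash in URL")
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise RejectedLink(f"unparseable URL: {exc}") from exc
    if parts.scheme != "https":
        raise RejectedLink("scheme must be https")
    # 'allowed-host@other-host' puts the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        raise RejectedLink("userinfo not allowed")
    if port not in (None, 443):
        raise RejectedLink("unexpected port")
    host = parts.hostname or ""
    # Exact match only: prefix, suffix or substring tests accept look-alikes.
    if host not in allowed_hosts:
        raise RejectedLink(f"host {host!r} is not allowlisted")
    return url


def is_allowed(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_chooser_link(url)
        return True
    except RejectedLink:
        return False
```

Fetch the validated URL server-side with redirects disabled or re-validated on every hop. The check shows only that the file is served from the allowlisted host, not which file the user picked, since the link still arrives from an untrusted client.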