Forum Discussion
Steve Borgwardt
May 02, 2017, Brass Contributor
Why are files in SiteCollectionImages in SharePoint Online (O365) anonymous for all tenants?
I just found that files of type images (.jpg, png) or .js files located in anyone's O365 tenant are served with no prompt for authentication. Just wondering if this was done for performance reason in publishing sites?
I tested uploading other documents like a .docx file, which then prompts for authentication. It appears to only affect the SiteCollectionImages doc library, and not the SiteCollectionDocuments library.
i.e. https://tenantName.sharepoint.com/SiteCollectionImages/mylogo.png is publicly accessible, no auth.
If this is by design, I think it would make sense to notify tenant admins when creating a SharePoint online site, that any image or JavaScript files would be exposed anonymously if you have the full URL of the asset.
Thanks
I suspect this is related in some way to something Chris O'Brien discovered long ago with regard to the assets that are served from SharePoint's BLOB cache (http://www.sharepointnutsandbolts.com/2009/05/optimization-blob-caching-and-http-304s.html). It's not a direct match, but consider the mechanisms in-play and whether or not you previously authenticated to the site and had BLOB cache assets served to you.
If someone wants to capture a browser trace (with Fiddler, a browser using dev tools, etc), I'd be happy to look at it and see if I could make heads or tails of it :-)
- Sean
- Deleted
I think this is nothing new, as the Style Library has the same issue/solution... everything you put in there is anonymously available.
- Matti Paukkonen, Iron Contributor
Can this be related to Office 365 CDN? On default configuration at least Style Library and Masterpage Gallery are set as public origins.
You can check public origins with "Get-SPOTenantCdnOrigins -CdnType Public"
https://technet.microsoft.com/en-us/library/mt790770.aspx
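An added PowerShell audit script, not posted by anyone in this thread, that runs the origin check Matti describes and then requests one asset URL with no credentials to see whether the tenant serves it anonymously. It assumes the SharePoint Online Management Shell module is installed, that you are a SharePoint admin of the tenant being audited, and that the tenant name and asset path (constructed here from the URL in the original question) are replaced with your own.

```powershell
# Added example (not from the thread): audit Office 365 public CDN origins and
# probe one asset URL anonymously. Assumes SharePoint Online Management Shell.
param(
    [Parameter(Mandatory)] [string] $TenantName,          # e.g. "contoso" (placeholder)
    [string] $AssetPath = "/SiteCollectionImages/mylogo.png"  # path from the original post
)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 1. Public CDN state and origins. With the CDN enabled, the default public
#    origins are */MASTERPAGE and */STYLE LIBRARY; anything else was added by an admin.
Write-Host "Public CDN enabled:"
Get-SPOTenantCdnEnabled -CdnType Public
$origins = @(Get-SPOTenantCdnOrigins -CdnType Public)
Write-Host "Public CDN origins:"
$origins | ForEach-Object { Write-Host "  $_" }
if ($origins | Where-Object { $_ -like '*SiteCollectionImages*' }) {
    Write-Host "NOTE: SiteCollectionImages is configured as a public CDN origin."
} else {
    Write-Host "SiteCollectionImages is NOT listed as a public CDN origin."
}

# 2. Anonymous probe: Invoke-WebRequest sends no browser cookies or tokens, so a
#    200 here means the asset is reachable without any authentication at all.
$assetUrl = "https://$TenantName.sharepoint.com$AssetPath"
try {
    $resp = Invoke-WebRequest -Uri $assetUrl -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    $status = [int]$resp.StatusCode
} catch {
    # 4xx and blocked redirects surface as exceptions; read the status from the response
    $errResp = $_.Exception.Response
    $status = if ($errResp) { [int]$errResp.StatusCode } else { -1 }
}

switch ($status) {
    200 { Write-Host "EXPOSED: $assetUrl is served with HTTP 200 to an unauthenticated client." }
    { $_ -in 301, 302, 401, 403 } { Write-Host "Protected: anonymous request got HTTP $status (login required)." }
    default { Write-Host "Inconclusive: anonymous request got HTTP $status; inspect manually." }
}
```

Run it against a file you uploaded yourself so the result is unambiguous; a 200 for an asset you never shared confirms the behaviour the thread describes.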
- Jesse Blick, Copper Contributor
I see this as well in all of my tenants. Has anyone gained any insight as to why this is the case?
I am also seeing this in my tenant and don't recall seeing this before. I have not done anything on the library and there is no declaration in permissions that it is available anonymously.
I just removed the unique permissions on the library and I'm still able to view the images in the library.
Hmm, that is a bit worrying.
I first hoped that you would have shared the library with an anonymous link, but I'm getting the same result on a new tenant.
This should not happen.