How do Friendica and Red allow me to view protected content on a friend's server currently? Particularly images that are embedded into my /network page?
I don't think that I have a good understanding, but I figured out that ?zrl=... is appended to the image URL by my own server. Then I guess the friend's server makes some request to my own server. I don't really get how authentication works from this point.
But does that mean that the image will probably not be visible the first time the user loads a page?
I did think about how this can be done in a way that images can be loaded immediately. Somehow my server must give my browser the permission to view images (or other resources) on my friend's server. So what about this:
My server and the friend's server have a shared secret. When the /network page is rendered, not only ?zrl=... is appended to every remote image, but also something like &permission=...&permission_signature=...
permission is a message like "Every browser possessing this signed permission is allowed to open a session on friend's server from 2012-09-30T11:09:35.444Z to 2012-09-30T12:09:35.444Z" (of course in a more efficient format), and permission_signature is the signature of this permission using the shared secret. If we use HMAC-SHA256 for the signature, the signature is only 32 bytes (or a few more if base64url-encoded), and it can be computed without much computing power.
When my browser loads the /network page, it hits the first remote image of my friend. The remote server will read the permission+signature, and if everything is okay, then it opens a normal PHP session for my browser, so that I can view protected content from now on.
Perhaps you already have a better solution for this problem, but I did not find any material... If not, what do you think?
basically "signature = sha256(message+shared_secret)"
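The following is an added, self-contained sketch of the proposal above (it is not code from Friendica, Red, or the original poster): the issuing server builds a time-bounded permission, signs it with HMAC-SHA256 over the shared secret as the post suggests in its HMAC variant (rather than a plain sha256 over message+secret), and appends zrl, permission and permission_signature to each remote image URL; the friend's server verifies the signature with a constant-time comparison and checks the validity window before it would open a session. The claim names (iss, aud, nbf, exp), the compact JSON encoding, the server names and the secret are all constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: both servers already hold this pairwise secret (constructed value).
SHARED_SECRET = b"constructed-shared-secret-between-the-two-servers"


def _b64url(data: bytes) -> str:
    """base64url without padding, safe to embed in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_permission(secret: bytes, issuer: str, audience: str, now: int, lifetime: int = 3600):
    """Build the 'permission' message and its HMAC-SHA256 signature (issuing side).

    The message names who issued it, which server it is valid for, and the
    validity window; the compact JSON form is the 'more efficient format'.
    """
    permission = {"iss": issuer, "aud": audience, "nbf": now, "exp": now + lifetime}
    message = json.dumps(permission, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(secret, message, hashlib.sha256).digest()  # 32 bytes
    return _b64url(message), _b64url(signature)


def sign_image_url(image_url: str, zrl: str, permission: str, signature: str) -> str:
    """Append zrl, permission and permission_signature to a remote image URL."""
    separator = "&" if "?" in image_url else "?"
    return image_url + separator + urlencode(
        {"zrl": zrl, "permission": permission, "permission_signature": signature}
    )


def verify_permission(secret: bytes, permission_b64: str, signature_b64: str, this_server: str, now: int):
    """Verify a presented permission (friend's side). Returns the claims or None.

    Order matters: check the MAC before trusting anything inside the message,
    then check that the permission was issued for this server and is in its window.
    """
    try:
        message = _b64url_decode(permission_b64)
        presented = _b64url_decode(signature_b64)
    except ValueError:
        return None
    expected = hmac.new(secret, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return None
    try:
        claims = json.loads(message)
        audience_ok = claims.get("aud") == this_server
        in_window = int(claims["nbf"]) <= now < int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    return claims if audience_ok and in_window else None


def accept_image_request(secret: bytes, requested_url: str, this_server: str, now: int) -> bool:
    """What the friend's server would do on the first image hit: parse the query,
    verify the permission, and (if it verifies) open a normal session for the browser."""
    query = parse_qs(urlparse(requested_url).query)
    permission = query.get("permission", [""])[0]
    signature = query.get("permission_signature", [""])[0]
    return verify_permission(secret, permission, signature, this_server, now) is not None


if __name__ == "__main__":
    # Constructed timestamps: 'now' on the issuing server is 1000, window is one hour.
    perm, sig = issue_permission(SHARED_SECRET, "https://my.example", "https://friend.example", now=1000)
    url = sign_image_url("https://friend.example/photo/abc.jpg", "https://my.example/profile/me", perm, sig)
    print(url)
    print("accepted:", accept_image_request(SHARED_SECRET, url, "https://friend.example", now=1500))
    print("expired:", accept_image_request(SHARED_SECRET, url, "https://friend.example", now=5000))
```

Because the signature is an HMAC over the whole message, changing any claim (the window, the audience) or presenting the token to a server that does not share the secret fails verification, and the friend's server learns nothing it needs from the permission until the MAC has checked out.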