While creating ViPR, I became aware that there is a potential for abuse of this technology, believe it or not! [Feigned look of horror.] Milan Negovan recently raised this issue in a blog post titled "Don't Let Your Site Get Framed".
Really. There are folks out there that might want to generate text-on-the-fly and not use their own installation of Vine Type. Milan has a name for these folks that I won't repeat here. They might use, for instance, your installation, or mine in this case, since I haven't released a ViPR-enabled Vine Type yet. (0.99 coming soon, folks, honest.)
People could craft pages and display text images on their site that were generated by your site. Not naming names here, but I did visit a site recently where this practice was actually occurring. I'm not sure if the blog owner has an agreement with the other domain generating the text images or not. Perhaps I'll ask him at SxSW.
Anyway, Vine Type as it existed a week ago permitted crafting image source paths (this is called URL spoofing) in such a manner that other sites could generate any text string image they chose. They were restricted to my ViPR font color and style, but they could place any message on their site that they chose.
This was because ViPR generated text from the URL in this manner:
<img src="...?img=default|Protecting Bandwidth" ... />
Anyone on any site could create that same img element, change "Protecting Bandwidth" to "Welcome to MalWare Central", and their site would display a "Welcome to MalWare Central" image served from my site.
This design is too tantalizing not to deal with. While images can be pulled from anywhere, the fact that the text was customizable created, I believe, a tremendous incentive for abuse.
To reduce the incentive significantly, I removed customizability. Rather than putting the article title text in the src path, ViPR now places the article id and looks up the article title from the id.
Folks can now steal my article titles and display them on their sites, but they can't craft custom messages anymore.
<img src="...?img=default|50" ... />
Default, by the way, is the name of the template associated with the page being displayed. I'm hoping this design will mitigate any potential for bandwidth abuse that using Vine Type with ViPR might present.
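The change described above, sketched in Python as an added example (this is not Vine Type's code): the `img=template|value` parameter is parsed the same way in both versions, but the revised handler accepts only the id of an existing article and looks the title up server-side. The `TEMPLATES` set, the `ARTICLES` table, and all function names are assumptions made for the illustration; image rendering is left out and each function returns the text that would be drawn.

```python
from urllib.parse import parse_qs

# Constructed sample data; the real template names and article store are not shown on the page.
TEMPLATES = {"default"}
ARTICLES = {50: "Protecting Bandwidth"}


class RejectedRequest(ValueError):
    """Raised when the img parameter does not name a known template and article."""


def split_img_param(query):
    """Split the 'img=template|value' parameter used in the img src."""
    values = parse_qs(query, keep_blank_values=True).get("img", [])
    if len(values) != 1 or "|" not in values[0]:
        raise RejectedRequest("img must be exactly one 'template|value' pair")
    template, _, value = values[0].partition("|")
    if template not in TEMPLATES:
        raise RejectedRequest("unknown template")
    return template, value


def text_before_fix(query):
    """Original design: whatever text the caller put in the URL gets rendered."""
    _, value = split_img_param(query)
    return value


def text_after_fix(query):
    """Revised design: the value must be the id of an existing article."""
    _, value = split_img_param(query)
    # Accept only a short ASCII decimal id; free text never reaches the renderer.
    if not (value.isascii() and value.isdigit() and len(value) <= 9):
        raise RejectedRequest("article id must be a short decimal number")
    title = ARTICLES.get(int(value))
    if title is None:
        raise RejectedRequest("no such article")
    return title
```

A request that fails validation should get an error response rather than a rendered image, so a third-party page embedding a crafted URL shows nothing useful.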