Skip to main content
Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.

Ask Ben: Spoofing Referrer With ColdFusion 8 CFImage Tag

By Ben Nadel on

Remember this post?

How would you do the same using CF8's new <cfimage> tag when READing a image with a URL as its source that gives you 403 errors?

Here is a sample of the offending URL:

The ColdFusion 8 CFImage tag is totally bad ass. I mean, just the fact that you can even supply a URL as a valid source is wicked awesome! The way the CFImage tag works is a bit of a mystery to me, as it should be. ColdFusion is excellent at black-boxing the hard stuff and just letting us developers worry about leveraging the vast feature set that it supplies. I guess what I am trying to say here is that I don't know how to spoof a referrer directly in the CFImage URL request. However, that doesn't mean we still can't do what you want - it just requires an extra step.

As we have seen before, the CFImage tag can take a number of data types as the Source value. Above, you are trying to supply a URL. The CFImage tag also accepts a binary data object as a valid source value. Knowing this, we can easily append the CFImage functionality to the Playboy picture download example that you are referencing above:

<!--- Set up the target url. --->
<cfset strURL = (
	"" &
	) />

	Set up the base URL folder. This is the folder we
	will use for the referring location.
<cfset strReferrerUrl = GetDirectoryFromPath( strURL ) />

	Grab the image at the given URL. When doing this, we
	need to grab the image as binary so that we can feed
	it directly into the CFImage tag.

		Spoof the referrer as a header value. This is
		how we will get around the 403 forbidden access
		error that is being returned by the server.


	ASSERT: If we have made it this far without timming out,
	then we got are data back from the server. We can not
	yet be possitive that it worked.

<!--- Check to see if the CFHttp grab was successful. --->
<cfif FindNoCase( "200", objGet.StatusCode )>

		We have successfully grabbed the image as a binary
		object. Now, let's read that binary object into a
		ColdFusion image object.

		Write the target image to the browser. We could have
		skipped the above step and just read the binary CFHttp
		data directly into this tag, but I wanted to demonstrate
		that you could read it into a ColdFusion image object.


	<!--- There was a problem with the CFHttp get. --->

		There was a problem grabbing the image.

		Error: <cfset WriteOutput( objGet.StatusCode ) />


Notice that as before, we are letting the CFHttp / CFHttpParam tags take care of grabbing the target image and spoofing the request information. The difference here is that, instead of writing the binary image data to a file, we are reading it directly into a ColdFusion 8 image object. Running the above code, we get the following image being written the browser:

Tire Rim Gotten Via ColdFusion 8 CFImage / CFHttp Combo

It's a little bit more involved than just supplying a URL to the ColdFusion 8 CFImage tag, but it gets the job done. Hope that helps.

Reader Comments

Thanks so much Ben. I was leaning towards using your previous <cfhttp> code for a solution. I just was not sure if their was something I was missing with the <cfimage> tag when grabbing images that return 403 errors.


There might be a shorter way of doing this, but not that I know of (yet). If I come across anything, I will let you know.

In the above code example, the CFHTTP tag has the following attribute/value pair: useragent="#CGI.script_name#"

I think you meant this to be useragent="#CGI.http_user_agent#" rather than referer.

Ooops! Yeah, you are right. I've been getting very sloppy this week - yesterday, I posted a blog entry and totally forgot to post the code :( Not a good way to start off the week. Thanks for the catch.

Ben, Is it possible to take advantage of cfimage if you have CF7MX?

I wanted to use it for a "captcha" program.

@Ben thank you so much for this code walk through, I spent considerable time searching on google before selecting the correct google keywords that landed me here. this worked perfectly