It would be nice if a user could set a flag to only allow prediction requests to come from the same domain as where the web server is running. In particular, if a user is hosting their model on Spaces, they may only want requests to come from other Spaces.
There are two ways we could implement this. Any preferences?
(1) Look at the referer header and ensure it's the same as the server URL. This would not prevent a Space from being called from another Space. These headers can also be spoofed pretty easily (so this doesn't completely prevent API usage).
(2) A more robust implementation would be to send a token from the backend to the frontend when the Gradio app is loaded. Making a prediction requires the frontend to send this token along with the prediction. These tokens have an expiry date (maybe 24 hours), so that someone can't simply read the token and hardcode it in the downstream application.
Internal discussion: https://huggingface.slack.com/archives/C02136Y252P/p1666630955157749?thread_ts=1666447456.974249&cid=C02136Y252P
cc @freddyaboulton @aliabid94 @osanseviero @radames @apolinario
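To make the two options concrete, here is an added sketch (not Gradio's code, and not code from anyone in this thread) of both checks in plain Python: a same-origin Referer comparison for option (1), and an HMAC-signed token with an expiry for option (2) that the backend mints when the page loads and the frontend sends back with each prediction. The header name `X-Gradio-Token`, the `payload.tag` token format and the in-memory server secret are assumptions for the example, not anything Gradio defines.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: a per-process secret generated at startup. Rotating it
# invalidates every outstanding token, which is the desired behaviour.
SERVER_SECRET = secrets.token_bytes(32)

# The 24-hour lifetime floated in the issue.
TOKEN_TTL_SECONDS = 24 * 60 * 60

# Hypothetical header the frontend would send the token in.
TOKEN_HEADER = "X-Gradio-Token"


def referer_is_same_origin(headers: Dict[str, str], server_url: str) -> bool:
    """Option (1): compare the Referer's scheme/host/port with the server's.

    Any HTTP client can set Referer to whatever it likes, so this only
    deters casual API use; it is not an access control.
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    a, b = urlsplit(ref), urlsplit(server_url)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes = SERVER_SECRET, ttl: int = TOKEN_TTL_SECONDS,
                now: Optional[float] = None) -> str:
    """Option (2): mint "<payload>.<tag>" for the backend to embed in the page.

    The payload carries an absolute expiry; the tag is HMAC-SHA256 over the
    payload bytes, so a client cannot extend the expiry without the secret.
    """
    now = time.time() if now is None else now
    payload = json.dumps(
        {"exp": int(now) + ttl, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_token(token: str, secret: bytes = SERVER_SECRET,
                 now: Optional[float] = None) -> bool:
    """Accept only if the tag verifies under `secret` and `exp` is in the future."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison; also False when lengths differ.
    if not hmac.compare_digest(tag, expected):
        return False
    try:
        exp = json.loads(payload)["exp"]
    except (ValueError, KeyError, TypeError):
        return False
    return isinstance(exp, int) and now < exp


def handle_predict(headers: Dict[str, str], secret: bytes = SERVER_SECRET,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Gate a prediction request on the token header; returns (status, message)."""
    token = headers.get(TOKEN_HEADER)
    if token is None or not verify_token(token, secret, now):
        return 401, "missing, invalid or expired token"
    return 200, "ok"


if __name__ == "__main__":
    tok = issue_token()
    print(handle_predict({TOKEN_HEADER: tok}))   # fresh token is accepted
    print(handle_predict({}))                    # no token is rejected
```

Two caveats worth keeping in mind when weighing option (2): the token is readable by anyone who can load the page, so the expiry only bounds how long a harvested token keeps working and does not stop a script from fetching a fresh one along with the page; and the signed payload must carry the expiry itself, otherwise a client could present an old token indefinitely.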