
Security and Domain Restrictions

Tintage implements comprehensive security measures to protect users and ensure content safety across all video templates and rendering processes.

Overview

All external resources (images, CSS backgrounds, etc.) are subject to domain validation to prevent malicious content and ensure platform security. This system blocks unauthorized domains while allowing trusted sources.

Allowed Domains

The following domains are whitelisted and approved for use in Tintage templates:

Tintage Infrastructure

  • dklbe7bjw8h2k.cloudfront.net - Tintage's CloudFront CDN for hosting user assets
  • public-worker.tintage.workers.dev - Tintage's Cloudflare Workers for dynamic content
  • tintage-bucket.tintage.workers.dev - Tintage's video and asset storage bucket
  • tintage.com - Tintage's main domain and assets

Third-Party Services

  • images.unsplash.com - Unsplash image service for high-quality stock photos
  • images.pexels.com - Pexels free stock photos with commercial use license
  • cdn.pixabay.com - Pixabay free stock photos and vectors

Blocked Content

The following content types are automatically blocked:

Domain Restrictions

  • Unauthorized domains - Any domain not in the whitelist
  • Subdomains of blocked domains - Only exact matches and approved subdomains are allowed
  • IP addresses - Direct IP addresses are not permitted

Data URL Restrictions

  • Base64 data URLs - data:image/... and data;base64,... formats
  • SVG data URLs - data:image/svg+xml;base64,...
  • Any embedded content - All data URLs are blocked for security

Protocol Restrictions

  • Local file paths - file:// protocol URLs
  • Invalid URLs - Malformed or broken URLs

Advanced Attack Vectors Blocked

  • CSS @import statements - External stylesheet imports
  • CSS content property URLs - URLs in CSS content property
  • CSS custom properties - URLs in CSS variables
  • SVG image elements - Unauthorized href attributes in SVG
  • Picture/source elements - Unauthorized srcset attributes
  • JavaScript event handlers - All onclick, onload, etc. attributes
  • External stylesheets - Link and style tags blocked

How Domain Validation Works

Real-Time Validation

Domain validation occurs at multiple stages:

  1. Template Editor - Images are validated as users add them
  2. Preview Generation - Content is checked during preview creation
  3. Video Rendering - Final validation before video generation

Validation Process

  1. URL Parsing - Extract domain from the provided URL
  2. Domain Matching - Check against whitelist (exact and subdomain matches)
  3. Content Blocking - Replace blocked content with placeholders
  4. User Notification - Show clear error messages for blocked content

What Happens When Content Is Blocked

In the Template Editor

  • Visual Indicator: Blocked images show "Blocked: Unauthorized domain" message
  • Styling: Dashed border and gray background to indicate blocked state
  • Console Warnings: Detailed logging for debugging

In CSS Backgrounds

  • URL Replacement: Blocked url() functions become url("") (transparent)
  • Silent Failure: CSS backgrounds fail gracefully without breaking layout

In Final Videos

  • Placeholder Content: Blocked images are replaced with error placeholders
  • Consistent Experience: Videos render successfully with blocked content indicators

Using Approved Image Sources

For all custom images, we strongly recommend using Tintage's built-in image uploader. This is the easiest and most reliable method:

How to use:

  1. Click the image picker button in the template editor
  2. Upload your custom image through the interface
  3. The system automatically generates the correct CloudFront URL
  4. Your image is ready to use in templates

Unsplash Images

For high-quality stock photos:

    <img data-type="image"
      src="https://images.unsplash.com/photo-1506748686214-e9df14d4d9d0?ixlib=rb-4.0.3&auto=format&fit=crop&w=1080&h=1080&q=80"
      alt="Stock photo" />

Benefits:

  • Professional quality
  • Wide variety of content
  • Free to use
  • Optimized for web

Tintage Domain Assets

For official Tintage assets:

    <img data-type="image"
      src="https://tintage.com/assets/logo.png"
      alt="Tintage logo" />

CSS Background Images

CSS background images are also subject to domain validation:

Allowed CSS Backgrounds

    background-image: url('https://dklbe7bjw8h2k.cloudfront.net/teams/team_ABC123/bg.png');
    background-image: url('https://images.unsplash.com/photo-1234567890');
    background-image: url('https://tintage.com/assets/pattern.png');

Blocked CSS Backgrounds

    /* These will be blocked and become transparent */
    background-image: url('data:image/png;base64,iVBORw0KGgo...');
    background-image: url('https://malicious-site.com/image.png');
    background-image: url('file:///local/path/image.png');
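
The validation process (URL parsing, domain matching, content blocking) and the url("") replacement for CSS backgrounds, sketched as an added example; this is not Tintage's own code. The allowlist is copied from this page; the names checkUrl, sanitizeCss and SUBDOMAIN_PARENTS, the reason strings, the http(s)-only rule and the choice of tintage.com as the domain with approved subdomains are assumptions.

```javascript
// Added example. Hosts come from the "Allowed Domains" list on this page.
const ALLOWED_HOSTS = new Set([
  'dklbe7bjw8h2k.cloudfront.net',
  'public-worker.tintage.workers.dev',
  'tintage-bucket.tintage.workers.dev',
  'tintage.com',
  'images.unsplash.com',
  'images.pexels.com',
  'cdn.pixabay.com',
]);
// Assumption: domains whose subdomains count as "approved subdomains".
const SUBDOMAIN_PARENTS = ['tintage.com'];

function checkUrl(raw) {
  let url;
  try {
    url = new URL(raw); // no base URL, so relative or malformed input throws
  } catch {
    return { ok: false, reason: 'invalid-url' };
  }
  if (url.protocol === 'data:') return { ok: false, reason: 'data-url' };
  if (url.protocol === 'file:') return { ok: false, reason: 'file-url' };
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: 'scheme' };
  }
  // hostname is lowercased by the parser and excludes userinfo and port,
  // so the comparison is made on the host the request would really go to.
  const host = url.hostname;
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith('[')) {
    return { ok: false, reason: 'ip-address' };
  }
  // Exact match, or a subdomain anchored on a dot boundary (never a bare suffix).
  const ok = ALLOWED_HOSTS.has(host) ||
    SUBDOMAIN_PARENTS.some((d) => host.endsWith('.' + d));
  return ok ? { ok: true, reason: null }
            : { ok: false, reason: 'unauthorized-domain' };
}

// Rewrite every url(...) in a CSS string; blocked targets become url("").
function sanitizeCss(css) {
  return css.replace(/url\(\s*(['"]?)(.*?)\1\s*\)/gi, (match, _quote, target) =>
    (checkUrl(target).ok ? match : 'url("")'));
}
```

The regex pass only covers url() tokens in a style string; the @import, srcset and event-handler cases listed under Advanced Attack Vectors Blocked need a real CSS/HTML parser.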

Troubleshooting

Common Issues

Future Updates

The domain whitelist may be updated to include additional trusted services. Check this documentation for the latest approved domains and security policies.


Last updated: 2026-01-05