I have user-submitted files (mostly PDF) readily available for download only through a link on the host website.
I have protected user-submitted files with an .htaccess file that resides within the uploads directory. The .htaccess inspects the referrer for the hard-coded domain name, and when the referrer matches, it enables access. Otherwise access is refused.
This works fine, except when following file links in Safari for Ebooks. Safari tries to open them in-browser and subsequently gets refused, despite the fact that the referrer was correct.
Any ideas on how to enable Safari customers to see these files when coming from the correct location?
The Referer (sic) header is extremely hard to rely on at best. When utilizing it, I'd only disallow customers having a blatantly wrong referrer, letting 'referrerless' requests go through, as they could be perfectly legitimate.
You claim the referrer was correct, yet Safari is blocked, and that is the only real check you claim is done. Realistically, the referrer isn't correct: what's in your Apache access and/or error log?
I'd solve it with a session (or pseudo session), or even by creating temporary (empty) files per remote IP address, and base access on either the existence of the session or the existence of the IP-related temporary file.
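One way to build the "pseudo session" suggested above, as an added example that is not code from either poster: the host page issues a short-lived HMAC-signed link bound to the visitor's server-side session, and the download handler trusts that signature while treating Referer only as a soft signal. The secret, host name, `/download/` URL layout and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import urlsplit

# Everything below is hypothetical: names, URL layout and values are constructed.
SECRET = b"constructed-demo-key"   # load a random secret from config in real use
SITE_HOST = "www.example.com"      # placeholder for the host website
TTL = 300                          # link lifetime in seconds
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")  # plain file names only


def _sign(filename, session_id, expires):
    msg = "\0".join((filename, session_id, str(expires))).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_link(filename, session_id, now=None):
    """Called while rendering the host page for an existing session."""
    expires = int(time.time() if now is None else now) + TTL
    sig = _sign(filename, session_id, expires)
    return f"/download/{filename}?e={expires}&s={sig}"


def referer_blatantly_wrong(referer):
    """A missing Referer passes; only a present, foreign one is rejected."""
    if not referer:
        return False
    try:
        return urlsplit(referer).hostname != SITE_HOST
    except ValueError:             # malformed URL in the header
        return True


def allow_download(filename, expires, sig, session_id, referer="", now=None):
    """True only for an unexpired link that was signed for this session."""
    if not SAFE_NAME.fullmatch(filename) or not session_id:
        return False               # also blocks ../ and dot-files such as .htaccess
    if referer_blatantly_wrong(referer):
        return False
    try:
        expires = int(expires)
    except (TypeError, ValueError):
        return False
    if (time.time() if now is None else now) > expires:
        return False
    expected = _sign(filename, session_id, expires).encode()
    return hmac.compare_digest(expected, str(sig).encode("utf-8", "replace"))
```

Because the decision rests on the signed link and the session, a request that arrives with no Referer at all is still served, while a copied link fails for another session or after the expiry time.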