Sketchfab loads and renders models, only some of which can be downloaded for free. Models can be viewed without credentials but they don't show up when inspecting the website through the console.
How can a website protect resources (images, gltf files, etc.) from being accessed through the browser console and directly downloaded?
This is mostly about protection from casual console and code use, not serious attempts to breach the system.
CodePudding user response:
I don't have any inside knowledge here, but I'll venture to guess that Sketchfab is using a proprietary format to send most of the model information (geometry, animation, material properties, etc.) from their web server to the website client. They accept uploads in a large number of formats, which a web client cannot reasonably support, and so converting those formats to a single internal format supported by their renderer would be necessary for their website. The data is binary, and not easy (but also not impossible) to reverse engineer.
The textures are not encrypted — you can see them in the Network requests for the page — but they're probably not the original 'source' images, either, I'd assume Sketchfab is compressing the images for smaller file sizes and keeping the lossless source images in storage somewhere.
As you mention, it is impossible to completely prevent a user from downloading and reverse-engineering a 3D model if you are allowing that user to render it on their own GPU. Using a proprietary format is one "good enough" solution. Packing standard formats like glTF into larger binary buffers might also be fine for this purpose. Using lossy compression (Draco, KTX2, JPEG, ...) can also make it a bit less appealing to scrape downloads as opposed buying the original asset.
Finally, a web service like this will likely have some kind of rate-limiting — if they notice that a single user or network of users is downloading a lot of models, they'll likely block those users and/or IP addresses.
You may find some other ideas in these resources: