45 comments

[ 5.1 ms ] story [ 108 ms ] thread
Someone's using a hash function where a MAC belongs..
What exactly do you mean?
you are basing your 'token' on md5(data+secret), however md5 (and other hash functions) are easily extended when data and token are known, even without knowing secret. Basically, given data and token, I can produce a different token, that matches a (somewhat) different data, without knowing secret.
Sure you could, but then why would one go through all the hassle just to get a (probably already cached) screenshot?
well, for starters, I could use your (paid) account to get free screenshots.
But if you knew how to do that then you could probably set up webkit2png in a tenth of the time.
True, but what you are saying is only complex applications need to be secure?
Does it let you take a screenshot of the whole height of the page? I see that you can specify the height of the viewport, but what if I want a whole long screenshot of as much height is rendered?
Yes it does. See this example of the nytimes: http://url2picture.com/Picture/Png/?apikey=6101EE5C99B145ECB...

Of course there are limits to this as some websites have "endless" scrolling (like pintrest)

Ergh, Windows font aliasing.
What's the market for this?
Oh quite different: Mostly it's used to create images inside reports or to display thumbnails for the user.

The Full-Page Screenshots is the main selling point at the moment...

I'll chime in and say that the company I work for was ready to pay 1200$ for a piece of software that we hoped would do this reliably. There are cheaper or even free alternatives out there, but they all had different problems. If this site is reliable and flexible, it is answering a real need in the market.

Does it render in webkit?

Yes it uses webkit, and regarding reliability... It currently runs smoothly despite the hacker news traffic increase ;-)
Sorry, I meant that as in reliably renders whatever you throw at it. This where others would fail, i.e. sections of the page would be not be rendered, or they would execute javascript, but the execution would fail half way through,, it would crash if the site embedded certain resources, that kind of thing.
It runs a full blown browser in the background so it should handle most things you can throw at it.
Just use urlbox.io. We using them and currently doing over 25K screenshot requests a day on urlbox and extremely happy with their service reliability. Have spoken to founder couple of times.. he's integrated us with their PHP API.
This looks to me to be a page-for-page clone of another url screenshot service that made it to the front page a couple weeks ago.

http://news.ycombinator.com/item?id=5257432

Compare: https://urlbox.io/docs

http://www.url2picture.com/Home/Docs

and on top, looks like urlbox (properly) uses hmac!
Yeh exactly. There should be a way to downvote clones.
Clones often aren't exact clones and have nuances which differentiate them. Sometimes the nuances are very important.
Are the Samwer brothers behind this?
its an inferior copy of urlbox.io.

It doesnt render fonts / webfonts properly.

Website design and docs look really poor compared to urlbox.io.

Kind of funny - you get German Google display ads in the screenshots - looks like a headless webkit client (similar to phantomjs) - clear your caches between the screenshots guys.
I see you have an option to crop the image... but what about offsetting the crop? I've looked at a few of these services and no one seems to give that option. I can process it myself but it would be nice to do it in one api call. For example set viewport to 1200 x 1900, crop to 300 x 400 at 500px from the top and 300px from the left. Or some coordinates from top and center perhaps...
I've added this to the to-do list...
Niggling feedback: This is a tool for developers, it's awesome that you have code on the homepage but I'd like to see that code:

- Formatted in a way that I can read it without scrolling

- Not using capitalized variables

In PHP it's a good practice to capitalize variables when they are "static". (Not LITERAL static)
The domain name and the home page look too much like http:/www.url2png.com/
Agreed. But as they say imitation is the sincerest form of flattery.

:)

You clearly were not ready for production. Please take your SaaS product offline and fix it.

1) A Recursion vulnerability exists within your app - if I use your PHP sample code to take a a screenshot of itself, your service blows up.

2) You embed a fully usable API key and token in your landing page. Line 254 and 255: var urlPart = "apikey=6101EE5C99B145ECB79B4125BED74D19&url=" + $('#tryurl').val() + "&thumbnail_width=550&crop_height=440&width=1280&height=1024"; var token = calcMD5(urlPart + "9A8E44104F064A5B9AD410F0F2DC9558");

You might want to fix that.

You're right, I've added both to our bug list. Thanks for pointing that out!