Image Blind Watermark

Image Blind Watermark invisibly embeds watermark information into the original image. You can extract the blind watermark from suspected stolen resources to verify image ownership.

Features

After activation, each account has 3,000 free quotas. Charges will be incurred after exceeding the limit. Three types of blind watermarks are provided: semi-blind, fully-blind, and text-based. You can choose according to your needs.

Watermark Type	Characteristics	Applicable Scenarios
Semi-blind Watermark (type1)	Strong resistance to attacks, but requires the original image for extraction	Suitable for small images (640x640 or below)
Fully-blind Watermark (type2)	Convenient extraction requiring only the watermarked image	Batch addition and verification without original image comparison
Text Watermark (type3)	Directly adds text information to images	Terminal information addition

Applicable Scenarios

Authentication Accountability

You can add a semi-blind watermark to image resources. After discovering that malicious attackers have stolen your resources, retrieve the suspected stolen images and perform blind watermark extraction with the corresponding original images. If a valid watermark image can be obtained, it can prove resource ownership.

Upload Duplicate Check

To address the issue of some users repeatedly uploading the same information using other users' resources (e.g., property images, car images, product images, etc.), you can perform fully-blind watermark extraction before users upload image resources. If watermark information is extracted, it proves the image originates from existing resources, and corresponding actions can be taken (e.g., reminding users not to upload resources repeatedly). If no fully-blind watermark exists, add a fully-blind watermark to protect image resources from being downloaded and re-uploaded by other users.

Resource Leak Prevention

For internally shared image resources, you can use text blind watermarking to embed the requester's information into images during access. If resources are leaked, the blind watermark can be extracted from the circulated images to identify the source of the leak.

!You can use this extension capability not only in Cloud Functions but also on the client side. The file read-write permission policies are consistent with Cloud Storage, reducing your additional permission management efforts.

Prerequisites

CloudBase has been provisioned.

Extension Configuration Information

You can configure the following parameters:

• Environment ID: Select the environment to deploy to, specifying where it will be used.

Billing

This extension uses CloudBase or other Tencent Cloud services, which may incur relevant fees:

• Cloud Infinite (Product Pricing and Usage Details).
• Cloud Storage (Product Pricing and Usage Details).
• Cloud Function (Product Pricing and Usage Details).

When using CloudBase extensions, you only pay for the cloud resources you consume; CloudBase is billed separately from other cloud resources. You can view detailed information in the Billing Center.

Enabled APIs and Created Resources

• Type: Cloud Infinite Description: Provides developers with intelligent processing services for images, videos, and other types of data.
• Type: Cloud Storage Description: Storing images and improving their loading speed via CDN.
• Type: Cloud Function Description: Detects image processing parameters and generates signatures for image processing to ensure the legitimacy of operations.

Permission Granting

Primary Account

Role Name	Authorization Policy Name	Role Type	Description
CI_QCSRole	QcloudAccessForCIRole, QcloudCOSDataFullControl	Service Role	Cloud Infinite (CI) will access your Tencent Cloud resources, including reading, modifying, deleting, listing, etc. of COS data.
TCB_QcsRole	QcloudCIFullAccess	Service Role	CloudBase (TCB) will operate on your Cloud Infinite (CI) resources to facilitate your use of this service in extension capabilities.

Sub-account

If you want a sub-account to be able to use this extension, you need to grant the following permissions to the sub-account:

• Policy: QcloudAccessForTCBRole Description: Access permissions for CloudBase (TCB) to cloud resources.
• Policy: QcloudCIFullAccess Description: Full read-write access permissions for Cloud Infinite (CI).

Install Extension

You can install and manage extensions via the CloudBase Console.

Use Extension

! If you are using this extension on a web website, first add the website domain as a secure domain for the current environment in the CloudBase Console. Additional requirements are as follows:

• When using the blind watermarking feature, the width and height of the watermark image must not exceed 1/8 of the original image.
• To ensure the effectiveness of the blind watermark, please use a watermark image with a black background and white content.
• Cloud Infinite provides a monthly free trial quota of 3,000 images per account. Beyond this quota, standard billing applies. Unused quota does not roll over to the next month.
• Text blind watermarking currently supports digits [0-9] and uppercase/lowercase English letters [A-Z, a-z].
• Blind watermarking can resist various image theft attacks such as cropping, smearing, and color alteration. The anti-theft effectiveness depends on the original image size and the severity of the attack.

Add watermark during download

Adding blind watermarks during image download is the same as adding regular watermarks. Simply use the watermark parameter after the image access URL. Relevant content is as follows:

watermark/3/type/<type>/image/<imageUrl>/text/<text>
// For example: http://xxxxx.tcb.qcloud.la/demo.jpeg?watermark/3/type/3/text/dGVuY2VudCBjbG91ZA==

Watermark parameter values are as follows:

Parameter	Type	Required	Description
type	Int	Yes	Blind watermark type. Valid values: 1: semi-blind; 2: full-blind; 3: text
image	String	No	URL of the watermark image, which must be URL-safe Base64 encoded. Required when type is 1 or 2, and invalid when type is 3. Must meet all of the following conditions: 1. The watermark image must be stored in the cloud storage of the current environment; 2. Replace 'tcb.qcloud.la' in your file access domain with 'picsh.myqcloud.com', e.g.: examplebucket-1250000000.picsh.myqcloud.com; 3. The URL must start with http://.
text	String	Yes	Blind watermark text, which must be URL-safe Base64 encoded. Required when type is 3, and invalid when type is 1 or 2.

Upload images and add/extract watermarks

1. Install the extension SDK to your project

npm install --save @cloudbase/extension-ci@latest

2. Invoke the extension SDK

Invocation Parameters

Name	Type	Required	Description
action	String	Yes	Operation type, pass: WaterMark
cloudPath	String	Yes	Absolute path of the file, same as in tcb.uploadFile
fileContent	Uint8Array or Buffer	No	File content. If provided, processes the image during upload; if empty, processes an already uploaded image.
operations	Object	Yes	Blind watermark processing parameters

operations node content

Name	Type	Required	Description
rules	Array.<Rule object>	Yes	Processing style

Rule object content

Name	Type	Required	Description
fileid	String	Yes	File path of the processed result. If starting with '/', saves to specified folder; otherwise saves to same directory as original image file.
rule	Object	Yes	Processing parameters

The watermark processing parameter (rule) takes the following values:

Parameter	Type	Required	Description
mode	Int	Yes	Operation type, fixed to 3 (add watermark)
type	Int	Yes	Blind watermark type. Valid values: 1: semi-blind; 2: full-blind; 3: text. Must match the type used when adding the blind watermark.
image	String	No	Blind watermark image URL, path in the current environment's cloud storage
text	String	No	Blind watermark text. Required when type is 3, and invalid when type is 1 or 2.

The watermark extraction processing parameter (rule) takes the following values:

Parameter	Type	Required	Description
mode	Int	Yes	Operation type, fixed to 4 (extract watermark)
type	Int	Yes	Blind watermark type. Valid values: 1: semi-blind; 2: full-blind; 3: text. Must match the type used when adding the blind watermark.
image	String	No	Image URL. Required when type is 1 or 2, and invalid when type is 3. For type 1, provide the URL of the original image without watermark; for type 2, provide the URL of the watermarked image.
text	String	No	Blind watermark text. Required when type is 3, and invalid when type is 1 or 2.

Response

Parameter Name	Type	Description
UploadResult	Object	Original image information

UploadResult node content:

Parameter Name	Type	Description
ProcessResults	Object	Image processing results

ProcessResults node content:

Node Name	Type	Description
Object	Object	Each image processing result

Object node content:

Node Name	Type	Description
Key	String	File name
Location	String	Image path
Format	String	Image format
Width	Int	Image width
Height	Int	Image height
Size	Int	Image size
Quality	Int	Image quality
WatermarkStatus	Int	This field is returned when extracting blind watermarks and when type is 2, indicating the confidence level of the extracted full blind watermark. It is a value of 0-100: above 75 indicates confirmed presence, 60-75 indicates suspected presence, and below 60 indicates no blind watermark extracted.

Invoke Example

Client Usage:

const extCi = require("@cloudbase/extension-ci");
const tcb = require("@cloudbase/js-sdk");
const readFile = async function(file) {
  let reader = new FileReader();
  let res = await new Promise(resolve => {
    reader.onload = function(e) {
      let arrayBuffer = new Uint8Array(e.target.result);
      resolve(arrayBuffer);
    };
    reader.readAsArrayBuffer(file);
  });
  return res;
};
let file = document.getElementById("selectFile").files[0];
let fileContent = await readFile(file);

Usage in Cloud Functions:

const extCi = require("@cloudbase/extension-ci");
const tcb = require("@cloudbase/node-sdk");
let fileContent = imageBuffer; // Uint8Array|Buffer format image content

You can choose to use it in [client] or [cloud functions] as needed, and then invoke it with the following code:

const app = tcb.init({
  env: "Your Environment ID"
});
app.registerExtension(extCi);

async function addWaterMark() {
  try {
    const opts = {
      rules: [
        {
          // File path of the processed result. If starting with '/', saves to specified folder; otherwise saves to same directory as original image file.
          fileid: "/watermark/demo.jpeg",
          rule: {
            // Add watermark processing rule
            mode: 3,
            type: 3,
            text: "tcb" // Supports digits [0 - 9] and uppercase/lowercase English letters [A - Z, a - z]
          }
        }
      ]
    };
    const res = await app.invokeExtension("CloudInfinite", {
      action: "WaterMark",
      cloudPath: "demo.jpeg", // Absolute path of the stored image, same as in tcb.uploadFile
      fileContent, // This field is optional. File content: Uint8Array|Buffer. If provided, processes the image during upload; if empty, processes an already uploaded image.
      operations: opts
    });
    console.log(JSON.stringify(res.data, null, 4));
  } catch (err) {
    console.log(JSON.stringify(err, null, 4));
  }
}

async function getWaterMark() {
  try {
    const opts = {
      rules: [
        {
          fileid: "/watermark/demo.jpeg",
          rule: {
            // Extract watermark processing rule
            mode: 4,
            type: 1,
            image: "/tcb.jpeg"
          }
        }
      ]
    };
    const res = await app.invokeExtension("CloudInfinite", {
      action: "WaterMark",
      cloudPath: "demo.jpeg", // Absolute path of the stored image, same as in tcb.uploadFile
      operations: opts
    });
    console.log(JSON.stringify(res.data, null, 4));
  } catch (err) {
    console.log(JSON.stringify(err, null, 4));
  }
}