Bruce Lewis
My question about s3fs went unanswered on this page: http://code.google.com/p... Does anybody here know about s3fs and directories? E.g. if I create bucket/dir in s3fs with public-read is there any way an unauthorized user could list the dir contents? I can't proceed without being reasonably sure the answer is no.
There's nothing in the content of the object. Is there some kind of metadata I can fetch to make sure directory contents aren't there? - Bruce Lewis
This discussion says metadata is in the HTTP headers, which I've checked: http://groups.google.com/group... Looks like I'm safe. - Bruce Lewis
We disable listing for all of our S3 dirs by disabling the public read ACL on the bucket and setting it on the files themselves. You can fetch from the buckets, but not list them (ditto for the equivalent CloudFront URLs) - Matt Mastracci
Cool. Just to be clear, that includes subdirs that you create via s3fs...it's not just the buckets themselves that are unlistable? - Bruce Lewis
The dirs in S3 are virtual. They don't really exist - they are inferred from the slashes in the S3 filenames. IIRC, s3fs and other programs use a placeholder file to indicate an empty directory. - Matt Mastracci
That's what it looked like to me, but of course that means that for s3fs to list directory contents it needs to query all objects in the bucket matching a pattern. I considered the possibility they might store the directory contents as metadata on that placeholder object. Now that I've learned that said metadata would be in the HTTP headers (which I've checked) I'm satisfied. - Bruce Lewis
I really wanted to be sure, because if I was wrong, thousands of non-public photos would become public. - Bruce Lewis
Yeah, I just confirmed that the S3 browser for Firefox creates virtual directories with the suffix "_$folder$". Listing virtual directory content in S3 is in fact a prefix-search through the bucket. - Matt Mastracci
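An added example (not part of the thread, and not s3fs code) of the checks discussed above: how a "directory" listing is inferred from key names by prefix search, whether an unauthenticated bucket request returned a listing, and what user metadata a placeholder object carries in its headers. All function names are hypothetical and the responses, keys and headers are constructed sample data.

```python
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
PLACEHOLDER = "_$folder$"  # empty-directory marker suffix mentioned in the thread

def list_virtual_dir(keys, prefix, delimiter="/"):
    """Emulate a prefix/delimiter listing: directories are inferred from key names."""
    files, subdirs = [], set()
    for key in keys:
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter in rest:                      # deeper key implies a subdirectory
            subdirs.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        elif rest.endswith(PLACEHOLDER):           # client convention, not an S3 feature
            subdirs.add(prefix + rest[:-len(PLACEHOLDER)] + delimiter)
        elif rest:
            files.append(key)
    return sorted(files), sorted(subdirs)

def anonymously_listed_keys(status, body):
    """Keys leaked by an unauthenticated GET on the bucket URL, or None if listing is denied."""
    if status != 200:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != S3_NS + "ListBucketResult":
        return None
    return [k.text for k in root.iter(S3_NS + "Key")]

def user_metadata(headers):
    """User-defined object metadata, which S3 returns as x-amz-meta-* response headers."""
    return {k.lower(): v for k, v in headers.items() if k.lower().startswith("x-amz-meta-")}

# Constructed sample data (not captured from a real bucket).
KEYS = ["photos_$folder$", "photos/a.jpg", "photos/2009/b.jpg", "photos/empty_$folder$"]
DENIED = (403, "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>")
LISTED = (200, '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
               "<Name>example-bucket</Name><Prefix>photos/</Prefix>"
               "<Contents><Key>photos/a.jpg</Key></Contents></ListBucketResult>")
PLACEHOLDER_HEADERS = {"Content-Length": "0", "ETag": '"d41d8cd98f00b204e9800998ecf8427e"',
                       "x-amz-meta-mode": "16877"}

if __name__ == "__main__":
    print(list_virtual_dir(KEYS, "photos/"))
    print(anonymously_listed_keys(*DENIED), anonymously_listed_keys(*LISTED))
    print(user_metadata(PLACEHOLDER_HEADERS))
```

A `None` result from `anonymously_listed_keys` for the unauthenticated request is the outcome the thread is looking for; a list of keys means the bucket itself still grants public read.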