0

I have developed a video sharing portal solution with a function similar to video sharing website out there (youtube, dailymotion), whereby it allows generation of iframe HTML code that can be embedded on your website.

For example:

<iframe width="521" height="391" src="http://192.168.1.3/vidsolution/public/portal/embed/UlNBX0VuY3J5cHRpb25fMi5tcDQ=" frameborder="0" scrolling="no" allowfullscreen></iframe>

So i would like to find out how can I achieve Domain restriction whereby the iframe will only show the player if the iframe is embedded on permited domain ?

I've found out that you can use javascript to check parent url:

Link: access parent url from iframe

Is that the most reliable way to do domain checking ? any alternative that doesn't involve Javascript, i.e. using JSP / Java Servlet checking ?

Thanks.

Community
  • 1
  • 1
Charlie Kee
  • 1,161
  • 3
  • 11
  • 26
  • How should your servlet obtain the embedding pages URL if the request to your video originates from the web page users IP? – Smutje Jul 07 '14 at 06:29
  • @Smutje Perhaps you can enlighten me on this ? What i need to find out what is the best method to perform domain restriction checking with the current implementation ? – Charlie Kee Jul 07 '14 at 06:37

2 Answers2

0

Use temporary video URLs (secure link) to restrict the access to the video by client IP for a certain period of time:

  • The Web site, displaying the videos and the video server exchange a shared secretKey (only once, during the setup).
  • The Web site, which renders the video player, at the server side, generates a temporary URL, for the video it wants to display, restricted by client IP and expiration date. A different temporary URL is generated at the server side for each client HTTP request. The temporary restricted video URL looks like at this example: https://videos.mysite.com/play/videoID/expirationDate/{hash}/
  • The {hash} is calculated as SHA256(secretKey + videoID + expirationDate + clientIP)
  • The video server calculates the same {hash} for the requested video and provides the video stream only if the {hash} is correct.

Both Web site and video server know all the details, needed to calculate the hash:

  • client IP address (taken from the HTTP request, then passed to the video server as parameter)
  • videoID (passed as parameter)
  • secretKey (it is exchanged during the setup)
  • expiration date (generated by the Web site as current date and time + 4 hours, then passed to the video server as parameter)

Secure Links in nginx

The above described video link protection mechanism is known as "secure links" and is implemented out-of-the-box in the nginx secure link module:

Such an implementation is highly secure and is almost impossible to bypass (unless the client downloads the video and uploads it elsewhere), but it involves server-side logic at the Web site, which displays the video.

Similar "secure link"-based access restriction is used by Amazon S3, Facebook videos and many CDN networks.

Pure Client-Side Implementation?

If you want to skip the server-side logic, and encapsulate the "secure link" unlock logic in an easy-to-embed JavaScript video player, you could generate the temporary secure link for the video in your client-side JavaScript code, but attackers can reverse engineer the code and reveal the secret key.

I don't how to implement secure link generation securely purely at the client-side.

Svetlin Nakov
  • 1,599
  • 18
  • 19
0

Addition: Domain-Level Restriction

Most video servers use the Referer HTTP header to implement domain-level restriction for accessing the domain-protected embedded videos.

This cannot be easily tricked at the client-side, because modern Web browsers disallow changing the Referer HTTP header from a client-side JavaScript fetch (AJAX) calls.

Bypassing by Server-Side Proxy

Beware: the Referer HTTP header-based domain restriction can be bypassed by a server-side script, which requests the video with spoofed HTTP referer and re-streams it to the client (as proxy).

For example, the "domain-level privacy" for Vimeo videos can be bypassed by a server-side code, which fakes the Referer HTTP header and the related cookies in a server-side HTTP request.

Bypassing by Client-Side Code Injection in Allowed Domain

An easy way to watch a domain-level restricted video (when you have its URL) is by client-side injection of the video player code in some allowed HTML page (using the Chrome DevTools).

Let's see an example. We have a domain-restricted video in Vimeo, which cannot be embedded in the w3schools.com domain (this domain is not allowed by Vimeo):

Domain-restricted video from Vimeo -> access denied

In the same time, the video owner allows this video to be embedded in the domain softuni.org. We can open https://softuni.org, click [F12] to show Chrome DevTools and inject the video <iframe> code somewhere in the HTML page from this allowed domain:

Injecting the Vimeo code in allowed domain using Chrome DevTools

Now the video plays correctly, overcoming the domain-level access restriction:

Vimeo domain-level privacy bypassed using Chrome DevTools

Note that this cannot be easily automated by a Web site developer, but can be done by end-users with tech expertise. User's can also use a browser add-on, which fakes the Referer HTTP header, e.g. see the "Referer Control" add-on fro Chrome.

Svetlin Nakov
  • 1,599
  • 18
  • 19