-2

When I include controls on video element, ex:

<video controls >
    <source src={"https://another-server/myVideo.mp4"} type="video/mp4"/>
</video>

I get a built in Download functionality as seen below.

enter image description here

and the video downloads normally. But when I try to use javascript and blob to save the video, I get CORS policy issue. Why is not this the case with html5 ?

entropyfeverone
  • 1,052
  • 2
  • 8
  • 20
  • The sections "About the Same Origin Policy" and "Why the Same Origin Policy only applies to JavaScript in a web page" on the duplicate are of particular relevance. – Quentin Dec 29 '20 at 14:43
  • @Quentin No it was not answered in the relevant post. It just explains why and when the CORS policy applies. But it doesn’t explain what I am asking for. I am asking for why html5 built in capabilities are any different so they don’t have issue to download content from another source, even though I have a CORS problem when I try to do it. – entropyfeverone Dec 30 '20 at 08:55
  • As the duplicate says, you, (the developer of the website that the user is visiting), didn't write the code built into the browser that performs the download, so you can't make that code nefariously steal the data that the other side is willing to give to the user who owns the browser. – Quentin Dec 30 '20 at 08:57
  • @Quentin So as I see it we trust html5 and not javascript. This means that the user has to click a button in order to download content (using the video element) whereas if javascript was also allowed, it could also do other stuff with this content using the computation resources of another user. But I always thought that CORS is related to security and that it is not an anti theft mechanism. – entropyfeverone Dec 30 '20 at 09:05
  • @Quentin I hope sometime the web community to agree on having open js libraries with a useful API which will be allowed to execute without any CORS issue as not all js tries to steal content, but just to make a user’s ui more convenient. – entropyfeverone Dec 30 '20 at 09:11

1 Answers1

1

Because Cross Origin Policies do not prevent a client from downloading a resource, it prevents a script from a given origin to read the content of a resource from an other origin.

That the client is able to download the resource on their disk doesn't give your scripts the mean to read this content. They can always save to disk whatever the browser could load.

Kaiido
  • 123,334
  • 13
  • 219
  • 285
  • But html5 video doesn't do exactly that? It does read the content of a resource from an other origin. – entropyfeverone Dec 29 '20 at 14:28
  • **Your scripts** can't read its content no. But yes it can still be embedded, and read by the browser of course. See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_network_access – Kaiido Dec 29 '20 at 14:36