Gublooo

Reputation: 2618

How to enable videos to play only from a particular domain

I offer a subscription service where users pay $9/month to access 100s of videos. Earlier my videos were uploaded on Wistia and they had a feature of domain access - so only if the videos were accessed from my domain - they would play. If anyone copies the embed code and tries to access it - the video will not play.

I am now in the process of migrating the videos to Google Cloud storage.

The current setup is as follows:

  1. Have created a public access bucket in Google and uploaded all the videos
  2. Copied the public access mp4 URL of each video and stored in the database.
  3. When a paid user logs in and accesses the video, the URL is passed on to flowplayer which plays the video.

Issue

Since the Google bucket has public access - the mp4 URLs can be accessed and shared easily. A user can pay $9 for the first month and then view source of the page and get the URL of the mp4 file and download all the 100s of videos and can distribute them freely or upload them on YouTube.

Possible Solutions

  1. Can something be done at Google Storage to prevent this? To my earlier question, signed URLs were suggested but they do not resolve this issue. Is there any other option of ACL or CORS that makes the videos secure so that they play only on my website or provide some other form of prevention?

  2. Can something be done programmatically? My site is built on PHP. Can URLs be masked or made difficult to access via source code?

  3. Can something be done through flowplayer? I believe they also have paid versions. Do they provide any form of access security?

I realize if people want they can find numerous tools to download the videos - all I want to do is not show the direct link to mp4 file in the view source code.

Thanks

Upvotes: 2

Views: 2322

Answers (1)

Dan Cornilescu

Reputation: 39834

If you make the videos public and offer them via their public access URLs then there is no way to restrict access to the no-longer-paying users while still allowing access to paying users. From Making Data Public:

Note: When an object is shared publicly, any user with knowledge of the object URI can access the object for as long as the object is public.

So to achieve what you want you need to either:

  • stop making your videos public. Use whichever of the Access Control Options best fits your case. Signed URLs are a good choice. You use your own desired access logic (like checking your domain, for example) to condition the signed URL generation.

  • NEVER publish the public access URLs. Use the same access control options as above. Signed URLs are effective, but only if you use them, not the public access URLs as you do now. Note: not sharing the public URLs doesn't ensure they can't be guessed and leaked (accidentally or intentionally), thus potentially bypassing any access control you may have in place (see security by obscurity). Might as well drop the shared public access. Signed URLs can be used for uploads as well (if that's your concern).

It's not impossible to have your own access control method (which is what you're hinting at in #2, I think) or a 3rd party one (your #3). But the above note applies in both cases - they can be bypassed if the videos are publicly shared. So why bother?

Upvotes: 2
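
Added example, not part of the answer above or of any project's own code: a PHP endpoint that applies the site's access check first and only then generates a short-lived V4 signed URL for an object in a non-public bucket. It assumes the google/cloud-storage Composer package and service-account credentials that can sign; the bucket name, session keys and video catalogue are hypothetical.

```php
<?php
// Added example: hand the player a short-lived signed URL instead of a public mp4 URL.
// Assumptions (hypothetical): bucket name, session keys, and the VIDEOS catalogue.
require __DIR__ . '/vendor/autoload.php';

use Google\Cloud\Storage\StorageClient;

const VIDEO_BUCKET = 'example-private-videos'; // bucket must NOT grant public access
const URL_LIFETIME = '+10 minutes';            // keep short; the player requests a fresh URL when needed

// Video id -> object name. The object name is never taken from the request itself.
const VIDEOS = [
    'intro-01' => 'courses/intro/lesson-01.mp4',
];

// The site's own access logic: logged in and subscription still paid.
function userIsSubscribed(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['paid_until'])
        && $_SESSION['paid_until'] > time();
}

// Returns a V4 signed GET URL for a known video id, or null for an unknown id.
function signedVideoUrl(StorageClient $storage, string $videoId): ?string
{
    if (!isset(VIDEOS[$videoId])) {
        return null;
    }
    $object = $storage->bucket(VIDEO_BUCKET)->object(VIDEOS[$videoId]);
    return $object->signedUrl(
        new DateTimeImmutable(URL_LIFETIME),
        ['version' => 'v4', 'method' => 'GET']
    );
}

session_start();
if (!userIsSubscribed()) {
    http_response_code(403);
    exit('Subscription required');
}
$url = signedVideoUrl(new StorageClient(), (string) ($_GET['video'] ?? ''));
if ($url === null) {
    http_response_code(404);
    exit('Unknown video');
}
header('Content-Type: application/json');
header('Cache-Control: no-store'); // do not let intermediaries cache a per-user URL
echo json_encode(['src' => $url]);
```

The signed URL works for anyone who holds it until it expires, so the lifetime bounds how long a copied link stays usable; a lapsed subscriber simply never receives a new one.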
