In our App users can subscribe to get access to "premium videos". We use vimeo to host all those videos using that domain protection setting that only allows our videos to be embedded in a specific domain.
Our situation:
If a ill-intended user subscribes for a month and use that access to get all the private videos IDs (something around 1500) using Firebug, chrome inspect or another tool like that, he can manually insert an iframe on our login page and since it's on the domain that is allowed by vimeo, the private video will play without any restriction.
Making use of the stolen ids he can then create a plugin that can list all of our private videos for free on our own site :(
Here's a code sample that someone can use to play a video on our domain just by inserting it using chrome inspect:
<iframe src="https://player.vimeo.com/video/{any video ID including our domain protected ones}" width="640" height="640" frameborder="0" allowfullscreen=""></iframe>
My question:
Is there a way to avoid or make it harder for someone to do this?
A possible solution that we could think of was to create another domain to use as the domain for the videos (avoid using the same as login), but its possible to get that new domain on the network tab of chrome anyway.
P.S: I don't know if that's relevant but we are using PhoneGap/Cordova to develop the app.
After a research and a few answers from Vimeo support we found a solution that works for our case.
Since there's no way to stop people from downloading your videos if they have access to them, we changed our strategy from using domain protection to using direct video links/urls (this requires upgrading your Vimeo account to Pro or higher).
Read more in the Vimeo documentation:
Direct links to video files
Get video file and download links from the API
When you get a direct video url (like https://player.vimeo.com/external/...) and open it in a browser it redirects you to a temporary Url (answer from Vimeo: "Both the files and download links are HTTP 302 redirects to the actual video file resources. The location of the actual video file resources expires every few hours, so make sure you always use the redirect links we provide."). We can then use this temporary url in HTML5 video tag and play our videos.
Notes:
If a user steals our urls it will only work for a few hours and that way they wont be able to build a site with our videos using our Urls.
Unfortunately someone with some knowledge in web can download the videos easily using that direct video link, but since we can't avoid the videos to be downloaded anyway that wont be a big deal.
We need to get the temporary url server side, because we don't want anyone to access the original direct url (like https://player.vimeo.com/external/...).
Here's a code example in C# that gets that temporary url (based on this):
var url = "https://player.vimeo.com/external/...";
HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(url);
webRequest.AllowAutoRedirect = false; // IMPORTANT
webRequest.UserAgent = "youruseragent";
webRequest.Timeout = 10000; // timeout 10s
// Get the response ...
using(var webResponse = (HttpWebResponse)webRequest.GetResponse()) {
// Now look to see if it's a redirect
if((int)webResponse.StatusCode >= 300 && (int)webResponse.StatusCode <= 399) {
string uriString = webResponse.Headers["Location"];
System.Diagnostics.Debug.WriteLine("Redirect to " + uriString ?? "NULL");
}
}
Related
Our website is a vertical search engine and we refer a lot of traffic offsite to partners sites.
We recently switched our website over to serve all traffic via HTTPS. We realised this might confuse some of our partners if they were looking at referrer stats and saw a drop in traffic attributed to us. Therefore at the same time, we added the content-security-policy:referrer origin header and we can see that the referrer is correctly passed along by the browser.
Generally this is working fine but we have had complaints from users of Adobe SiteCatalyst (previously Omniture) who are no longer able to attribute traffic as being referred from us. We don't have access to SiteCatalyst to test this out. How does SiteCatalyst track referral traffic and is there a way to view all traffic split by different sources/referrers?
I don't know if this accounts for everything, since I don't have full context on both your end or your users' end, but here is some info / thoughts that might help.
By default, Adobe Analytics tracks referrer from document.referrer. This can be overridden by setting s.referrer.
In general, depending on how your site directs visitors to the other site vs. Browser security/privacy settings, document.referrer may or may not have a value. For example, Internet Explorer's default security/privacy settings is to suppress document.referrer on dynamically generated popup windows (e.g. window.open() calls).
So, and again, this is just speculation because I don't know the full context, you may need to work something out w/ your users, e.g. explicitly passing the referring url as a query param to the target page, and have your users pop s.referrer with it if it exists. Something along the lines of:
if ( !document.referrer ) {
s.referrer=s.Util.getQueryParam( 'refURL' );
}
Note: s.Util.getQueryParam is a utility function for Adobe Analytics AppMeasurement library that will return the value of the specified query param, or an empty string if it doesn't exist. If your users are still using legacy H code, they should use the s.getQueryParam plugin instead. Or use whatever homebrewed method of getting a query param from the URL, since javascript doesn't have a built-in function for it.
Part of a site I am working on at the moment requires Audio/Video previews.
These are server from a different server to the main site.
The Streaming URL is of the form:
www.myserver.com/Preview.aspx?e=I_AM_AN_ENCRYPTED_KEY
The Key is generated by the server that hosts the file, not the site on which the previews are actually displayed. It's kind of an API.
Part of the security to stop these previews being played anywhere except this website is supposed to check the domain which is requesting this, but it seems that HttpContext.Current.Request.UrlReferrer is NULL when requested from an HTML5 video/audio element.
Without posting the domain along with the Key to the API, is there any way that I can get the referring URL on the receiving server, server side?
EDIT:
To clarify:
There is a website with HTML5 elements which are directed to a URL on a different server, the URL and key is provided by this server (not the website)
When the API server receives a request to stream the preview it checks the Key (which basically tells it what to play) and also checks for the referring domain against a list of allowed domains.
Figured it out - in case anyone cares...
Simply replace:
ReferringDomain = HttpContext.Current.Request.UrlReferrer
with :
ReferringDomain = HttpContext.Current.Request.Headers("Referer")
Sorted! :)
I have an web application in which I generate a download link to an external google resource. This request usually needs a cookie. Because of the cross domain policy I currently download the files with curl and then pass them through to the user. Now those files are large. So I was looking for a way to download them directly through the clients browser.
Playing around I've found out that I can append the cookie in question to the http query, but this only works if no other cookies are set! Since it's google almost all users will have set some cookies for .google.com. Is there any way (maybe some security feature or bug) I can trigger a download request for that file in the users browser without sending any cookies along.
I discovered that I can make a request to *.google.com. (notice the . at the end) and then most browsers won't send any cookies set for .google.com . I've did a quick test using browsershots and on my own devices. The hack works in almost all browsers except for Safari (desktop and mobile) and some no name browsers.
While this works, I've decided not to use that method because the file name will be set to something unusable (no file extension).
I'm building an emailshot tracking function in my ASP.NET site which will serve up a linked image when the email is opened, so allowing me to count the email opens.
It's all above-board, opted-in etc, etc, and I've tried two methods:
calling a .aspx page that serves (direct to the Response stream) a Base64-encoded image stored in a database
calling a .ashx HTTP handler that serves an image from a physical folder
Both of these techniques work absolutely fine - the image is served, and I can process the hit in the page code - if I use my POP email or my Gmail accounts.
However, Hotmail blocks them both. It doesn't even give the option of displaying images - there's no trace of the original link if I View Source on the browser email display.
Links to images only seem to display correctly in the Hotmail browser window if I:
Use an actual domain name in the link (rather than an IP address or localhost for testing) AND
Link to physical files (rather than pages that serve them) using <img src="http://domain/imagefilename.ext"/>.
Is there an alternate approach that will at least give the option of viewing the image? I'm not trying to conceal the tracking in any way - there will usually be other linked images in the emails anyway.
Nor does the thing being served have to be an image - is there anything else that can be served (and hence counted) that isn't treated as suspicious by over-zealous mail servers such as Hotmail?
Cheers.
You can add a querystring value at the end of the url. And then configure IIS to handle that extension.
WELL what are you asking is a nightmare for email server.this same technique is used by spammers to get valid emailid out of junk emailids. For now i can assure you tracking opening of email is impossible using any white hat or gray hat techniques on any reputiable servers.
plese see these links for more details:-
http://emailuniverse.com/ezine-tips/?id=502
https://webapps.stackexchange.com/questions/22662/way-to-ensure-that-my-sent-email-was-read
However dont take myword 'impossible' for granted, there are some protected techineques available but i am not sure about it
http://mailchimp.com/
good luck
I need to be able to open up an external URL in my website with out revealing it to my users (both in the browser and in the source). I do not want them to be able to copy the URL and edit the query string to their liking. Is there a way to open the URL in an iframe, or something of the like, and hide/mask its source?
This is an asp.net 2.0 website.
Could you do the following:
Accept parameters from the user.
Have a webpage or backend process which uses this to download the PDF to a temporary store.
Then stream this to the client, so they don't know about the URL where the PDF is generated? (or just stream directly, without downloading temporarily.)
This way users would never know about the other site, and it should be much more secure.
This could also use some validation/authentication so users are unable to alter the parameters passed to retrieve other users' PDFs.
No. If you are having the clients machine do something (i.e, point their browser to a web page), you can not keep that information from them.
You can render that page server side in a flash widget or some other container but you can't do it on the clients machine.
Best bet: You can make a server-side XMLHTTP request, grab the response and feed in back into your page using AJAX.
You could possibly do it server side by:
Opening a network connection to the
site you want
Obtaining the HTML from a HTML/Get request on the
URL
Inserting it into your page on the server side
That would probably slow down your page load considerably though, and could come coupled with legal issues.
I had a similar problem myself a while ago and did something along these lines (C# .NET 2.0);
public void StreamURLContents(string URL)
{
WebRequest req = WebRequest.Create(URL);
using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
using (Stream dataStream = resp.GetResponseStream())
using (StreamReader reader = new StreamReader(dataStream))
{
string currentLine = reader.ReadLine();
while (currentLine != null)
{
Response.Write(currentLine);
currentLine = reader.ReadLine();
}
}
}
You would have to tailor the writing of the HTML to suit your particular application obviously, and you'd break all of the relative links in the target site (image URLs, CSS links etc.), but if you're only after simple text HTML and want your web app to grab it server-side, then this is a good way to go.
You can make a one-time URL by doing the following:
Store a GUID in a database
Allow the client to request the GUID via hyperlink or other means. The GUID is used in the URL as the fake page; example: http://www.company.com/foo/abc-123-efg-456.aspx
Use URL Rewriting to capture and inspect all requests to the directory "foo" and redirect to your handler.
Confirm the GUID is valid, then mark it as "expired" in the database
Send the appropriate data (a PDF?) to the client as the response to the request.
Any subsequent requests to the same URL fail.