Can you protect/obfuscate the URL for assets on Cloud Files? - cdn

Just opened an account with Rackspace Cloud Files and I'm looking to protect our video assets. By protect I want to make sure that the user is logged in with an active account prior to serving up the video stream. I suppose it could be done in the .htaccess, however if I use LiveHeaders or any other sniffer I will see the CDN's URL. We will be serving this video to the iPhone as well as through the browser.

You can simply download it on server side and send it to client. Dont ?
Why you have to provide CDC URL ?
For example, using CURL...

Related

FetchEvent for "<URL>" resulted in a network error response: CORP prevented from serving the response to the client

I'm building and app with firebase and expo in react native. The app has live streaming with Zoom Web SDK. In order to deliver a better experience to the end user, for example, the ability to send video faster and enable multiple video streams, which powers features like Gallery View and Virtual Backgrounds, we need to enable SharedArrayBuffer.
As of Chrome 92, SharedArrayBuffer is only available if your web page is Cross-Origin Isolated, or if your web page uses Credentialless headers.
We implemented the coi-serviceworker from https://github.com/gzuidhof/coi-serviceworker and the rules to implement this are:
Rules: 1. It must be in a separate file, you can't bundle it along with your app. 2. It can't be loaded from a CDN: it must be served from your own origin. 3. Your page will still need to be either served from HTTPS, or served from localhost.
THE PROBLEM:
When a implemented the coi-serviceworker in my code, all the files(images and videos) that comes from the firebase storage are not displaying anymore.
I think the error is because of the second rule, because we use Firebase Hosting to publish our app, but the Zoom Gallery View works.
Firebase Hosting uses an advanced global content delivery network (CDN) to make your website as fast as possible. Requested static content is automatically cached on the CDN. If you resume site content, Firebase Hoststatic will not automatically clear all content and CDN cache until the next request.
Someone faced the same issue? I appreciate any help!

How to hide the Firebase Storage download URL from the network tab of browsers?

I'm leveraging Firebase Authentication for downloading images from firebase storage. I'm also leveraging google API HTTP referrers for blockage by domain so that my image from firebase storage is only accessed from my website. But when I go to the network tab of my browser I can see the download URL of the image. By this, anyone can download my image and use it. What should I do so that my images are secured?
P.S: I'm using the firebase storage SDK and by following the documentation when I execute this code below
storageRef.child('images/stars.jpg').getDownloadURL().then(function(url) {
// `url` is the download URL for 'images/stars.jpg'
var img = document.getElementById('myimg');
img.src = url;
}).catch(function(error) {
// Handle any errors
});
I can see the download URL in the network tab of my browser.
You can't. When you give up access to a Cloud Storage download URL to any one, in any way, you are implicitly trusting that user to its access. They are free to share it with anyone they want. If you don't trust that user, then don't give them the URL.
If you don't like the way this works, then don't use download URLs, and allow only secure downloads via the Firebase SDK. At that point, you are trusting the user they will not take the content and upload it elsewhere and generate a URL to it.
You seem to have two options as far as I can tell. Unfortunately, they are basically one in the same effectively as you will probably have to implement both.
The first option is to revoke the access token on individual files you don't want to be allowed to download. Unfortunately, this also means that you can't display them anywhere you currently do via the URL as it breaks that link. See this answer for why that is a pain to do.
The second option is to use storage references to download them client side, but this only works if you are using Firebase SDK's in a web app and not a simple static website. I think this shouldn't expose the URL on the network tab of the browser if the app is set up correctly.
You can implement the second option without the first and the URL shouldn't be exposed, but you can't use the url anymore and have to use both options if you implement the first one... :/ meh... firebase is great, but nothing is perfect
This seems to work, I'll update if it doesn't
Edit: "However, the CORS configuration applies only to XML API requests," which one can just go to the file still.. https://cloud.google.com/storage/docs/cross-origin
GCP console >_
pencil icon > create cors.json [{"origin":["https://yourorigin1.com"],"method":["GET"],"maxAgeSeconds":3600}]
go back to shell and enter gsutil cors set cors.json gs://yourproject1.appspot.com
https://stackoverflow.com/a/58613527/11711280
Workaround:
I will make all rules resource.data.authorId, resource.data.members, etc. I need to match the request.auth.uid (or control calls in client code to non-anonymous uid's), and sign-in every user anonymously, at first. Then, uid will not be null when using a firebase initialized from our domain

iOS9 and HTTP with dynamic sources

My app is remotely updated with image URLs from tons of different sources, most of these on HTTP servers. Now, these HTTP URLs won't download because of App Transport Security.
Apparently I have two options.
Allow all HTTP URLs: Bad practice, possible App Store rejection
Allow specific domains: Not possible because this would mean I can't remotely add images
How can I download the images without disabling App Transport Security?
What if you programmed your own web based API that downloads and stores said images - then you can retrieve them with a call to it. Secure your API with HTTPS. This also gives you more fine grained control in that you own the server you are querying instead of accessing someone else's.

Photo streaming uploading protocol

In this age of *chat applications and various messaging software, I was wondering if there is already an official protocol (RFC) that would follow the following basic flow:
Client connects to Server for a new session
Client uploads an image (or video) with metadata information (size, resolution, format) to server
Server does some work (not part of the protocol)
Server replies with REJECT then client goes to 1.
Server replies with ACCEPT then client stops and gather the result as part of the reply from the server
I have a proprietary solution now that does the basic (supports basic formats) and as we know, the devil is in the details so I wonder if some existing protocol would cover the stream format and more unhappy paths I may have missed with this simple design.
I'm not aware of any protocol that can handle file probing for you ..
ffprobe is a good open source solution to do this but requires processing power and scale.
So this step must be done on server side, after the upload. You cannot trust the client for such information.
I suggest the cloud approach. Here, we're using Amazon Cloud.
Upload your file to AWS S3. You can use multi part upload for faster upload. No need to scale anything, AWS will do it for you.
Your clients just request a signed URL from your web server. The server return the URL and an ID for this new asset. Your clients upload to AWS S3 using the URL.
Once the upload is done, your client make a call to your server again to say: "I'm done with Asset ID blah". Your server knows the asset is now uploaded and can initiate transcoding, analysis, DB updates, etc.
We do this exact scenario in our project.
For transcoding at scale we use our own open source project: https://github.com/sportarchive/CloudTranscode
This is not an easy business, especially if you want to handle videos.
If you restrict yourself to pictures, then a lot can be done on the user side. You can create several versions of the image in JS, directly in the browser for example or in the mobile app, and upload them to your server. The load is much smaller and you may not need this decoupled architecture.
If you handle videos, you need a solid backend.
Hope this help

Akamai file upload from asp.net

I want to upload video from asp.net application to Akamai server so that members of my application can view the video. I have an account on Akamai and have CP code. Now i want to upload video through c# code. If some one has idea then please guide me do this.
Thanks,
Munish
Uploading to Akamai Edge Storage is done through FTP. Check Akamai documentation for how to get the details of the ftp account. Then go a web search for C# FTP libraries for how to push files to it.
Having said that, in almost all cases, you don't need to "upload" to Akamai at all. Whether you are delivery your video over http or streaming, Akamai can pick up the files straight from your web servers.
In Akamai terminology, this is known as setting up an "origin" server. As long as your server is on the internet, and the video files can be downloaded, then Akamai can use them. For full details, look in the Akamai documentation (either Http Content Delivery or Ondemand Streams) for using origin servers.

Resources