Origin Domains Not Working in Stream

I have created an account.
A video uploaded in cf-Stream is set up under www.abc.com

Case 1:
In the video the allowed origin domains is: Blank
An embed w/responsive control is set in the html on def.com
The video plays properly.

Case 2:
In the video the allowed origin domains is: def.com
(so that only requests from this domain should play the video).
An embed w/responsive control is set in the html on def.com
The video “does not” play at all.

Is this a bug? What am I doing wrong? Have I misunderstood the capability? I want requests to play a video to only come from 1 domain. Really one specific page, but I can live with the full website.

This is a known issue for Safari. Are you also seeing it in other browsers, such as Chrome?

I just ran a test with a video: https://watch.cloudflarestream.com/c5c49f17c0925efaef0a8e811c825df1. If you visit this in Chrome, the video shouldn’t play because I don’t have watch.cloudflarestream.com whitelisted in the allowed-domains settings.

Please note that allowed-domains changes can take 10-15 minutes to go into effect once you’ve made a change.

I have found issues with IE, Safari on Mac and Chrome. The IE11 that I tried shows a message: content cannot be displayed in a frame. It then gives a link to display in a new window; this launches a new tab and plays the video. I guess this could be a browser security setting for that box. Edge had problems playing also, but shows a document square with no access/play symbol.

Can you share the version of Chrome that plays the example video I linked?

In general, allowed origins relies on the browser passing the browser information, so while it should work in most cases, it isn’t a foolproof way to block “hot embedding” of the videos.

Have you considered using signed URLs? They require a little more work but are much more reliable in terms of restricting access.

From what I have seen, a combination of firewall and other settings should work, but the online docs are not very helpful. The signed URLs info looked promising, but not really how to implement it is missing via the link created and where you do this.

I have created the front end to an application where 1 page has the embed code for the video selected. And I can restrict any and all videos to only play through that single page request, then I’m all ears.

Naturally I want to stop hot linking as well as direct source view then grab the URL string.

Got it! We are in the process of updating our signed URL docs so they are easier to follow. Here is how you’d implement it in a nutshell:

Step 1: Make sure the video has signed URL enabled
The setting will take a few minutes to go into effect. You can do this from the dashboard (or using the API):

Step 2: Generate a signing key in the Stream product
You can do this by making a POST request to https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/keys
Be sure to include your Cloudflare auth info in the headers

Step 3: Save the JSON response returned in Step 2
The response should look something like this:

Step 4: Create a backend script that can use the key to generate playback tokens
You can see Worker demo code here: https://pastebin.pl/view/f28600e0

  • You must edit lines 3 (jwk key from the response in step three), line 4 (key ID from the response in step three) and line 5 (the video ID you’d like to allow viewing for).
  • Line 20 specifies when the token should expire
  • Lines 21-33 specify other restrictions (in this example, only viewers from the US would be able to watch the video using this token)

If you set up this worker script, it should output tokens that look similar to my demo URL: https://signedurl.zaid-stream-demo.workers.dev/

Step 5: Using the token to view videos
This is fairly straightforward: wherever a video ID is used, you would replace it with the token string returned in Step 4.

If you quickly want to test your token, you can also just visit https://watch.cloudflarestream.com/{your_token}
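
The token-minting backend from Step 4, as an added example that is not part of the original post and is not Cloudflare's Worker script (the pastebin code is not reproduced on this page). The claim names (`sub`, `kid`, `exp`, `accessRules`) and the base64-encoded `jwk` field follow Cloudflare's Stream documentation rather than this thread and should be treated as assumptions; `checkToken` and `demoKey` are hypothetical helpers that use a constructed throwaway key so the script runs offline.

```javascript
// Added example (Node.js 16+): mint an RS256 playback token on the backend.
const { createSign, createVerify, createPrivateKey, generateKeyPairSync } = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// jwkBase64 and keyId come from the Step 2 response (assumed: jwk is base64-encoded JSON).
function mintPlaybackToken(jwkBase64, keyId, videoId, ttlSeconds, countries, nowMs = Date.now()) {
  const jwk = JSON.parse(Buffer.from(jwkBase64, 'base64').toString('utf8'));
  const header = { alg: 'RS256', kid: keyId };
  const claims = {
    sub: videoId,                               // token is valid for this one video only
    kid: keyId,
    exp: Math.floor(nowMs / 1000) + ttlSeconds, // keep short to limit reuse of a copied token
    accessRules: [                              // assumed rule format: allow list, then block
      { type: 'ip.geoip.country', action: 'allow', country: countries },
      { type: 'any', action: 'block' },
    ],
  };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  const key = createPrivateKey({ key: jwk, format: 'jwk' });
  const sig = createSign('RSA-SHA256').update(signingInput).sign(key);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Local sanity check only (not Cloudflare's verifier): signature, expiry, video binding.
function checkToken(token, publicKey, videoId, nowMs = Date.now()) {
  const [h, p, s] = token.split('.');
  const valid = createVerify('RSA-SHA256').update(`${h}.${p}`)
    .verify(publicKey, Buffer.from(s, 'base64url'));
  if (!valid) return 'bad-signature';
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.exp <= Math.floor(nowMs / 1000)) return 'expired';
  return claims.sub === videoId ? 'ok' : 'wrong-video';
}

// Constructed throwaway key standing in for the Step 2 signing key.
function demoKey() {
  const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwkBase64 = Buffer.from(JSON.stringify(privateKey.export({ format: 'jwk' }))).toString('base64');
  return { jwkBase64, publicKey };
}

const demo = demoKey();
const token = mintPlaybackToken(demo.jwkBase64, 'demo-key-id', 'demo-video-id', 3600, ['US']);
console.log(checkToken(token, demo.publicKey, 'demo-video-id'), token.slice(0, 40) + '...');
```

Because each token carries its own expiry and is bound to one video ID, the page that embeds the player can request a fresh short-lived token from this backend on every load.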

Not sure I understand how to do your steps 2-4. But I understand that the token that gets created is used in place of the actual filename and thus hides the filename from the browser. So a view source would still be able to use that URL/token until that token expires. So you would have to get new tokens each month or some time period to minimize the accessibility of that video.

  1. So I would have to run steps 2-4 to generate a token for every video that I want to have, correct?
  2. Then I would have to get a new token for each video when I want to replace it…
  3. Another question has come up: any changes that we make to the firewall would only be applied to the domain name / site, because Stream uses videodelivery.net and is not touched by the firewall. Correct?
  4. How do we prevent the hot linking of the videos? Or is the token the only way to ‘somewhat’ protect the content, allowing that link to be active for a short time?

This security component is the only thing holding me back in the deployment of our web component.

Thanks for assisting.

Can you drop me a note at zaid at cloudflare.com so I can assist you with your specific use case?

OK, will send email in the morning. Thanks.

Got an email out to you today about 1:30 CST.

[quote=“zaid, post:6, topic:217123”]
You can do this by making a POST request to https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/keys
Be sure to include your Cloudflare auth info in the headers
[/quote]

Can you please provide a complete example of the curl command and, importantly/specifically, where you locate the ‘auth info’ and ‘account_id’? Thanks.

Hi @zaid,
Your https://pastebin.pl/view/f28600e0 is not working. Can you please share the updated URL or code here?

I have successfully generated a signed URL using the firebase/php-jwt package (GitHub - firebase/php-jwt: PHP package for JWT), but still, the video is running without any protection, even though I have added a domain name during video upload.

Please help, we need to fix this asap.

Hi @zaid,

The URL (https://pastebin.pl/view/f28600e0) shared by you is not working anymore. Please share the updated URL or code sample here.

I have created a signed URL for one of my videos using the firebase/php-jwt package (GitHub - firebase/php-jwt: PHP package for JWT), but still, anybody can view that video without any restriction, even though I have added a domain name.

Please help us, it’s very urgent.

Thanks & Regards,