Video upload blocked by governments in some countries

The domain used by Cloudflare Stream to upload videos is being blocked by some governments as a result of copyright infringement. The Internet censorship is becoming a common tool for certain governments to solve disputes on content rights.

Although I only tested the Tus uploads functionality (called by Cloudflare Direct creator uploads), This might be impacting other Cloudflare Stream uploading services.

The problem Cloudflare Stream customers are facing is that some governments do not have the technical knowledge to understand what domains to block, and sometimes the domains being blocked are used by other customers, and maybe even other services. As a result, those services cease to work in the blocking countries. The impact this is having in businesses in those countries that rely on those Cloudflare services might be devastating.

At the moment of writing this post, the domain upload.videodelivery.net is blocked in Spain at least for customers using Jazztel/Orange, an Internet provider with a 22%+ market quota in Spain (as of April, 2023). This effectively means that 22% of Internet users in Spain are not being able to upload videos to any services using Clouflare Stream with Direct creator uploads.

It seems Spain has started to enforce this kind of bans as precautionary measures and without the need of a legal trial. This creates an extremely volatile scenario for startups and developers, who cannot be sure their services will be working tomorrow if their user market is aimed at a country where this kinds of bans are so common.

How to know if you’re being impacted

In spain, when a domain is blocked, all requests to it will return the following HTML page:


<META HTTP-EQUIV="Pragma" CONTENT="no-cache">

<META HTTP-EQUIV="Expires" CONTENT="-1">

<html>Contenido bloqueado por requerimiento de la Autoridad Competente, comunicado a esta Operadora</html>

Note the message “Contenido bloqueado por requerimiento de la Autoridad Competente, comunicado a esta Operadora”, which means: “Content blocked at the requirement of the Competent Authority, as communicated to this Operator”

Because the request to the domain is being intercepted, when requesting via SSL a certificate error is shown.

To check if you’re being blocked, just visit upload.videodelivery.net in your browser using the Internet provider you suspect is being enforcing the blockage and look for the message above.

A mitigation solution

I found that changing the domain upload.videodelivery.net to upload.cloudflarestream.com solves the current issue, even though that domain is not the domain that should be used to perform uploads to Cloduflare Stream as per the current documentation.

This is, of course, just a temporary solution, as new domains might be blocked in the future by other government enforcements.

In order for this trick to work, this domain rewriting must be done to the URL returned in the Location header by the /stream?direct_user=true Cloudflare API, as documented here: Direct creator uploads · Cloudflare Stream docs

Following the example in the documentation, this line:


const destination = response.headers.get('Location');

Should be changed to:


const destination = response.headers.get('Location').replace('upload.videodelivery.net', 'upload.cloudflarestream.com');

A proposed short-term solution for Cloudflare

I propose a solution to Cloudflare to more reliably prevent government domain bans from impacting other users of Cloudflare Stream using Direct creator uploads:

Right now the domain hosting the Tus server for Direct creator uploads is upload.videodelivery.net, and is the same for all customers. If, instead, a unique domain including the customer code were to be used, government blocks could be performed only for the specific cloudflare clients that are infringing the copyright law.

This is already the case when a video in Cloudflare Stream is being embedded using Cloudflare’s stream player (Use the Stream Player · Cloudflare Stream docs):


<iframe

src="https://customer-<CODE>.cloudflarestream.com/<VIDEO_UID>/iframe"

style="border: none"

height="720"

width="1280"

allow="accelerometer; gyroscope; autoplay; encrypted-media; picture-in-picture;"

allowfullscreen="true"

></iframe>

In this case, the domain customer-<CODE>.cloudflarestream.com is used. Because this domain is unique for each Cloudflare customer, the block would not affect other customers.

Of course, if the government decides to block the entire cloudflarestream.com second-level domain, this solution would also fail.

A proposed long-term solution for Cloudflare

To further prevent this problem in those cases, a subdomain in a customer-owned domain could be set up to be used in all its Cloudflare Stream operations. This would also get rid of all CORS-related issues some customers seem to be having when integrating Cloudflare Stream.

I can see, however, how this would be difficult to implement, since the Cloudflare Stream service is an account-wide service not tied to any specific domain in the customer’s account.

Hope this helps. Thank you.

2 Likes

Thanks for the feedback and suggestion!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.