I have a video player on this site http://aiskacang.com/crawl/pseudo.html

The player loads an FLV video file, seeon.flv, from another domain. Currently, even without a crossdomain.xml on the server where seeon.flv is located, the video loads fine. This is not the behavior I want or expect.

I also tried putting a crossdomain.xml with the following content:

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>
```

From Firebug, I could see that there's a request for the crossdomain.xml before the video file (seeon.flv) is accessed. It returns the content fine, with a Content-Type of application/xml, but it still allows the cross-domain behavior.

Any idea?

yingfan
  • Possible duplicate. http://stackoverflow.com/questions/5211846/is-flash-cross-domain-useless – uncaught_exceptions Apr 12 '11 at 06:13
  • Thanks for the link. But 2 things. 1: There is still no explanation for the poster's 1st issue, on why the 1st scenario fails to play. 2: Why does the Flash player load crossdomain.xml for media then? – yingfan Apr 12 '11 at 06:22

2 Answers

To protect your JW Player from cross-domain file injection there are no built-in options; crossdomain.xml would not help you.

You can try to deny remote content injection with server rules in .htaccess: http://www.masterdef.net/blog/jwplayer-crossdomain-remote-video-injection/#more-32

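```apache
### Deny SWPlayer remote files access
########## Begin - File injection protection
# The conditions below only take effect when the rewrite engine is on
RewriteEngine On
# Only inspect GET requests
RewriteCond %{REQUEST_METHOD} GET
# Refuse query strings where a parameter value is a remote URL ...
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
# ... a ../ traversal sequence ...
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
# ... or a local path pattern starting with "/" (case-insensitive)
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
# Answer matching requests with 403 Forbidden
RewriteRule .* - [F]
########## End - File injection protection
```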
XPS

It sounds like you may be confusing the use of crossdomain policies. Disallowing crossdomain access doesn't prevent content from being loaded and displayed. It just limits access between content from different domains after the target has been loaded and displayed. For example, if A.swf loads B.swf, A will be unable to call methods inside B. But B will still get loaded.

It sounds like what you want is hotlinking protection, which is normally done at the webserver level. (That is, you make a rule in Apache/IIS/etc. on the FLV's server to prevent it from being served to other domains' pages.)

fenomas
  • I am aware of hotlinking. The problem with hotlinking is that jwplayer does not send an HTTP referrer. That will cause the video to fail to load even within the same domain. More importantly, I will need to provide a whitelist for crossdomain access – yingfan Apr 12 '11 at 08:18
  • I see. I'm afraid I don't know whether there's a way to get hotlinking to work with JWP, but anyway I hope it's clear why the video plays. To answer your comment above about why Flash loads the policy for video files, as far as I know it does that with all external loads, and I think there are still cases where the policy will come into play. E.g. if the loading SWF tries to draw the loaded FLV into a BitmapData, it shouldn't work unless crossdomain access is allowed (not 100% sure though). – fenomas Apr 12 '11 at 09:09
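
As an added illustration of the distinction drawn in the second answer (this is not code from the thread or from Adobe), the Python sketch below evaluates the `<site-control>` and `<allow-access-from>` elements of a crossdomain.xml and reports which requesting hosts would be granted cross-domain data access. It models data access only, since per that answer loading and playing the FLV is not gated by the policy; `WHITELIST` and its domains are constructed placeholders, and treating a `*.` wildcard as subdomains-only is an assumption of the sketch.

```python
import xml.etree.ElementTree as ET

# The asker's policy, copied from the question.
DENY_ALL = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>"""

# Constructed whitelist policy; both domains are placeholders.
WHITELIST = """<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="player.example.com"/>
<allow-access-from domain="*.cdn.example.net"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Match one allow-access-from pattern against a requesting host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True  # a bare wildcard grants every site
    if pattern.startswith("*."):
        # Assumption of this sketch: the wildcard covers subdomains only.
        return host.endswith(pattern[1:])
    return pattern == host


def data_access_allowed(policy_xml, requesting_host):
    """True if the master policy grants requesting_host data access."""
    root = ET.fromstring(policy_xml.strip())
    control = root.find("site-control")
    if control is not None and \
            control.get("permitted-cross-domain-policies") == "none":
        return False  # "none" disables every policy file, this one included
    return any(domain_matches(e.get("domain", ""), requesting_host)
               for e in root.iter("allow-access-from"))


if __name__ == "__main__":
    for name, policy in (("DENY_ALL", DENY_ALL), ("WHITELIST", WHITELIST)):
        for host in ("aiskacang.com", "player.example.com"):
            print(name, host, data_access_allowed(policy, host))
```

A `False` result here means the loading SWF cannot read the loaded content's data; it says nothing about whether the file is served, which is what a webserver-level rule controls.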