The only solution to this that I can think of would be to allow for URL-based authentication of videos in Mahara. In other words, when a user visits a page (possibly only a user who we have sniffed is using an affected mobile browser), instead of showing them the normal download.php?id=X&view=X URL, we show them a download.php?token=X URL. The token would be randomly generated as needed for each user, would only be valid until the user's session ends, and would allow viewing of the video in a way that bypasses the normal authentication process.

However... that would be a lot of work. And we'd need a cron job to clean up old tokens for expired sessions.

Another possible way to mitigate this problem is to detect when a video is being requested for display via HTML5, and in those cases instead of redirecting unauthorized users to the login page, we return an HTML error page. We could make all the file-serving scripts behave in that way all of the time... but that would be less friendly in the case of a user who actually is trying to click on a download link for a file. Similarly we could base it on whether the request includes a "Range:" header (which a browser will normally only use when it's expecting a large binary file), but again I don't think that's too reliable.

So maybe the best thing would be to add a flag to the URL that indicates that the file is being requested for embedding rather than direct download. We already do that for images embedded via TinyMCE, anyway.

https://bugs.launchpad.net/bugs/1567208

Title: HTML5 videos on non-public pages can't play on LG Android 5.0 Chrome

Status in Mahara: Confirmed

Bug description:

I noticed this bug when trying to play HTML5 videos from Mahara, in my phone (an LG G2 Mini, running Android 5.0). Some videos worked fine; others showed up as a black box. That is, JSPlayer would load it as if the video's thumbnail was a black rectangle. It would show the "big play button" indicating ready to play, and clicking that would cause the player controls to display and then fade, as if a video was successfully playing. But the play bar wouldn't move forward, and no content would be displayed.

After poring through the server logs, it appears that what is happening is that Android Chrome doesn't actually request the media files itself. Instead, it delegates this to the OS's mediaplayer (called "stagefright" in stock Android), which makes the HTTP requests. In my phone, LG has replaced stagefright with its own program that has the user-agent "Player/LG Player 1.0 for ANdroid 5.0.2 (stagefright alternative)".

The bug appears to be that LG Player, when making these requests, does *not* use the cookies from the current browser session. So the request seems to be coming from a logged-out user. If the page of the video is not public, Mahara responds to the request for download.php with a 303 redirect to the login page. The LG Player follows this redirect, receives the HTML from the login page, and hands it back to Chrome as if it were the video. Chrome then treats it as an invalid video file, hence the blacked out player.

It seems there was a similar bug in stock Android (with Chrome and stagefright), which may have only applied to cookies that were set to "HttpOnly". See https://code.google.com/p/android/issues/detail?id=66050 . That bug was resolved over a year ago.

We do use the "HttpOnly" flag on our session cookie in Mahara. However, this problem still occurred after I disabled HttpOnly, so it looks like this is a separate issue, probably a bug in the LG Player. (Which is not surprising, because phone manufacturers tend to be pretty lax on fixing bugs in their customized Android distributions.)
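
The per-session token scheme proposed in the comment above, sketched as an added example; it is not Mahara code and not part of the bug report. `MediaTokenStore`, its in-memory array (standing in for a database table) and the session ids are assumptions, and keeping only a SHA-256 digest of each token, plus binding each token to a single file, are choices added here so that a leaked table or URL exposes as little as possible.

```php
<?php
// Added sketch, not Mahara code. MediaTokenStore is a hypothetical name and the
// array below stands in for a database table.
final class MediaTokenStore
{
    /** @var array<string, array{session: string, file: int}> keyed by SHA-256 of the token */
    private array $rows = [];

    // Issue a token that unlocks exactly one file for exactly one session.
    public function issue(string $sessionId, int $fileId): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        // Store only the digest: a dump of the table yields no usable tokens.
        $this->rows[hash('sha256', $token)] = ['session' => $sessionId, 'file' => $fileId];
        return $token; // value for download.php?token=...
    }

    // Return the file id the token unlocks, or null if the token is unknown
    // or the session that owns it is no longer live.
    public function redeem(string $token, array $liveSessions): ?int
    {
        $row = $this->rows[hash('sha256', $token)] ?? null;
        if ($row === null || !in_array($row['session'], $liveSessions, true)) {
            return null;
        }
        return $row['file'];
    }

    // The cron job from the comment: drop tokens whose session has ended.
    public function purge(array $liveSessions): int
    {
        $before = count($this->rows);
        $this->rows = array_filter(
            $this->rows,
            fn(array $r): bool => in_array($r['session'], $liveSessions, true)
        );
        return $before - count($this->rows);
    }
}

// Constructed demo data: one live session, one that has already ended.
$store = new MediaTokenStore();
$live  = ['sess-alice'];
$alice = $store->issue('sess-alice', 42);
$bob   = $store->issue('sess-bob', 7);

var_dump($store->redeem($alice, $live));              // token of a live session
var_dump($store->redeem($bob, $live));                // token of an ended session
var_dump($store->redeem(str_repeat('0', 64), $live)); // guessed token
var_dump($store->purge($live));                       // rows removed by cleanup
```

Because `redeem()` checks session liveness on every request, a token stops working as soon as its session ends, and `purge()` only reclaims storage.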

