I'd like to allow anyone to play a video located in my S3 bucket on my site as the `src` on a `<video>` tag, but not allow people to use it as a `src` on their site or to play the video directly by typing the URL into the browser bar.
I don't want people doing this:
and I don't want the following HTML to appear on http://your-site.com but only on http://my-site.com:
```html
<html>
  <video src="https://s3.amazonaws.com/my-bucket/my-video.mp4"></video>
</html>
```
I've seen some SO links on this but I wanted to talk in code since I haven't been able to make these solutions work for me.
Here's my bucket policy that is currently NOT working:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://my-site.com/*"
          ]
        }
      }
    }
  ]
}
```
Two questions:

`http://localhost/test.html`. Why isn't my bucket policy preventing this? (I'd only want it to work from `http://my-site.com/test.html`)

To be more clear, my files are stored on S3 but they are delivered by Amazon's CloudFront. So my CloudFront URL `src` is currently media.my-site.com/my-video.mp4. The CNAME being media.my-site.com.
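How the `aws:Referer` condition in the policy above evaluates, as an added example that is not part of the original post: it models only this statement's `StringLike` test (case-sensitive, `*` and `?` wildcards, an absent key fails) against constructed request headers. `string_like`, `statement_matches` and the sample requests are hypothetical names and values, and mapping `aws:Referer` straight to a `Referer` header is a simplifying assumption; ACLs, other statements and anything cached in front of the bucket are outside the model.

```python
import json
import re

# The statement from the question, with the closing bracket of "Statement" in place.
POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "AllowPublicRead",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"StringLike": {"aws:Referer": ["https://my-site.com/*"]}}
  }]
}
""")


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of characters, '?' = one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def statement_matches(statement, headers):
    """True when every StringLike condition of the statement is met by the request headers."""
    for key, patterns in statement.get("Condition", {}).get("StringLike", {}).items():
        header = key.split(":", 1)[1]          # assumption: "aws:Referer" -> "Referer" header
        value = headers.get(header)
        if isinstance(patterns, str):
            patterns = [patterns]
        # An absent header never satisfies StringLike; several patterns are OR-ed.
        if value is None or not any(string_like(p, value) for p in patterns):
            return False
    return True


# Constructed requests: the header is whatever the client chose to send.
SAMPLES = [
    {"Referer": "https://my-site.com/test.html"},
    {"Referer": "http://my-site.com/test.html"},     # http, the policy lists https only
    {"Referer": "http://localhost/test.html"},
    {"Referer": "https://my-site.com.example/x"},    # host merely starts with my-site.com
    {},                                              # URL typed into the address bar
]

if __name__ == "__main__":
    for headers in SAMPLES:
        allowed = statement_matches(POLICY["Statement"][0], headers)
        print(headers.get("Referer", "(no Referer)"), "->", allowed)
```

Only the first sample satisfies the statement: the `http://` form of the site's own page does not match the `https://` pattern, and neither does a request with no `Referer` at all.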
Given that CloudFront currently does not let you directly restrict access (to the best of my understanding), I would do something like:
```html
<video src="/media.php?v=my-video.mp4"></video>
```

Then your `media.php` file looks like:
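```php
<?php
// The Referer header is a full URL, so compare only its host part.
// Requests that send no Referer at all are let through.
if (isset($_SERVER['HTTP_REFERER'])
    && parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) !== 'my-site.com')
{
    header('HTTP/1.1 503 Hot Linking Not Permitted');
    // display some message / image / video
    exit;
}
# this base url changes from time to time
$url = 'http://cdn.my-site.com';
// basename() keeps only the file name, so ?v= cannot steer the redirect to another path
$file = rawurlencode(basename($_GET['v'] ?? ''));
header("Location: $url/$file");
```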
To make it less obvious, you may want to set up a rewrite to route `/media/my-video.mp4` into the file. That way, it doesn't look like there is an intermediate PHP script.
Exactly how you do the referrer check depends on the level of security you want. Some people disable referrers, so you may want to allow empty ones. Or you could even check to see if a session variable or cookie exists, etc.
Of course, the end user will be able to sniff out the real URL. This is why you may want to change your CNAME from time to time.
This solution is hopefully good enough to discourage people from abusing your site, but is by no means perfect.