← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #34005

[Bug 1567208] [NEW] HTML5 videos on non-public pages can't play on LG Android 5.0 Chrome

  Thread PreviousDate PreviousThread Next 
Public bug reported:

I noticed this bug when trying to play HTML5 videos from Mahara, in my
phone (an LG G2 Mini, running ANdroid 5.0). Some videos worked fine;
others showed up as a black box. That is, JSPlayer would load it as if
the video's thumbnail was a black rectangle. It would show the "big play
button" indicating ready to play, and clicking that would cause the
player controls to display and then fade, as if a video was successfully
playing. But the play bar wouldn't move forward, and no content would be
displayed.

After poring through the server logs, it appears that what is happening,
is that Android Chrome doesn't actually request the media files itself.
Instead, it delegates this to the OS's mediaplayer (called "stagefright"
in stock Android), which makes the HTTP requests. In my phone, LG has
replaced stagefright with its own program that has the user-agent
"Player/LG Player 1.0 for ANdroid 5.0.2 (stagefright alternative)"

The bug appears to be that LG Player, when making these requests, does
*not* use the cookies from the current browser session. So the request
seems to be coming from a logged-out user. If the page of the video is
not public, Mahara responds to the request for download.php with a 303
redirect to the login page. The LG Player follows this redirect,
receives the HTML from the login page, and hands it back to Chrome as if
it were the video. Chrome then treats it as an invalid video file, hence
the blacked out player.

It seems there was a similar bug in stock Android (with Chrome and
stagefright), which may have only applied to cookies that were set to
"HttpOnly". See https://code.google.com/p/android/issues/detail?id=66050
. That bug was resolved over a year ago.

We do use the "HttpOnly" flag on our session cookie in Mahara. However,
this problem still occurred after I disabled HttpOnly, so it looks like
this is a separate issue, probably a bug in the LG Player. (Which is not
surprising, because phone manufacturers tend to be pretty lax on fixing
bugs in their customized Android distributions.)

** Affects: mahara
     Importance: Low
         Status: Confirmed

** Changed in: mahara
    Milestone: None => 16.04.0

** Changed in: mahara
   Importance: Undecided => Low

** Changed in: mahara
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1567208

Title:
  HTML5 videos on non-public pages can't play on LG Android 5.0 Chrome

Status in Mahara:
  Confirmed

Bug description:
  I noticed this bug when trying to play HTML5 videos from Mahara, in my
  phone (an LG G2 Mini, running ANdroid 5.0). Some videos worked fine;
  others showed up as a black box. That is, JSPlayer would load it as if
  the video's thumbnail was a black rectangle. It would show the "big
  play button" indicating ready to play, and clicking that would cause
  the player controls to display and then fade, as if a video was
  successfully playing. But the play bar wouldn't move forward, and no
  content would be displayed.

  After poring through the server logs, it appears that what is
  happening, is that Android Chrome doesn't actually request the media
  files itself. Instead, it delegates this to the OS's mediaplayer
  (called "stagefright" in stock Android), which makes the HTTP
  requests. In my phone, LG has replaced stagefright with its own
  program that has the user-agent "Player/LG Player 1.0 for ANdroid
  5.0.2 (stagefright alternative)"

  The bug appears to be that LG Player, when making these requests, does
  *not* use the cookies from the current browser session. So the request
  seems to be coming from a logged-out user. If the page of the video is
  not public, Mahara responds to the request for download.php with a 303
  redirect to the login page. The LG Player follows this redirect,
  receives the HTML from the login page, and hands it back to Chrome as
  if it were the video. Chrome then treats it as an invalid video file,
  hence the blacked out player.

  It seems there was a similar bug in stock Android (with Chrome and
  stagefright), which may have only applied to cookies that were set to
  "HttpOnly". See
  https://code.google.com/p/android/issues/detail?id=66050 . That bug
  was resolved over a year ago.

  We do use the "HttpOnly" flag on our session cookie in Mahara.
  However, this problem still occurred after I disabled HttpOnly, so it
  looks like this is a separate issue, probably a bug in the LG Player.
  (Which is not surprising, because phone manufacturers tend to be
  pretty lax on fixing bugs in their customized Android distributions.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1567208/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next