
mahara-contributors team mailing list archive

[Bug 1567208] Re: HTML5 videos on non-public pages can't play on LG Android 5.0 Chrome

 

The only solution to this that I can think of would be to allow for
URL-based authentication of videos in Mahara. In other words, when a
user visits a page (possibly only a user who we have sniffed is using an
affected mobile browser), instead of showing them the normal
download.php?id=X&view=X URL, we show them a download.php?token=X URL.
The token would be randomly generated as needed for each user, would
only be valid until the user's session ends, and would allow viewing of
the video in a way that bypasses the normal authentication process.

However... that would be a lot of work. And we'd need a cron job to
clean up old tokens for expired sessions.

Another possible way to mitigate this problem is to detect when a video
is being requested for display via HTML5, and in those cases instead of
redirecting unauthorized users to the login page, we return an HTML
error page. We could make all the file-serving scripts behave in that
way all of the time... but that would be less friendly in the case of a
user who actually is trying to click on a download link for a file.
Similarly we could base it on whether the request includes a "Range:"
header (which a browser will normally only use when it's expecting a
large binary file), but again I don't think that's too reliable.

So maybe the best thing would be to add a flag to the URL that indicates
that the file is being requested for embedding rather than direct
download. We already do that for images embedded via TinyMCE, anyway.

https://bugs.launchpad.net/bugs/1567208

Title:
  HTML5 videos on non-public pages can't play on LG Android 5.0 Chrome

Status in Mahara:
  Confirmed

Bug description:
  I noticed this bug when trying to play HTML5 videos from Mahara, in my
  phone (an LG G2 Mini, running Android 5.0). Some videos worked fine;
  others showed up as a black box. That is, JSPlayer would load it as if
  the video's thumbnail was a black rectangle. It would show the "big
  play button" indicating ready to play, and clicking that would cause
  the player controls to display and then fade, as if a video was
  successfully playing. But the play bar wouldn't move forward, and no
  content would be displayed.

  After poring through the server logs, it appears that what is
  happening is that Android Chrome doesn't actually request the media
  files itself. Instead, it delegates this to the OS's mediaplayer
  (called "stagefright" in stock Android), which makes the HTTP
  requests. In my phone, LG has replaced stagefright with its own
  program that has the user-agent "Player/LG Player 1.0 for ANdroid
  5.0.2 (stagefright alternative)"

  The bug appears to be that LG Player, when making these requests, does
  *not* use the cookies from the current browser session. So the request
  seems to be coming from a logged-out user. If the page of the video is
  not public, Mahara responds to the request for download.php with a 303
  redirect to the login page. The LG Player follows this redirect,
  receives the HTML from the login page, and hands it back to Chrome as
  if it were the video. Chrome then treats it as an invalid video file,
  hence the blacked out player.

  It seems there was a similar bug in stock Android (with Chrome and
  stagefright), which may have only applied to cookies that were set to
  "HttpOnly". See
  https://code.google.com/p/android/issues/detail?id=66050 . That bug
  was resolved over a year ago.

  We do use the "HttpOnly" flag on our session cookie in Mahara.
  However, this problem still occurred after I disabled HttpOnly, so it
  looks like this is a separate issue, probably a bug in the LG Player.
  (Which is not surprising, because phone manufacturers tend to be
  pretty lax on fixing bugs in their customized Android distributions.)

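A sketch of two of the mitigations proposed in the comment above (session-scoped download.php?token=X tokens, and an embed flag that turns the login redirect into an error), as an added example that is not Mahara's code or part of the original message. It is written in Python rather than Mahara's PHP; the class and function names, the in-memory store and the 403 status are assumptions.

```python
import hashlib
import secrets


class MediaTokenStore:
    """Session-scoped tokens for download.php?token=X style URLs (hypothetical)."""

    def __init__(self):
        # sha256(token) -> (session_id, file_id); raw tokens are never stored,
        # so a leaked token table cannot be replayed as URLs.
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, session_id, file_id):
        """Mint a token bound to one session and one file."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (session_id, file_id)
        return token

    def resolve(self, token, live_sessions):
        """Return the file id the token unlocks, or None if it must be refused."""
        entry = self._tokens.get(self._digest(token))
        if entry is None:
            return None
        session_id, file_id = entry
        # The token is only valid while the session that minted it is alive.
        if session_id not in live_sessions:
            return None
        return file_id

    def purge(self, live_sessions):
        """Cleanup pass (the cron job): drop tokens whose session has ended."""
        dead = [d for d, (sid, _) in self._tokens.items()
                if sid not in live_sessions]
        for d in dead:
            del self._tokens[d]
        return len(dead)


def response_status(authorized, embed):
    """Embedded media gets an error status; a direct download link still
    gets the 303 redirect to the login page. 403 is an assumed choice."""
    if authorized:
        return 200
    return 403 if embed else 303
```

Because the token travels in the URL and bypasses cookie authentication, binding it to a single file and a live session limits what a token leaked through logs or Referer headers can fetch.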

