December 29, 2014

Cross-domain policy and access control in Nimble Streamer

Protecting web clients against vulnerabilities is one of the core features for safe web browsing. This is why popular platforms use various mechanisms to improve the security. This also includes video playback scenarios. Typically it's covered cross-origin resource sharing (CORS) mechanisms. Nimble Streamer needs to handle those cases.

Cross-domain policy file


For instance, many web media players use the "crossdomain.xml" file. It's a cross-domain policy file which gives the player permission to talk to servers other than the one it's hosted on.

As per Adobe, a cross-domain policy file is an XML document that grants a web client permission to handle data across multiple domains. When a client hosts content from a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain would need to host a cross-domain policy file that grants access to the source domain, allowing the client to continue with the transaction.

Nimble Streamer allows specifying this file content. It is done via configuration file located at /etc/nimble/nimble.conf . Please refer to Nimble config file format for more details.

Use the following parameter to specify the domain within the XML file:
crossdomain_xml_allow_access_from_domain = <your.domain>
E.g. crossdomain_xml_allow_access_from_domain = wmspanel.com

If you'd like to define complete file content, you can create crossdomain.xml with XML based on Adobe's spec examples, like this:
<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*" secure="false"/></cross-domain-policy>
Once it's ready, save it to local directory and point Nimble to it via crossdomain_xml parameter:
crossdomain_xml = /etc/nimble/crossdomain.xml
The file content will be returned to a client as soon as it's requested.

Cross-origin resource sharing


Another technique is cross-origin resource sharing. Players may require Access-Control-Allow* headers in server responses. You can use the following parameters for that:
access_control_allow_origin = <some value>
access_control_allow_credentials = <some value>
access_control_expose_headers = <content-length>
access_control_allow_headers = <some value>
Some of possible values are
access_control_allow_origin = *
access_control_allow_credentials = true
access_control_expose_headers = 2459768
access_control_allow_headers = Range
or
access_control_allow_origin = http://your.domain.com
You may refer to W3C to get more details.


Important
: to apply config changes, please re-start Nimble instance by running:
sudo service nimble restart

Please read more about config file format here.

P2P streaming


You can also see example of CORS headers usage in the StreamRoot P2P streaming article featuring Nimble Streamer.


Related documentation


Nimble StreamerNimble Streamer APINimble Streamer configurationNimble Streamer performance tuning, SSL support for HLS, DASH, Icecast and MPEG-TS streaming,

No comments:

Post a Comment