Closed Bug 1607336 Opened 6 years ago Closed 5 years ago

DRM videos as served on https://www.maxdome.de don't play in Firefox on Linux (Mint)

Categories

(Web Compatibility :: Site Reports, defect)

Product:
Web Compatibility
Component:
Site Reports
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: whimboo, Unassigned)

Details

I got a report that requesting a video as protected with DRM on https://www.maxdome.de/ doesn't work when using Firefox on Linux (in this case Mint 19). Trying to play such content end-up with the following failure:

Beim Lizenzabruf für das Video ist ein Fehler aufgetreten. Bitte lade die Seite neu und versuche es erneut."

In English:

There was failure when trying to retrieve a license for the video. Please reload the page and try it again.

Important is that it works just fine on that platform when using a Chromium based browser.

Thankfully I got a HAR file from the reporter, and it shows a 400 response for the POST request to:

https://prosieben.live.ott.irdeto.com/widevine/getlicense?CrmId=prosieben&AccountId=prosieben&ContentId=986215&SessionId=xyz&Ticket=xyz

Inside the Post data I can see the following data:

architecture_name x86-64
company_name Google
model_name	ChromeCDM
platform_name Linux
widevine_cdm_version  4.10.1196.02

The rest of the data is encrypted.

Headers of the request:

Host: prosieben.live.ott.irdeto.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3831.6 Safari/537.36
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://astore.maxdome.de/
Content-Length: 1744
Origin: https://store.maxdome.de
DNT: 1
Connection: keep-alive

The user agent looks strange, which is maybe a left over from emulating different ones over the couple of months just to get the playback working. Maybe it might be related? I asked to reset it, and to try again.

Requesting with the wrong UA string could result in broken behavior - interested to see what happens when they identify as Firefox.

When the Widevine CDM generates a license request it is exposed to the site via a JS event, the site is then responsible for shipping that information to the license server and returning a response to Firefox. I.e.

Widevine CDM and Firefox <-> Site <-> License Server

What happens in the exchange between the site and the license server is typically a mystery to the user agent aside from information provided via error messages. In extreme cases the error received may not correctly reflect the issue (as the site generates the message).

The request created by the CDM will identify the OS the CDM is hosted on. It also contains information on if Widevine and the browser are signed, and Widevine do not sign the Linux CDM. My initial thought was that the site could be blocking non-signed CDMs which excludes all Linux Widevine usage, but this is not the case since Chrome works. It's possible the site gets grumpy at the UA and the Widevine license request not matching and refuses to give back a license.

It might take up to the next weekend until we could get a response if it works with the reverted user agent string.

One more thing, which comes into my mind, does Linux Mint maybe build their own Firefox that is not signed? Given Bryce's feedback this could also be the reason. I will request to test with an official Linux build as we offer for download.

(In reply to Henrik Skupin (:whimboo) [⌚️UTC+1] from comment #4)

It might take up to the next weekend until we could get a response if it works with the reverted user agent string.

One more thing, which comes into my mind, does Linux Mint maybe build their own Firefox that is not signed? Given Bryce's feedback this could also be the reason. I will request to test with an official Linux build as we offer for download.

It can't hurt to try an official build. Since Widevine don't include a signature for their shared object on Linux (even in Chrome), my understanding is that the validation process will never pass for any browser on Linux -- there isn't a "browser validated but Widevine not validated" state we could reach via an official build that distro builds would not. However, we've seen problems in the past where custom builds would set flags that trigger the validation code in cases where it's undesirable (such as in the Linux context). This can be problematic due to the (unintuitive) feature that validation without signatures results in a more severe state than simply not validating.

I just tested myself to play some DRM protected videos on Linux Mint 19.3 with the default installation of Firefox (71.0) and that works just fine at least for Amazon Prime Video. Also by forcing the strange User Agent string the video still keeps running fine.

So I would assume this is really a webcompat issue with MaxDome. Sadly I don't have an account there myself.

Note that MaxDome will reach its end of life this summer as reported by various tech sites like Golem.

As such I don't think that there is anything we should do on this bug anymore.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.