Bug 584480 - Referrer header missing from video (and audio) requests
Status: RESOLVED FIXED
Whiteboard: [sg:want] server dos-prevention
Product: Core
Classification: Components
Component: Audio/Video
Version: Trunk
Platform: x86 All
Importance: -- major
Target Milestone: ---
Assigned To: cajbir (:cajbir)
Triage Owner: Maire Reavy [:mreavy] Please needinfo me
Mentors:
URL: http://jsbin.com/izari3/2
Depends on:
Blocks: referer
Reported: 2010-08-04 13:11 PDT by Remy Sharp
Modified: 2010-09-16 13:30 PDT (History)
CC: 8 users
Flags: benjamin: in-testsuite?
Tracking flags: final+, wanted, wanted, wanted

Attachments:
Send Referer header with media requests (3.56 KB, patch), 2010-08-11 18:02 PDT, cajbir (:cajbir), roc: review+
Test that referer is sent (3.66 KB, patch), 2010-09-15 12:44 PDT, cajbir (:cajbir), no flags
Test that referer is sent (4.40 KB, patch), 2010-09-15 16:57 PDT, cajbir (:cajbir), roc: review+
Rolled up and rebased patch (6.30 KB, patch), 2010-09-16 10:38 PDT, cajbir (:cajbir), cajbir.bugzilla: review+

Description Remy Sharp 2010-08-04 13:11:12 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

All HTTP requests in the browser send a referrer header, except those for the new video, source and audio elements.  This means that we can't prevent someone from hotlinking the content from a site by using a simple referral check technique.

This recently took down my server because a very high traffic site was linking directly to the video and the server couldn't cope.  I should have been able to prevent it from continuing by preventing hotlinking, but there's no referrer header being sent (all other headers are fine).  Opera does this correctly and sends the headers.

The result was I had to remove the video entirely from http://html5demos.com/video

Reproducible: Always

Steps to Reproduce:
Run this HTML and inspect the request headers in Firebug - a plain image and script are there for reference:

<!DOCTYPE html>
<title>video refer test</title>
<body>
<!-- plain image and script are included for reference: these do send Referer -->
<img src="image-for-reference" />
<video src="video-via-src-attribute"></video>
<video>
  <!-- <source> is a void element, so it takes no closing tag -->
  <source src="video-via-src-element">
</video>
<script src="script-for-reference"></script>
</body>
Actual Results:
No referrer headers on the video, but we do have them on the image and script.

Expected Results:
Correct referrers for media elements.
Comment 1 Daniel Veditz [:dveditz] 2010-08-11 15:53:24 PDT
This is a valid bug and an important anti-abuse feature as described above.
Comment 2 cajbir (:cajbir) 2010-08-11 18:02:51 PDT
Created attachment 465058
Send Referer header with media requests
Comment 3 Robert O'Callahan (:roc) (email my personal email if necessary) 2010-08-11 18:28:32 PDT
Comment on attachment 465058
Send Referer header with media requests

Could use a test
Comment 4 cajbir (:cajbir) 2010-09-15 12:44:08 PDT
Created attachment 475592
Test that referer is sent

For the test I have an sjs that checks the referer. If it exists, it returns a video; otherwise it returns a 404.
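The two Referer checks this thread talks about, the reporter's hotlink guard in the description and the presence check in the sjs from comment 4, written out as an added example in Node.js. This is not code from the bug, from html5demos.com or from Firefox's test suite; the allowed-host list and the sample request headers are constructed for illustration, modelled on the reporter's test page (the image request carries a Referer, the video request from the affected Firefox build does not).

```javascript
// Added example, not part of the bug or of Mozilla's test suite.
// Runs offline: requests are plain header objects constructed below.

// Hosts allowed to embed our media. Hypothetical values for the example.
const ALLOWED_HOSTS = new Set(["html5demos.com", "www.html5demos.com"]);

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

// Mirrors the test server described in comment 4: if any Referer is
// present, serve the media; if the header is absent, answer 404.  This
// only detects the *absence* of the header, which is what the test needs.
function refererPresentHandler(headers) {
  const referer = getHeader(headers, "Referer");
  if (referer === null || referer === "") {
    return { status: 404, body: "" };
  }
  return { status: 200, body: "<media bytes>" };
}

// Site-owner variant: serve only when the Referer host is on the allowlist.
// What to do with a *missing* Referer is a policy choice: browsers omit it
// legitimately (typed URLs, Referrer-Policy, privacy settings), and before
// this bug was fixed Firefox omitted it for every media request, so a strict
// policy would have blocked the site's own visitors.
function hotlinkGuard(headers, { allowMissing = true } = {}) {
  const referer = getHeader(headers, "Referer");
  if (referer === null || referer === "") {
    return allowMissing
      ? { status: 200, body: "<media bytes>" }
      : { status: 403, body: "" };
  }
  let host;
  try {
    host = new URL(referer).hostname; // WHATWG URL lowercases the host
  } catch (e) {
    // Unparseable Referer: treat as a hotlink attempt rather than crashing.
    return { status: 403, body: "" };
  }
  if (ALLOWED_HOSTS.has(host)) {
    return { status: 200, body: "<media bytes>" };
  }
  return { status: 403, body: "" };
}

// Constructed sample requests (not captured traffic), after the reporter's
// test page: <img> sent a Referer, <video> in Firefox 3.6 did not, and a
// third-party page hotlinking the video sends its own origin as Referer.
const SAMPLE_REQUESTS = {
  image: { Host: "html5demos.com", Referer: "http://html5demos.com/video" },
  videoNoReferer: { Host: "html5demos.com", Accept: "video/*" },
  hotlinked: { Host: "html5demos.com", Referer: "http://example.org/embed" },
};

// Run every sample through both checks; returns status codes keyed by sample.
function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = {
      presenceCheck: refererPresentHandler(headers).status,
      guardStrict: hotlinkGuard(headers, { allowMissing: false }).status,
      guardLenient: hotlinkGuard(headers).status,
    };
  }
  return out;
}

console.table(runSamples());
```

Two caveats a practitioner should keep in mind: a Referer check stops accidental hotlinking by other web pages, not a deliberate client, since any non-browser client can set the header to whatever it likes; and the lenient policy above is the one most sites need, because a missing Referer is common for reasons unrelated to hotlinking.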
Comment 5 Robert O'Callahan (:roc) (email my personal email if necessary) 2010-09-15 13:38:14 PDT
The test is only going to work if Ogg is enabled. I think you could take the filename as a query parameter in the URL, then the test JS can select a file name that's supported and pass that to the sjs.
Comment 6 cajbir (:cajbir) 2010-09-15 13:40:26 PDT
Yeah I did it this way because we took the same approach in another bug after discussion that we always have ogg enabled in our test machines.
Comment 7 cajbir (:cajbir) 2010-09-15 13:51:10 PDT
I'll change it to not need any specific backend.
Comment 8 cajbir (:cajbir) 2010-09-15 16:57:52 PDT
Created attachment 475705
Test that referer is sent

Changes the test to iterate through one of the manifest lists of files, look only for those we can play, and test the referer on them.
Comment 9 cajbir (:cajbir) 2010-09-16 10:38:11 PDT
Created attachment 475898
Rolled up and rebased patch

Rolled up patch and rebased to trunk. Carried r+ forward.