Protected music & video files get 401 on CSS even if authenticated #373
Comments
Presumably this is the line that needs to change: solid-panes/src/audio/audioPane.js Line 159 in 32b73b7
@josephguillaume yes I have created the https://github.com/SolidOS/solid-panes/tree/fetchMediaStreams branch
I've never worked with ReadableStream before, so I might start by reading up and then see. Thanks!
Found some documentation using
There is also
Thanks. Everything I found so far was similarly involved. This one was the clearest but still ends up requiring specifying a codec, and the example uses split audio and video streams (hopefully not necessary!). I'm not sure I'll get to it today, so if the solution becomes clear to you, please do go ahead... The use of streams of variable quality was interesting too. I've already been thinking with slideshow that my photos are too large and take too long to load. Depending on bandwidth, the same concept applies to audio and video streaming. It'd be interesting to see what we can do about this, potentially even without server support. Definitely a new longer term issue though...
Given how simple the audio tag is and how complex the MediaSource is, I wonder whether we should be using this bug to explore the comment: https://forum.solidproject.org/t/is-it-secure-for-pods-to-serve-html-files/6379/9 A currently possible client-side solution would involve temporarily granting public access to the resource. If we had server-side support to specify redirects (solid/specification#136) then we could issue a temporary unguessable URL to provide a level of indirection/discourage linking directly to the resource. If we had server-side support to specify symlink-like behaviours within a pod, then the temporary URL could directly return the resource. To avoid completely public access, the server could support cookie or other built-in auth beyond the spec?? I.e. if solving this bug is urgent then maybe we just use the ACL solution. If it's not urgent, maybe we let the spec catch up?
For the records
Another possible solution came up that I wasn't aware of: apparently a service worker could be used to provide authenticated fetch behaviour, and it reportedly at least works on img tags. A fair bit of work would be needed still for the databrowser to install the service worker, and I believe we'd also need to confirm a secure way to pass tokens or an authenticated fetch function from the main thread to the service worker. |
When you try to play misc files which need you to be logged in, CSS returns a 401 error and the browser does nothing about it. Just like the problem with images in IMG tags in the HTML.
E.g. this fails:
https://timbl.com/timbl/Public/Test/Protected/Les_Hayden_-_01_-_Gift_Horse.mp3_.mp3
Compare with a public unprotected file, which doesn't have the same problem:
https://timbl.com/timbl/Public/Test/Music/Les%20Hayden/Proverbs/Les_Hayden_-_01_-_Gift_Horse.mp3_.mp3
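A simpler variant of the authenticated-fetch approach discussed in the comments, as an added example that is not solid-panes code: it buffers the whole file into a Blob instead of streaming it through MediaSource, so no codec has to be specified. `authFetch`, `TRUSTED_ORIGINS`, `loadProtectedMedia` and `https://pod.example` are assumptions made for illustration.

```javascript
// Added example (not solid-panes code). `authFetch` is an assumed parameter: any
// fetch-compatible function that attaches the signed-in user's credentials.
// Constructed sample value: the only origin credentials may be sent to.
const TRUSTED_ORIGINS = new Set(['https://pod.example']);

async function loadProtectedMedia(url, authFetch, trusted = TRUSTED_ORIGINS) {
  const target = new URL(url);
  // Credentials must never go to an origin the app did not expect, or over plain HTTP.
  if (target.protocol !== 'https:' || !trusted.has(target.origin)) {
    throw new Error(`refusing credentialed fetch to ${target.origin}`);
  }
  const response = await authFetch(target.href, { headers: { Accept: 'audio/*, video/*' } });
  // A bare <audio src> fails silently on these; surface them so the UI can ask for login.
  if (response.status === 401 || response.status === 403) {
    throw new Error(`not authorized (${response.status}): ${target.href}`);
  }
  if (!response.ok) throw new Error(`HTTP ${response.status}: ${target.href}`);
  // Only hand audio/video to the media element.
  const type = (response.headers.get('Content-Type') || '').split(';')[0].trim().toLowerCase();
  if (!/^(audio|video)\//.test(type)) {
    throw new Error(`unexpected content type: ${type || 'none'}`);
  }
  const blob = await response.blob();
  // The blob: URL is only valid in this document and holds the file in memory until released.
  const objectUrl = URL.createObjectURL(blob);
  return { objectUrl, type, size: blob.size, release: () => URL.revokeObjectURL(objectUrl) };
}

// Browser usage (hypothetical element and URL):
//   const media = await loadProtectedMedia(src, authFetch);
//   audioElement.src = media.objectUrl;
//   audioElement.addEventListener('ended', media.release, { once: true });
```

Because the whole file is held in memory, this suits short audio clips better than long video, where the streaming approach from the comments still applies.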