2
votes

I am using HLS streaming with the Amazon S3 and Cloud Front using the JWplayer.(With Rails)

I used the Signed URL to encrypt the URL and created an Origin Access Identity as given in the Amazon Cloud Front documentation. The Signed URL's are generated fine.

I also have a 'crossdomain.xml' file in my bucket which is allowing all the origins(I have given '*') Now, when I am trying to play my Hls video files from my bucket, I am getting crossdomain access denied issue

I think JW Player is trying to access the 'crossdomain.xml' file without the signed hash. So, it's getting that error.

I have tested my file in demo JWplayer Stream tester and this is the error I am getting in console.

Fetch API cannot load http://xxxxxxxx.cloudfront.net/xxx/1/1m_test.ts. 

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://demo.jwplayer.com' is therefore not allowed access. The response had HTTP status code 403.

If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Here is the ScreenShot.

Here is the ScreenShot.

Please help me out. Thank You.

This is the link I followed to configure my CloudFront Distribution

1

1 Answers

2
votes

I just had the same problem (but with the Flowplayer). I am not sure yet about security risks (and if all steps are needed), but I got it running with:

  • adding permissions on the crossdomain.xml for everyone to open/download
  • adding a behaviour in the cloudfront distribution only for crossdomain.xml without restricting access (above the behaviour for * with restricted access)
  • and then I noticed that in the bucket, the link to the crossdomain.xml was something like "https://some-server.amazonaws.com/bucket.name/%1Fcrossdomain.xml" (notice the weird %1F) and that when I went on rename of the crossdomain.xml, I could delete one invisible character on first position of the name (I didn't make the crossdomain.xml, so I am not sure how this happened)

Edit: I had hlsjs also running with this and making the crossdomain.xml accessible somehow disabled the CORS request. I am still looking into this.