HTML视频上的安全错误加载字幕
因此,我在HTML5视频上遇到了一些带有字幕的意外行为。
我将视频 +字幕文件存储在Google Cloud Storage上,并且有一个网络界面来观看电影。
我的服务器生成了电影和字幕文件的签名URL。电影播放正常,我可以使用URL查看字幕文本内容。但是,使用< track>不起作用:
<track label="my_subtitle_file" src="my_signed_url" srclang="en" kind="subtitles">
在firefox中,我有一个错误:
Security Error: Content at <my site> may not load data from <signed GCS url>
在chrome中,我会遇到一个略有不同的错误,但我想是同样的问题:
Unsafe attempt to load URL <signed GCS URL> from frame with URL <my site>.
Domains, protocols and ports must match.
我想我可以在我的后端上制作包装器端点,该端点获取文件的内容并为其提供服务。但是我想知道,还有另一种方法吗?为什么&lt; track&gt;节点具有这种严重的限制?
编辑
我在GCS存储桶中添加了CORS策略:
[
{
"origin": ["https://my-domain.com"],
"responseHeader": ["Content-Type"],
"method": ["GET"],
"maxAgeSeconds": 3600
}
]
在GCS控制台上,我也尝试删除“防止公共访问设置”。不过,我并没有将文件公开(我仍然需要需要预先签名的URL),但是GCS似乎有点Wierd,因为您可以在不实际公开的情况下转动“防止公共访问”。
so I'm encountering some unexpected behavior with subtitles on an HTML5 video.
I am storing my video + subtitles files on Google Cloud Storage and I have a web interface to watch the movies.
My server generates signed URLs for the movie and subtitle files. The movies play fine, and I can view the subtitle text content using the URL. However, using the <track> does not work:
<track label="my_subtitle_file" src="my_signed_url" srclang="en" kind="subtitles">
In Firefox I get an error:
Security Error: Content at <my site> may not load data from <signed GCS url>
In Chrome I get a slightly different error, but I imagine it's the same problem:
Unsafe attempt to load URL <signed GCS URL> from frame with URL <my site>.
Domains, protocols and ports must match.
I suppose I could make a wrapper endpoint on my backend, which fetches the content of the file and serves it. But I am wondering, is there another way? And why do <track> nodes have this severe restriction?
edit
I added a CORS policy to the GCS bucket:
[
{
"origin": ["https://my-domain.com"],
"responseHeader": ["Content-Type"],
"method": ["GET"],
"maxAgeSeconds": 3600
}
]
On the GCS Console I also tried removing the "prevent public access setting". I didn't make the files public though (I still want to require presigned URLs), but it seems GCS is kinda wierd in that you can turn of "prevent public access" without actually making it public.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
为此用例设置COR是不够的,因为有些浏览器甚至没有尝试提出HTTP请求来加载字幕。
因此,要加载来自外部域的字幕您需要:
crossorigin =“匿名”属于您的&lt; video&gt;标签。Setting up CORS for this use case is not enough because some browsers are not even trying to make HTTP request to load subtitles.
So to load subtitles from the external domain you need to:
Access-Control-Allow-Origin: *)crossorigin="anonymous"attribute to your<video>tag.