by amarshall 1034 days ago
Article has no body for me. Site appears to use an iframe whose src expects the Referer header to be sent, but I have `network.http.referer.XOriginPolicy = 1` set in FF about:config to reduce cross-origin leakage, so no Referer is sent.
1 comments

Great point. It is using Cloudflare Stream.

https://developers.cloudflare.com/stream/viewing-videos/usin...

Open to any recommendations for alternatives as I too am quite displeased with the state of such things. But still prefer it to YouTube.

I believe the media server is set to require referer to prevent embedding on alternative origins.

Seems to be https://developers.cloudflare.com/stream/viewing-videos/secu.... Probably can be disabled and replaced with short-lived signed tokens. Though perhaps Cloudflare could have used [more modern iframe restrictions][1].

[1]: https://w3c.github.io/webappsec-csp/#frame-ancestors-navigat...
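The three embed restrictions mentioned in this thread, side by side, as an added example that is not part of any comment and is not Cloudflare's code. The origin `https://blog.example`, the video id, the key and the HMAC token layout are assumptions made for illustration; the token scheme is a generic stand-in, not Cloudflare Stream's token format.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"            # constructed; not a real key
ALLOWED_ORIGINS = {"https://blog.example"}  # hypothetical embedding site

def referer_gate(headers):
    """Referer allowlist: the restriction the thread suspects is in use."""
    ref = headers.get("Referer")
    if not ref:
        return False  # a browser that withholds cross-origin Referer ends up here
    u = urlsplit(ref)
    return f"{u.scheme}://{u.netloc}" in ALLOWED_ORIGINS

def _sign(video_id, exp_s):
    mac = hmac.new(SECRET, f"{video_id}.{exp_s}".encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode().rstrip("=")

def mint_token(video_id, ttl, now=None):
    """Issued by the embedding site's backend and placed in the iframe src."""
    exp_s = str(int(time.time() if now is None else now) + ttl)
    return f"{exp_s}.{_sign(video_id, exp_s)}"

def token_gate(video_id, token, now=None):
    """Short-lived signed token: no dependence on any request header."""
    now = int(time.time() if now is None else now)
    exp_s, _, sig = token.partition(".")
    if not (exp_s.isascii() and exp_s.isdigit()):
        return False
    good = hmac.compare_digest(sig.encode(), _sign(video_id, exp_s).encode())
    return good and now < int(exp_s)

def embed_response_headers():
    """CSP frame-ancestors: the browser itself refuses to render the frame elsewhere."""
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(sorted(ALLOWED_ORIGINS))}
```

A viewer on the allowed site whose browser sends no cross-origin Referer fails `referer_gate` but passes `token_gate`, and the `frame-ancestors` header is enforced by the browser without any Referer being sent.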