Welcome to our forums! Please take a few moments to read through our Community Guidelines (also conveniently linked in the header at the top of each page). There, you'll find guidelines on conduct, tips on getting the help you may be searching for, and more!

Why is JW player accessed on a remote site ?

dlanordlanor Posts: 2,160Members, Plex Pass Plex Pass
Unacceptable demand for remote site script permission in local work
Like the topic title and description state, I am dissatisfied with the fact that even completely local use of the Plex/Web client/manager demands giving full script permissions to a remote site, in order to gain the ability for working video playback. This is really unacceptable.

The necessary player scripts/code should be embedded in the web server interface of PMS, not accessed from the remote site "jwpcdn.com".
Why should I trust them with total script control on my computers, especially when used in pure LAN access with no real need to access Internet ?
(ie: If anyone hacks their site, my computers are indirectly compromised whenever I use this client for playback, even of local media.)

This limitation also makes it impossible to use the Plex/Web client for playback on an offline LAN.

Best regards: dlanor

Comments

  • schuylerschuyler Plex Dev Team Posts: 3,787Members, Plex Employee, Plex Pass, Plex Ninja Plex Employee
    Good question!

    So, we're using JW Player for a variety of reasons. I'm not sure if those reasons are being questioned or not, but for now let's assume that that's a given. The actual player is part of the Plex/Web bundle, served by your PMS, not hosted on a remote server. However, that player insists on phoning home to do a license check. The request you're seeing to a JW Player CDN is to do that license check. And you're absolutely right that that license check being required means that playback in Plex/Web won't work when completely offline. That's a shame, and a great point, and something we'll look into.

    I'm not sure I follow regarding "full script permissions." Do you just mean that you need to allow the browser to run JavaScript from that domain? Do you normally use a script blocking setting/extension?
  • dlanordlanor Posts: 2,160Members, Plex Pass Plex Pass
    schuyler wrote:

    Good question!

    So, we're using JW Player for a variety of reasons. I'm not sure if those reasons are being questioned or not, but for now let's assume that that's a given.

    I'm not questioning the functionality of the player itself, but only of the remote script running demanded to allow the playback to work.

    The actual player is part of the Plex/Web bundle, served by your PMS, not hosted on a remote server. However, that player insists on phoning home to do a license check. The request you're seeing to a JW Player CDN is to do that license check.

    Surely such a check can be engineered to use only local scripts, rather than remote scripts. There's a huge difference security-wise.

    And you're absolutely right that that license check being required means that playback in Plex/Web won't work when completely offline. That's a shame, and a great point, and something we'll look into.

    Good. But if they really insist on a 'phone home' check for every invocation, then I guess there's no way around it. That rules out offline use...

    I'm not sure I follow regarding "full script permissions." Do you just mean that you need to allow the browser to run JavaScript from that domain?

    That's exactly what I mean, and giving such permission means that I entrust that site with my computers' security.

    Do you normally use a script blocking setting/extension?

    Yes I do. Doesn't everyone ? (They should !)
    I enable script permission only for sites that I trust.

    Possibly the JW Player site may be trustworthy, but I resent being forced to let them run remote scripts on my computer, when I'm using it for the purely local operation of letting one of my computers play media via the PMS server on another computer in the same LAN.

    I don't mind very much that they use a 'phone home' script locally.
    What I do mind is that they demand execution of a remote script, in order to allow playback.

    Best regards: dlanor
  • mike.chengmike.cheng Posts: 40Members, Plex Pass Plex Pass
    edited November 2012
    schuyler wrote:

    Good question!

    So, we're using JW Player for a variety of reasons. I'm not sure if those reasons are being questioned or not, but for now let's assume that that's a given. The actual player is part of the Plex/Web bundle, served by your PMS, not hosted on a remote server. However, that player insists on phoning home to do a license check. The request you're seeing to a JW Player CDN is to do that license check. And you're absolutely right that that license check being required means that playback in Plex/Web won't work when completely offline. That's a shame, and a great point, and something we'll look into.

    I'm not sure I follow regarding "full script permissions." Do you just mean that you need to allow the browser to run JavaScript from that domain? Do you normally use a script blocking setting/extension?



    I think this is what he means by "full script permissions":

    http://stackoverflow.com/questions/2113220/what-security-considerations-concerns-should-be-addressed-when-using-cdn-hoste
    http://stackoverflow.com/questions/129053/how-does-googles-javascript-api-get-around-the-cross-domain-security-in-ajax
    http://wonko.com/post/javascript-ssl-cdn (note: this site talks about ssl, but it applies without ssl too)

    Basically the issue is that we now have to trust that jwpcdn is safe. The player loads up this javascript file and executes it: https://ssl.p.jwpcdn.com/6/0/jwpsrv.js
    By using the player, we assume that no one will compromise their servers or that they wont inject code into your clients to steal information.
    It's not really an issue in this case since JWPlayer does seem trustworthy and is used on alot of big sites.
  • MarcFBRMarcFBR Posts: 56Members, Plex Pass Plex Pass
    dlanor, can you confirm the address it's dialing home to?

    I want to confirm this is the same thing I'm seeing.
  • dlanordlanor Posts: 2,160Members, Plex Pass Plex Pass
    MarcFBR wrote:

    dlanor, can you confirm the address it's dialing home to?

    I want to confirm this is the same thing I'm seeing.

    I was using the Firefox browser, with the NoScript add-on protecting against unauthorized script invocation.

    In order to make the Plex/Web playback work I then had to whitelist the site "jwpcdn.com".

    I don't recall the precise URL right now, but it probably was what mike.cheng described in his post.

    Best regards: dlanor
  • MarcFBRMarcFBR Posts: 56Members, Plex Pass Plex Pass
    dlanor wrote:

    I was using the Firefox browser, with the NoScript add-on protecting against unauthorized script invocation.

    In order to make the Plex/Web playback work I then had to whitelist the site "jwpcdn.com".

    I don't recall the precise URL right now, but it probably was what mike.cheng described in his post.

    Best regards: dlanor


    This appears to be something different then...

    I discovered an IP in it. I had originally believe I had somehow been malwared. But was able to confirm that wasn't the case, and that at random times a few other people had seen it also. So it appears to be a different issue (I to use NoScript and check it.)

    If you see 75.72.156.155 let me know would you?
  • dlanordlanor Posts: 2,160Members, Plex Pass Plex Pass
    MarcFBR wrote:

    This appears to be something different then...

    I discovered an IP in it. I had originally believe I had somehow been malwared. But was able to confirm that wasn't the case, and that at random times a few other people had seen it also. So it appears to be a different issue (I to use NoScript and check it.)

    If you see 75.72.156.155 let me know would you?
    I've made a note of that IP, but so far I haven't noticed anything like that. But then again, I haven't been searching web-page sources for it, so it may well have been embedded somewhere without me knowing. As long as it doesn't invoke scripts Firefox and NoScript would not call attention to it.

    Where/how did you notice it ?

    Best regards: dlanor
  • MarcFBRMarcFBR Posts: 56Members, Plex Pass Plex Pass
    dlanor wrote:

    I've made a note of that IP, but so far I haven't noticed anything like that. But then again, I haven't been searching web-page sources for it, so it may well have been embedded somewhere without me knowing. As long as it doesn't invoke scripts Firefox and NoScript would not call attention to it.

    Where/how did you notice it ?

    Best regards: dlanor


    Around the last Plex update I noticed Plex/Web wasn't loading properly, so I decided to check NoScript. Noticed it was in there. Plex/Web seems to work fine if it's allowed, but not at all if it'd blocked (which I have noscript set to do by default.)

    Someone in the chatroom went and had a look and didn't see it, but then saw it later, which at least confirmed it wasn't malware on my machine. At first it was decided it was the issue you were describing. Then I went to the player and noticed a jwplayer url show up. So it seemed to be something different. It doesn't seem to always show up though, and not everyone sees it.
  • TimdoggTimdogg Posts: 1Members, Plex Pass

    Hi, just wondering if folks were still seeing this problem?  Apparently it can be disabled by turning off jwplayer analytics.  There was a bug that even disabled, it would still call home. (http://developer.longtailvideo.com/trac/ticket/1815) but it has been fixed in the latest JWPlayer version.

    Just figured I would ask!

  • ericmatthysericmatthys Plex Employee Posts: 3,100Members, Plex Employee, Plex Pass Plex Employee
    Timdogg wrote on June 7 2013, 3:39 AM: »

    Hi, just wondering if folks were still seeing this problem?  Apparently it can be disabled by turning off jwplayer analytics.  There was a bug that even disabled, it would still call home. (http://developer.longtailvideo.com/trac/ticket/1815) but it has been fixed in the latest JWPlayer version.

    Just figured I would ask!

    Good find. I didn't realize that was a bug / is fixed now. I'll add this to the next update.

  • baxxobaxxo Posts: 25Members, Plex Pass Plex Pass

    I'm using PMS 0.9.9.12 and jwplayer analytics seems to be turned back on.

    At least I had to accept running scripts from jwpcdn.com to be aple to play something in my browser just now (not usually the player I use).

  • SopranoMomSopranoMom Posts: 1Members
    baxxo wrote on June 21 2014, 8:03 AM: »

    I'm using PMS 0.9.9.12 and jwplayer analytics seems to be turned back on.

    At least I had to accept running scripts from jwpcdn.com to be aple to play something in my browser just now (not usually the player I use)

    Before I fire up Plex on my new server, has this problem been fixed yet? And my thanks to Dlanor for bringing this up.

  • baxxobaxxo Posts: 25Members, Plex Pass Plex Pass
    SopranoMom wrote on January 22 2015, 6:55 PM: »

    Before I fire up Plex on my new server, has this problem been fixed yet? And my thanks to Dlanor for bringing this up.

    Unfortunately not. We really should get an option to opt out of this kind of tracking.

  • baxxobaxxo Posts: 25Members, Plex Pass Plex Pass
    ericmatthys wrote on June 7 2013, 1:17 PM: »

    Good find. I didn't realize that was a bug / is fixed now. I'll add this to the next update.

    Can you fix it again?

  • ericmatthysericmatthys Plex Employee Posts: 3,100Members, Plex Employee, Plex Pass Plex Employee

    We haven't changed anything on our end to re-enable analytics. It looks like disabling analytics now requires an enterprise license.

  • ericmatthysericmatthys Plex Employee Posts: 3,100Members, Plex Employee, Plex Pass Plex Employee

    Keep in mind that we are trying to move away from the Flash player and toward our own HTML-based player. Unfortunately, Firefox sticks out as a browser that does not have the capabilities necessary to support playback of transcoded videos without the Flash player. Chrome and IE11 should be able to use the HTML-based player in most circumstances.

  • ScottAliGatorScottAliGator Posts: 20Members ✭✭

    why are you running away from flash player, Silverlight player and instead run on jw player( which btw cancels full screen as soon as you go to the next video on the playlist so you have to endlessly go clicking full screen which when your trying to chill out in bed and just want to nod off and have to re enlarge screen every 20 mins to half an hour .....and find a way to get firefox to work! do you not want custom?) is it because google have removed silverlight and trying to remove flash and thought you would jump on the band wagon,i used to be a fan of google chrome to an absolute hater, they track you they stop you watching sky go and other movie and video streaming site what douche bags......don't do this, go back to where you were about 12 months ago where everything was compatible. wether it be .mkv not playing on windows 10 server (local or host) or removing flash player or all this transcoding crap put it back to direct streaming only and if you cannot watch it you only need install the specific video codec on that device, sort it out plex god damn it I used to pay for this service I don't anymore until you fix it, its garbage

  • dlanordlanor Posts: 2,160Members, Plex Pass Plex Pass

    @ScottAliGator:
    This thread was created to deal with one specific issue: The 'phone home' script requirements of 'JW Player' as used in the Plex/Web client. For more generic issues with the direction in which Plex Inc is aiming current development efforts you really should open a new thread, dedicated to those issues. Otherwise they are likely to dismiss your input as 'off topic'.

    Best regards: dlanor

Sign In or Register to comment.