Why is JW player accessed on a remote site ?


10 replies to this topic

#1 dlanor

dlanor

    Rock Star

  • Members
  • 886 posts
  • Location: Stockholm, Sweden

Posted 20 November 2012 - 11:46 PM

Like the topic title and description state, I am dissatisfied with the fact that even completely local use of the Plex/Web client/manager demands giving full script permissions to a remote site, in order to gain the ability for working video playback. This is really unacceptable.

The necessary player scripts/code should be embedded in the web server interface of PMS, not accessed from the remote site "jwpcdn.com".
Why should I trust them with total script control on my computers, especially when used in pure LAN access with no real need to access Internet ?
(ie: If anyone hacks their site, my computers are indirectly compromised whenever I use this client for playback, even of local media.)

This limitation also makes it impossible to use the Plex/Web client for playback on an offline LAN.

Best regards: dlanor

#2 schuyler

schuyler

    Plex Dev Team

  • Plex Employee
  • 3338 posts

Posted 21 November 2012 - 12:45 AM

Good question!

So, we're using JW Player for a variety of reasons. I'm not sure if those reasons are being questioned or not, but for now let's assume that that's a given. The actual player is part of the Plex/Web bundle, served by your PMS, not hosted on a remote server. However, that player insists on phoning home to do a license check. The request you're seeing to a JW Player CDN is to do that license check. And you're absolutely right that that license check being required means that playback in Plex/Web won't work when completely offline. That's a shame, and a great point, and something we'll look into.

I'm not sure I follow regarding "full script permissions." Do you just mean that you need to allow the browser to run JavaScript from that domain? Do you normally use a script blocking setting/extension?

#3 dlanor

dlanor

    Rock Star

  • Members
  • 886 posts
  • Location: Stockholm, Sweden

Posted 21 November 2012 - 01:36 AM

Good question!

So, we're using JW Player for a variety of reasons. I'm not sure if those reasons are being questioned or not, but for now let's assume that that's a given.

I'm not questioning the functionality of the player itself, but only of the remote script running demanded to allow the playback to work.

The actual player is part of the Plex/Web bundle, served by your PMS, not hosted on a remote server. However, that player insists on phoning home to do a license check. The request you're seeing to a JW Player CDN is to do that license check.

Surely such a check can be engineered to use only local scripts, rather than remote scripts. There's a huge difference security-wise.

And you're absolutely right that that license check being required means that playback in Plex/Web won't work when completely offline. That's a shame, and a great point, and something we'll look into.

Good. But if they really insist on a 'phone home' check for every invocation, then I guess there's no way around it. That rules out offline use...

I'm not sure I follow regarding "full script permissions." Do you just mean that you need to allow the browser to run JavaScript from that domain?

That's exactly what I mean, and giving such permission means that I entrust that site with my computers' security.

Do you normally use a script blocking setting/extension?

Yes I do. Doesn't everyone ? (They should !)
I enable script permission only for sites that I trust.

Possibly the JW Player site may be trustworthy, but I resent being forced to let them run remote scripts on my computer, when I'm using it for the purely local operation of letting one of my computers play media via the PMS server on another computer in the same LAN.

I don't mind very much that they use a 'phone home' script locally.
What I do mind is that they demand execution of a remote script, in order to allow playback.

Best regards: dlanor

#4 mike.cheng

mike.cheng

    Member

  • Members
  • 40 posts

Posted 21 November 2012 - 04:34 AM

Good question!

So, we're using JW Player for a variety of reasons. I'm not sure if those reasons are being questioned or not, but for now let's assume that that's a given. The actual player is part of the Plex/Web bundle, served by your PMS, not hosted on a remote server. However, that player insists on phoning home to do a license check. The request you're seeing to a JW Player CDN is to do that license check. And you're absolutely right that that license check being required means that playback in Plex/Web won't work when completely offline. That's a shame, and a great point, and something we'll look into.

I'm not sure I follow regarding "full script permissions." Do you just mean that you need to allow the browser to run JavaScript from that domain? Do you normally use a script blocking setting/extension?



I think this is what he means by "full script permissions":

http://stackoverflow...using-cdn-hoste
http://stackoverflow...ecurity-in-ajax
http://wonko.com/pos...ascript-ssl-cdn (note: this site talks about ssl, but it applies without ssl too)

Basically the issue is that we now have to trust that jwpcdn is safe. The player loads up this javascript file and executes it: https://ssl.p.jwpcdn.com/6/0/jwpsrv.js
By using the player, we assume that no one will compromise their servers or that they won't inject code into your clients to steal information.
It's not really an issue in this case since JWPlayer does seem trustworthy and is used on a lot of big sites.
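
An added example, not part of the original thread or of Plex's code: a small Node.js audit that lists every `<script>` a page loads from an origin other than the one serving it, which is the set of hosts a script blocker such as NoScript has to be told to trust. The page URL, the HTML, and the `cdn.example.net` entry are constructed sample input; only the jwpsrv.js URL comes from the post above.

```javascript
// Added example: list the <script> tags a page loads from other origins.
// SAMPLE_PAGE_URL and SAMPLE_HTML are constructed input, not Plex's real markup;
// only the jwpsrv.js URL is taken from the thread.
const SAMPLE_PAGE_URL = 'http://192.168.1.10/web/index.html';
const SAMPLE_HTML = `
<html><head>
  <script src="js/plex.js"></script>
  <script src="/web/js/jwplayer.js"></script>
  <script src="https://ssl.p.jwpcdn.com/6/0/jwpsrv.js"></script>
  <script src="//cdn.example.net/lib.js" integrity="sha384-CONSTRUCTED"></script>
  <script>var inline = true;</script>
</head></html>`;

// Read one attribute from a start tag (quoted or unquoted value).
// A regex is enough for an audit of static markup; it is not a full HTML parser.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return every external script whose origin (scheme + host + port) differs
// from the origin that served the page.
function findRemoteScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = getAttr(tag, 'src');
    if (src === null) continue;             // inline script, delivered with the page
    const resolved = new URL(src, pageUrl); // resolves relative and //host URLs
    if (resolved.origin === pageOrigin) continue;
    findings.push({
      url: resolved.href,
      host: resolved.hostname,
      // Subresource Integrity pins the file's hash; without it the remote
      // host can change what runs in the page at any time.
      pinned: getAttr(tag, 'integrity') !== null,
    });
  }
  return findings;
}

// Hosts a script blocker would have to allow for the page to work fully.
function hostsToTrust(findings) {
  return [...new Set(findings.map((f) => f.host))].sort();
}

const findings = findRemoteScripts(SAMPLE_HTML, SAMPLE_PAGE_URL);
console.log(findings);
console.log('Remote script hosts:', hostsToTrust(findings));
```

This only sees scripts referenced in static markup; a script that another script injects at run time shows up in the browser's network log or in the script blocker, not here.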

#5 MarcFBR

MarcFBR

    Member

  • Members
  • 48 posts

Posted 21 November 2012 - 11:30 PM

dlanor, can you confirm the address it's dialing home to?

I want to confirm this is the same thing I'm seeing.

#6 dlanor

dlanor

    Rock Star

  • Members
  • 886 posts
  • Location: Stockholm, Sweden

Posted 22 November 2012 - 01:18 AM

dlanor, can you confirm the address it's dialing home to?

I want to confirm this is the same thing I'm seeing.

I was using the Firefox browser, with the NoScript add-on protecting against unauthorized script invocation.

In order to make the Plex/Web playback work I then had to whitelist the site "jwpcdn.com".

I don't recall the precise URL right now, but it probably was what mike.cheng described in his post.

Best regards: dlanor

#7 MarcFBR

MarcFBR

    Member

  • Members
  • 48 posts

Posted 22 November 2012 - 08:21 AM

I was using the Firefox browser, with the NoScript add-on protecting against unauthorized script invocation.

In order to make the Plex/Web playback work I then had to whitelist the site "jwpcdn.com".

I don't recall the precise URL right now, but it probably was what mike.cheng described in his post.

Best regards: dlanor


This appears to be something different then...

I discovered an IP in it. I had originally believed I had somehow been malwared. But was able to confirm that wasn't the case, and that at random times a few other people had seen it also. So it appears to be a different issue (I too use NoScript and check it.)

If you see 75.72.156.155 let me know would you?

#8 dlanor

dlanor

    Rock Star

  • Members
  • 886 posts
  • Location: Stockholm, Sweden

Posted 22 November 2012 - 07:47 PM

This appears to be something different then...

I discovered an IP in it. I had originally believed I had somehow been malwared. But was able to confirm that wasn't the case, and that at random times a few other people had seen it also. So it appears to be a different issue (I too use NoScript and check it.)

If you see 75.72.156.155 let me know would you?

I've made a note of that IP, but so far I haven't noticed anything like that. But then again, I haven't been searching web-page sources for it, so it may well have been embedded somewhere without me knowing. As long as it doesn't invoke scripts Firefox and NoScript would not call attention to it.

Where/how did you notice it ?

Best regards: dlanor

#9 MarcFBR

MarcFBR

    Member

  • Members
  • 48 posts

Posted 23 November 2012 - 07:23 AM

I've made a note of that IP, but so far I haven't noticed anything like that. But then again, I haven't been searching web-page sources for it, so it may well have been embedded somewhere without me knowing. As long as it doesn't invoke scripts Firefox and NoScript would not call attention to it.

Where/how did you notice it ?

Best regards: dlanor


Around the last Plex update I noticed Plex/Web wasn't loading properly, so I decided to check NoScript. Noticed it was in there. Plex/Web seems to work fine if it's allowed, but not at all if it's blocked (which I have NoScript set to do by default.)

Someone in the chatroom went and had a look and didn't see it, but then saw it later, which at least confirmed it wasn't malware on my machine. At first it was decided it was the issue you were describing. Then I went to the player and noticed a jwplayer url show up. So it seemed to be something different. It doesn't seem to always show up though, and not everyone sees it.

#10 Timdogg

Timdogg

    Newbie

  • Members
  • 1 posts

Posted 07 June 2013 - 03:39 AM

Hi, just wondering if folks were still seeing this problem?  Apparently it can be disabled by turning off jwplayer analytics.  There was a bug that even disabled, it would still call home. (http://developer.lon...rac/ticket/1815) but it has been fixed in the latest JWPlayer version.

 

Just figured I would ask!



#11 ericmatthys

ericmatthys

    Plex Employee

  • Plex Employee
  • 2422 posts
  • Location: Denver

Posted 07 June 2013 - 01:17 PM

Hi, just wondering if folks were still seeing this problem?  Apparently it can be disabled by turning off jwplayer analytics.  There was a bug that even disabled, it would still call home. (http://developer.lon...rac/ticket/1815) but it has been fixed in the latest JWPlayer version.

 

Just figured I would ask!

 

Good find. I didn't realize that was a bug / is fixed now. I'll add this to the next update.





