example I see many pages creating an m3u file and hosting but if you try to paste address in the browser to download the file the page redirects without downloading or showing the file to another page. this is done in php pages
example I see many pages creating an m3u file and hosting but if you try to paste address in the browser to download the file the page redirects without downloading or showing the file to another page. this is done in php pages
What happens is that the call checks the REFERER , according to wikipedia:
The referer, or HTTP referer (erroneously written as a referer in the official HTTP specifications and standardized so since1), is an HTTP header field that identifies the web page address (ie the URI or IRI) that links to the resource being requested. By checking the referer, the new web page can see where the request originated. (In short: knowing where the user came from, ie what page he was that sent to his site).In the most common situation, this means that when a user clicks a hyperlink in a web browser, the browser sends a request to the server that stores the destination web page. The request includes the referer field, which indicates the last page the user was on (the one he clicked on the link).
Referer logging is used to allow web sites and web servers to identify where people are visiting for promotional or statistical purposes.
This means that when a user clicks on a link, from a web browser, the browser sends a request to the server that contains the landing page. The request includes the referrer information, informing the page that the user was previously.
For detail, suppose you have a page / site called http://exemplo.com/pagina.html
and on this page there is a player:
<object classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
type="application/x-oleobject">
<param name="fileName" value="musicas.m3u">
<embed type="application/x-mplayer2"
pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
src="musicas.m3u">
</object>
When the player calls the file musicas.m3u
, this request will receive something like:
GET /musicas.m3u HTTP/1.1
Host: exemplo.com
Connection: keep-alive
Cache-Control: max-age=0
Referer: exemplo.com/pagina.html
See Referer: exemplo.com/pagina.html
detects that the call came from exemplo.com/pagina.html
.
But if you copy the playlist address and try to open http://exemplo.com/musicas.m3u
directly, the browser will send the request in this way:
GET /musicas.m3u HTTP/1.1
Host: exemplo.com
Connection: keep-alive
Cache-Control: max-age=0
See that we do not have REFERER now.
You can use PHP, but if your files are static (they are not generated by .php pages, they are real files called .m3u
) you can use .htaccess
to prevent access from failing to have REFERER (this is called direct), this will also prevent other sites from using your .m3u on external pages, saving traffic from your site, this technique is called prevent hotlink
or stop hotlink
.
Create a file in the root folder (if using Apache) and add this (you also need to prevent caching):
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?exemplo.com [NC]
RewriteRule \.m3u$ - [NC,F,L] #NC é para case-insensitive
<FilesMatch "\.(?i:m3u)$">
FileETag None
<IfModule mod_headers.c>
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</IfModule>
</FilesMatch>
If you call any file .m3u
through the url of the browser or another site it will block the access, showing the error 403
, if opened by the player it will open the file normally.
But if your .m3u
file is actually a .php
file, create a file named playlist.php
and add this:
<?php
$g = gmdate('D, d M Y H:i:s');
header('Expires: ' . $g . ' GMT');
header('Last-Modified: ' . $g . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', false);
header('Pragma: no-cache');
$parsed = empty($_SERVER['HTTP_REFERER']) ? false : parse_url($_SERVER['HTTP_REFERER']);
if (false === empty($parsed['host']) && $parsed['host'] !== 'exemplo.com') {
header('Content-Type: audio/x-mpegurl'); //Aplica o mimetype necessário para o player reconhecer o arquivo que é gerado dinamicamente
echo file_get_contents('arquivo.m3u');//Lê o seu arquivo
} else {
echo 'Hot link';
}
And you should call it like this:
<object classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
type="application/x-oleobject">
<param name="fileName" value="playlist.php">
<embed type="application/x-mplayer2"
pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
src="playlist.php">
</object>
If called by the player the file .php
generates the playlist used file_get_contents
, if it is called by the browser url or another site it will show the following error Hot link
.
Although this technique helps to protect, everything can be circumvented and really this is only a prevention, but it is not 100% safe, a simple way to circumvent is to inject the .m3u
link in the site page using javascript browser console) and clicking the link is likely to be able to download.
If you are using Apache
server, you can restrict file access to a DOMAIN or IP by creating a .htaccess
file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?seudominio [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?seudominio.*$ [NC]
RewriteRule \.(m3u|mp3)$ - [F]