Asset protection through Domain control

 

As of version 2022.3.0, Wedia allows you to limit the embedding of a media asset to a specific set of websites or domains.

This feature can be used to restrict embedding to your own domain and subdomains (e.g. *.mycompany.com) or to a specific domain (e.g. https://futureproducts.mycompany.com). It's worth noting that this feature can be used independently of media tokenization, although combining the two can provide additional protection.

How does this protection work?

To implement this feature, Wedia uses a combination of Content Security Policy (CSP) headers, X-Frame-Options headers, and server detection of the referer to try to limit the embedding of a player on most modern browsers.

CSP headers are used by recent browsers like Firefox, Chrome, Safari, and Edge, while the X-Frame-Options header is used in conjunction with referer protection to deal with older browsers like Internet Explorer.

There are two main use cases for this feature: applying a global limitation to all assets, or limiting the embedding of specific assets.

Option 1 : General domain limitation for all assets

In the simple use case, you can use the "CSPAllowedAncestors" parameter in the MediaCloud customer config to specify the domains or websites where embedding is allowed. This can be a single hostname, a specific subdomain, or multiple rules separated by spaces. Please contact your account manager to set it up.

 

Option 2 : Limit embedding per asset

For a finer grained authorization, you have the flexibility to implement specific rules for each asset. For example, you may only want to allow private assets to be embedded on a single website, or you may want to set different CSP rules for different assets. You can also allow certain "known embedding rules" to be applied by asset contributors. This use case requires more steps to set up, but it gives project managers greater control over the embedding of their assets.

This use case needs a few steps because it gives project managers more room to implement any kind of rule:

  • Only private assets could be limited to a single website.

  • We could set any CSP rule on each asset.

  • We could allow some “known embedding rule” to asset contributors

Whatever the use case, the steps are the same:

1. Define a new DAMDY Behaviour on a project or modify an existing one by setting the “evp.behaviours” on WXM_DAMDY plugin.

2. Implement the following method in your groovy file

When you create a new behaviour, the groovy code generated for you has some sample code that you can uncomment to quickly implement your own use case.

 

    import java.util.Collections
    import java.util.Set
    import java.util.stream.Collectors
    (...)

    /**
     * Return a list of domains authorized to embed a player for a media.
     *
     * Some examples of supported return values :
     * <ul>
     * <li>'self' : Allow only direct play from MediaCloud ( no iframe )</li>
     * <li>www.myownwebsite.com : Allow embedding on www.myownwebsite.com whatever the scheme ( http or https )</li>
     * <li>https://www.myownwebsite.com : Allow embedding on www.myownwebsite.com accessed through https only</li>
     * <li>*.acme.com : Allow embedding on any subdomain of acme.com ( ex : www.acme.com, site-b.acme.com or site-a.acme.com )</li>
     * </ul>
     *
     * @param asset The asset to play
     *
     * @return null or {@link Collections#EMPTY_SET} : no limit set.
     * @since 2022.3.0
     **/
    Set<String> getAllowedDomains(IObjectReadOnly asset) {
        //return Collections.EMPTY_SET;

        // The following code can be used to implement this feature by creating an object with some url patterns
        // and attaching it to assets with a childmulti field named 'allowedDomains'
        Logger logger = LoggingService.getLogger("applicatif");
        logger.debug("getAllowedDomains for " + asset);
        Set<String> result = Collections.EMPTY_SET;
        if (asset.getCTObjectStructure().isExistField("alloweddomains")) {
            // Collect the 'name' property of every object attached through the field
            result = asset.getChildren(asset.getCTObjectStructure().getField("alloweddomains"))
                    .stream()
                    .map((o) -> o.getProperty("name").toString())
                    .collect(Collectors.toSet());
        } else {
            // No such field on this asset type: fall back to the default behaviour
            result = super.getAllowedDomains(asset);
        }
        logger.debug("==> result : " + result);
        return result;
    }

3. Deliver your plugin config and the created san file on your DAM.
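
How a rule set like the ones above can map to a frame-ancestors header and to a Referer check on the server, shown as an added Python example that is not Wedia's code. The function names, the own_host argument and the missing-Referer policy are assumptions, and matching ignores ports and paths.

```python
import re
from urllib.parse import urlsplit

# One source expression: 'self', or [scheme://][*.]host. Ports, paths and a bare "*"
# are deliberately rejected in this sketch.
_SOURCE = re.compile(r"^(?:(https?)://)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)$", re.I)


def parse_sources(value):
    """Split a space-separated rule string and validate every source expression."""
    parsed = []
    for token in value.split():
        if token == "'self'":
            parsed.append((None, False, "'self'"))
            continue
        m = _SOURCE.match(token)
        if not m:  # ';' or ',' in a value could smuggle extra directives into the header
            raise ValueError(f"unsupported source expression: {token!r}")
        scheme, wildcard, host = m.groups()
        parsed.append((scheme and scheme.lower(), bool(wildcard), host.lower()))
    return parsed


def csp_header(value):
    """Content-Security-Policy value for the player response; None means no limit."""
    rules = parse_sources(value)
    return "frame-ancestors " + " ".join(value.split()) if rules else None


def referer_allowed(value, referer, own_host, allow_missing=True):
    """Fallback for browsers without CSP: apply the same rules to the Referer header."""
    rules = parse_sources(value)
    url = urlsplit(referer or "")
    host = (url.hostname or "").lower()
    if not rules:
        return True                       # no limit configured
    if not host:
        return allow_missing              # Referer is optional and can be stripped
    for scheme, wildcard, rule_host in rules:
        if rule_host == "'self'":
            matched = host == own_host
        elif wildcard:                    # *.acme.com covers subdomains, not acme.com
            matched = host.endswith("." + rule_host)
        else:
            matched = host == rule_host
        if matched and scheme in (None, url.scheme):
            return True
    return False
```

Because a client can omit or alter the Referer header, the check is best effort; the frame-ancestors header is what current browsers enforce.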