Prevent HTML5 video from being downloaded (right-click saved)?
How can I disable "Save Video As..." from a browser's right-click menu to prevent clients from downloading a video?
Are there more complete solutions that prevent the client from accessing a file path directly?
You can't. That's because that's what browsers were designed to do: Serve content. But you can make it harder to download.
First thing's first, you could disable the contextmenu
event, aka "the right click". That would prevent your regular skiddie from blatantly ripping your video by right clicking and Save As. But then they could just disable JS and get around this or find the video source via the browser's debugger. Plus this is bad UX. There are lots of legitimate things in a context menu than just Save As.
You could also use custom video player libraries. Most of them implement video players that customize the context menu to your liking. So you don't get the default browser context menu. And if ever they do serve a menu item similar to Save As, you can disable it. But again, this is a JS workaround. Weaknesses are similar to the previous option.
Another way to do it is to serve the video using HTTP Live Streaming. What it essentially does is chop up the video into chunks and serve it one after the other. This is how most streaming sites serve video. So even if you manage to Save As, you only save a chunk, not the whole video. It would take a bit more effort to gather all the chunks and stitch them using some dedicated software.
Another technique is to paint <video>
on <canvas>
. In this technique, with a bit of JavaScript, what you see on the page is a <canvas>
element rendering frames from a hidden <video>
. And because it's a <canvas>
, the context menu will use an <img>
's menu, not a <video>
's. You'll get a Save Image As instead of a Save Video As.
You could also use CSRF tokens to your advantage. You'd have your sever send down a token on the page. You then use that token to fetch your video. Your server checks to see if it's a valid token before it serves the video, or get an HTTP 401. The idea is that you can only ever get a video by having a token which you can only ever get if you came from the page, not directly visiting the video url.
At the end of the day, I'd just upload my video to a third-party video site, like YouTube or Vimeo. They have good video management tools, optimizes playback to the device, and they make efforts in preventing their videos from being ripped with zero effort on your end.
This is a simple solution for those wishing to simply remove the right-click "save" option from the html5 videos
$(document).ready(function(){
$('#videoElementID').bind('contextmenu',function() { return false; });
});
Yes, you can do this in three steps:
- Place the files you want to protect in a subdirectory of the directory where your code is running.
www.foo.com/player.html
www.foo.com/videos/video.mp4 -
Save a file in that subdirectory named ".htaccess" and add the lines below.
www.foo.com/videos/.htaccess
#Contents of .htaccess RewriteEngine on RewriteCond %{HTTP_REFERER} !^http://foo.com/.*$ [NC] RewriteCond %{HTTP_REFERER} !^http://www.foo.com/.*$ [NC] RewriteRule .(mp4|mp3|avi)$ - [F]
Now the source link is useless, but we still need to make sure any user attempting to download the file cannot be directly served the file.
-
For a more complete solution, now serve the video with a flash player (or html canvas) and never link to the video directly. To just remove the right click menu, add to your HTML:
<body oncontextmenu="return false;">
The Result:
www.foo.com/player.html will correctly play video, but if you visit www.foo.com/videos/video.mp4:
Error Code 403: FORBIDDEN
This will work for direct download, cURL, hotlinking, you name it.
This is a complete answer to the two questions asked and not an answer to the question: "can I stop a user from downloading a video they have already downloaded."
Simple answer,
YOU CAN'T
If they are watching your video, they have it already
You can slow them down but can't stop them.
The best way that I usually use is very simple, I fully disable context menu in the whole page, pure html+javascript:
<body oncontextmenu="return false;">
That's it! I do that because you can always see the source by right click.
Ok, you say: "I can use directly the browser view source" and it's true but we start from the fact that you CAN'T stop downloading html5
videos.