[vlc-devel] [PATCH 08/10][RFC][WIP] cloudstorage: access: custom-made html pages to the http server responses (personalized for VLC)

Rémi Denis-Courmont remi at remlab.net
Thu Aug 17 19:43:46 CEST 2017 

Le torstaina 17. elokuuta 2017, 13.18.03 EEST Diogo Silva a écrit :
> If those pages were simply success / error messages, they could be hosted
> somewhere else than localhost.

Simple pages are better "hosted" on file:///...

> In this case, I simply cannot web-host those scripts somewhere else than
> localhost, otherwise, it will simply break the security (for AmazonS3,
> OwnCloud and Mega.Nz).

There are several problems with hosting on localhost.

The first somewhat trivial problem is that VLC httpd has no support for 
dynamically opening a passive port on loopback.

But the bigger problems are with shipping the assets inside VLC:
- adding/updating/removing a service needs to wait for a new VLC version,
  - including changing any public application identifiers,
  - also including localization updates,
- origin cannot be a registered domain, if the service requires it,
- origin cannot be HTTPS, likewise,
- private (server-side) application identifers cannot be used, likewise,
- maybe copyright or trademark issues too,
(- impossibility to insert service announcement or advertisement)

> It runs localhost in order to retrieve the credentials and create a proper
> request that is sent to the respective servers.

The only thing that "localhost" affect is the web origin determined by the web 
engine. And localhost seems more likely to cause than solve problems there.

Of course, we need a way to supply data back to the VLC process - and a web 
socket with VLC as the server side would seem like the best architectural fit 
there. But that´s an entirely orthogonal issue to how/where the web assets are 
hosted.

> I'm not sure I understood what you meant with "some services just refuse to
> work if accessed from localhost", but any type of services did refuse and
> it can be used to authenticate.

I mean exactly that. Some services can refuse to work if the origin is
http://localhost (or file://).

-- 
雷米‧德尼-库尔蒙
https://www.remlab.net/

More information about the vlc-devel mailing list