Hide from source the media URL

Somewhere the path is going to be shared. Even if a relative path. There are utilities that can grab all the resources in the page (one such utility is built right into safari). If you want to lock down a file what about using private files?

I get to following error with the latest dev:
jplayer mori$ git apply -v hide-direct-link-1046744-16.patch

hide-direct-link-1046744-16.patch:19: trailing whitespace.
      $attributes['oncontextmenu'] = "return false;"; //Custom Code
hide-direct-link-1046744-16.patch:28: trailing whitespace.
      $playlist[] = l($file['label'], '#', array('attributes' => array('id' => $player_id . '_item_' . $num, 'tabindex' => 1, 'onclick' => '<?php drupal_goto($file["url"]) ?>;')));  //Custom Code
hide-direct-link-1046744-16.patch:37: trailing whitespace.
      $playlist[] = l($file['label'], '#', array('attributes' => array('id' => $player_id . '_item_' . $num, 'tabindex' => 1, 'onclick' => '<?php drupal_goto($file["url"]) ?>;')));  //Custom Code
Checking patch includes/jplayer.theme.inc...
warning: includes/jplayer.theme.inc has type 100755, expected 100644
error: while searching for:
      if ($i == $num_items - 1) {
        $attributes['class'][] = 'last jp-playlist-last';
      }
      $output .= '<li' . drupal_attributes($attributes) . '>' . $data . "</li>\n";
    }
    $output .= "</$type>";

error: patch failed: includes/jplayer.theme.inc:86
error: includes/jplayer.theme.inc: patch does not apply

Reactivating.

I agree this feature request is important. Currently one can easily elicit the URL from the page source (using say Firebug or another web inspector) and as long as somebody has access rights to the page they can download the video, even if it is in the private filesystem. It is easy to pull the video src URL from the <video> tag.

For the sake of demonstration, I don't mind if people test "breaking" this live on this file:

http://drupal7demo.webel.com.au/system/files/mevideo/ooe-demo-netbeans-i...

That file was uploaded to the private filesystem and into a subfolder .../files/private/mevideo under .htacess protection, using a File field for display with MediaElement.

It is easy to load the video file directly in any browser or just pull it by URL with 'curl' or 'wget'.

I don't have any suggestions for solutions, however it is quite a serious media security/protection problem.

BTW MediaFront does no better in this respect, it also offer direct access by URL to private filesystem videos.

I'm moving this issue the 8.x branch. I had a client with this same request, although in my experience this isn't fully possible for a few reasons:

• The source has to come from somewhere. I've moved the source into drupalSettings, which temporarily obscures the file. But if you know where to look, it's still findable.
• Even with the source not initially in the markup, once you set it with setSrc(), the library adds it to the markup anyway making obfuscation somewhat pointless. I've seen this same behavior with JWPlayer's HTML5 player as well.

I'm not 100% certain this is a feature that makes sense in this project, as a full solution feels very outside the realm of this project's scope. But I know there's an appeal to a lot of clients, so it's worth further discussion.

Now that private files are a thing, is this even needed any more?

Setting the 'upload destination' on the video file's field (you'll probably need to create a new media type to be able to set it) to 'private' got me to the destination the OP seemed to want.