When users access embedded content from within third-party services or applications, the content provider needs to verify that the playback originated from an approved third-party service or application. Currently, content providers rely on the easily spoofable HTTP referrer information to check the name of the third party from which a user is accessing embedded content. This disclosure describes a simple mechanism, based on public key cryptography, for trusted third parties to provide first-party content providers with cryptographically signed referrer information that is non-spoofable and hard to replay. A cryptographic key pair is used by the content provider and by the third-party application or service. Requests for playing embedded content that originate from third-party applications are encrypted with the public key of the content provider and signed by the third-party service or application. The techniques enable embedded content playback in third-party apps and allow content providers to ensure that embedded content playback is available only to authorized services and apps.
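The following sketch of such a request is an added example, not code from the disclosure. It assumes RSA-OAEP for encryption to the content provider, Ed25519 for the third party's signature, and a timestamp plus one-time nonce for replay resistance; the token layout, key handling and all names (`buildToken`, `verifyToken`, `partner.example`) are hypothetical.

```javascript
// Added example: signed, encrypted referrer token (layout and names are assumptions).
const crypto = require('node:crypto');

// Constructed keys: the content provider's RSA pair (encryption) and the third
// party's Ed25519 pair (signing). Public halves are assumed exchanged out of band.
const provider = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const partner = crypto.generateKeyPairSync('ed25519');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Third party: encrypt the playback request to the provider, then sign the ciphertext.
function buildToken(referrer, contentId, now = Date.now()) {
  const claims = { referrer, contentId, ts: now, nonce: crypto.randomBytes(16).toString('hex') };
  const ct = crypto.publicEncrypt({ key: provider.publicKey, ...OAEP },
                                  Buffer.from(JSON.stringify(claims)));
  const sig = crypto.sign(null, ct, partner.privateKey);
  return { ct: ct.toString('base64'), sig: sig.toString('base64') };
}

// Content provider: verify the signature, decrypt, then enforce that the referrer
// matches the signer, that the request is fresh, and that its nonce is unused.
const seenNonces = new Set(); // a real service would expire entries after MAX_AGE_MS
const MAX_AGE_MS = 60000;     // assumed freshness window

function verifyToken(token, expectedReferrer, now = Date.now()) {
  const ct = Buffer.from(token.ct, 'base64');
  const sig = Buffer.from(token.sig, 'base64');
  if (!crypto.verify(null, ct, partner.publicKey, sig)) return 'bad-signature';
  let claims;
  try {
    const plain = crypto.privateDecrypt({ key: provider.privateKey, ...OAEP }, ct);
    claims = JSON.parse(plain.toString());
  } catch (err) {
    return 'bad-ciphertext';
  }
  if (claims.referrer !== expectedReferrer) return 'wrong-referrer';
  if (Math.abs(now - claims.ts) > MAX_AGE_MS) return 'stale';
  if (seenNonces.has(claims.nonce)) return 'replayed';
  seenNonces.add(claims.nonce);
  return 'ok';
}
```

Checking the decrypted referrer against the identity tied to the verifying key is what stops one authorized party from re-signing another party's ciphertext.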
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Isles, Adrian; Tran, Thomas; and Puranik, Kashyap Ramesh, "Embedded Content Playback Authorization Using Cryptographically Signed Referrers", Technical Disclosure Commons, (July 20, 2021)