xhr.withCredentials value not used by SegmentBaseLoader.js
Created by: rolfboom
I can provide more information if needed. We are testing private streams with restricted access and I don't have a public site at the moment.
Environment
- The MPD passes the DASH-IF Conformance Tool on http://dashif.org/conformance.html
- The stream has correct Access-Control-Allow-Origin headers (CORS)
- There are no network errors such as 404s in the browser console when trying to play the stream (this is exactly where the bug occurs, we get a 403 because of xhr.withCredentials not set)
- The issue observed is not mentioned on https://github.com/Dash-Industry-Forum/dash.js/wiki/FAQ
- The issue occurs in the latest reference client on http://dashif.org/reference/players/javascript/ and
- Link to playable MPD file: -
- Dash.js version: 2.3.0
- Browser name/version: Chrome 54.0.2840.71/ Firefox 47.0.1
- OS name/version: Windows 10
Setup
- S3 Bucket with CORS settings
- Cloudfront with restricted access (signed Cookies)
- dash.js 2.3.0 is loaded and player.setXHRWithCredentials(true); is set
Observed Behaviour with restricted access turned on
- The .mpd-playlist is requested by XHRLoader.js, Cloudfront cookies are sent and response is okay
- CORS preflight OPTIONS requests for segments are made by SegmentBaseLoader.js and return okay
- GET requests for the segments are automatically made but cookies are not sent and Cloudfront returns 403 (SegmentBaseLoader.js doesn't use the xhr.withCredentials value)
Observed Behaviour with restricted access turned off
- The .mpd-playlist is requested by XHRLoader.js, Cloudfront cookies are sent and response is okay
- CORS preflight OPTIONS requests for segments are made by SegmentBaseLoader.js and return okay
- GET requests for the segments are automatically made but cookies are not sent. This returns okay now because restricted access by cloudfront is turned off
- OPTIONS and GET requests for ranges of the dash.stream are made by XHRLoader.js, cookies are sent with the GET requests as expected
Conclusion and quickfix
So somehow only the first requests made by the SegmentBaseLoader.js do not check if player.setXHRWithCredentials(true) was set. Requests made by the XHRLoader.js check this.
By adding request.withCredentials = true; right before request.send, I could quickfix this.
If I just used the player terribly wrong, please let me know.
Screenshot with custom quickfix and restricted access on
- now cookies are sent for those first GET requests and video can be played
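
The following is an added example, not part of the original report and not dash.js source: a regression check for the behaviour described above, where one loader honours the player's credentials setting and a second loader builds its own request without consulting it. FakeXHR, the loader functions, the settings object and the cdn.example.test URLs are hypothetical stand-ins so the check runs offline in Node.

```javascript
// Added example, not dash.js source. All names are hypothetical.
// Recording stand-in for XMLHttpRequest so the check runs without a browser.
class FakeXHR {
  constructor() { this.withCredentials = false; this.headers = {}; }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(name, value) { this.headers[name] = value; }
  send() {
    FakeXHR.sent.push({ url: this.url, withCredentials: this.withCredentials });
  }
}
FakeXHR.sent = [];

// Player-level setting, the role player.setXHRWithCredentials(true) plays in the report.
const settings = { withCredentials: true };

// Loader that honours the setting (the behaviour the report attributes to XHRLoader.js).
function loadManifest(XHR, url) {
  const request = new XHR();
  request.open('GET', url, true);
  request.withCredentials = settings.withCredentials;
  request.send();
}

// Loader that never consults the setting (the reported SegmentBaseLoader.js behaviour).
function loadSegmentBaseBuggy(XHR, url, range) {
  const request = new XHR();
  request.open('GET', url, true);
  request.setRequestHeader('Range', 'bytes=' + range);
  request.send();
}

// Same loader, reading the shared setting rather than hard-coding true.
function loadSegmentBaseFixed(XHR, url, range) {
  const request = new XHR();
  request.open('GET', url, true);
  request.setRequestHeader('Range', 'bytes=' + range);
  request.withCredentials = settings.withCredentials;
  request.send();
}

// Returns the URLs that were sent without credentials while the setting was on.
function uncredentialedRequests(segmentLoader) {
  FakeXHR.sent = [];
  loadManifest(FakeXHR, 'https://cdn.example.test/stream.mpd');      // constructed URL
  segmentLoader(FakeXHR, 'https://cdn.example.test/video.mp4', '0-1023');
  return FakeXHR.sent
    .filter(r => settings.withCredentials && !r.withCredentials)
    .map(r => r.url);
}
```

Reading the flag from the shared setting keeps playback of unrestricted streams unchanged when the player option is left off, which a hard-coded `true` would not.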