From April 25th onwards, when Chrome 58 is scheduled for release, DRM encrypted video streams served from a non-secure origin will no longer work in Google’s browser. The origin of the video and audio contents of the stream, of the manifest served to the client, as well as of the website from which the stream is served: they must all be secured if you want to successfully stream to Chrome.
This change dates back to February 2015, when Google announced its intent to deprecate the ‘insecure usage of powerful features’ in Chrome, in order to apply the concepts from W3C’s Secure Contexts specification. Since December of last year, it has been clear that Chrome’s use of the Extended Media Extensions (EME) API within non-secure environments would be disabled at the end of Q1 2017.
As the EME API enables the browser to play encrypted video natively, it’s possible that your streams wil no longer work in Chrome 58. This will be the case if they use DRM and if they are served from a non-secure origin. Soon, the same will happen in Firefox, as Mozilla has announced to implement similar changes to their browser.
Fortunately, most who are affected by these changes will have made the necessary changes by now. For those who have not, this blog post serves as a last-minute reminder.
To test whether your streams are affected, download the Chrome Beta (currently version 58). If you experience problems with your streams, you can do the following to make your video streams compatible, depending on the configuration of your video streaming setup.
To secure your website:
- Secure your website with a free to use Let’s Encrypt certificate by using Electronic Frontier Foundation’s certification bot. Having done that, don’t forget to force your website to be served through a HTTPS connection.
- To use the above solution, you’ll have to have shell access to the webserver that is hosting your website. If this is not the case, you can check if your host has integrated support for Let’s Encrypt.
- If you don’t have shell access and your web host doesn’t have integrated support for Let’s Encrypt either, you’ll have to rely on your host’s option to upload a certificate (which you can obtain by using the manual plugin of EFF’s bot).
To secure the origin of your content:
- Have your CDN secure the edge through which your video content is served (the easiest solution). Contact your CDN to find out whether that’s possible.
- If you don’t use a CDN or if securing the edge at your CDN isn’t feasible, secure your load balancer or cache layer. Like securing your website, this can be done by using EFF’s certification bot.
Do note that adding these layers of security may have an impact on performance, although it should be minimal.
Furthermore, in addition to the major change described above, there are a few other changes in Chrome 58 that will affect those who are streaming encrypted content. These changes could necessitate changes to the implementation of your player. This .pdf-document from Google summarizes the changes and describes some best practices that show how you can deal with them.