Embedded Link only for my use and not others

Hello,

Is it possible to use an embedded link of an H5P element only for myself to integrate it into another website, and prevent others from embedding this element on their website?

Thanks in advance!

otacke's picture

Hi asfga!

If you have a server that you can configure yourself, then yes. You can set a so-called "Content Security Policy" that allows you to define what other servers are allowed to embed content from yours (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors).

An older approach that was at the mercy of browsers supporting it is using X-Frame-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options), which also requires server configuration.

Best,

Oliver 

Thank you very much, works very well.

otacke's picture

Glad you figured it out! That was certainly not easy, but you're proof that solving those issues is possible without having step-by-step guides (which can hardly be given for all the possible scenarios) but with some useful links.

And thanks for saying thanks! 

Just one question: I checked it from my laptop and it worked but when checking it on my mobile phone the embedded frame is blocked. Do you know why this is?

otacke's picture

Nope, can't tell without knowing details.

I tried a few things out and searched a lot on Google but wasn't successful with it. So I will post some details, maybe it helps someone to answer the question:

In general it works in Firefox + Chrome, but Safari (not only on mobile) seems to have problems with the embedding iFrame. I set the following line in my .htaccess:

Header set Content-Security-Policy: "frame-ancestors domain1 domain2/embed.php?id=1;"

In the browser console I receive the following error:

The source list for Content Security Policy directive 'frame-ancestors' contains a source with invalid path: '/embed.php?id=1'. The query component, including the "?" will be ignored. Refused to load domain2/embed.php?id=1 because it does not appear in the frame-ancestors directive of the Content Security Policy.

The URL for the video is with the query parameter part, without it I can't call the video page and I think that is what's happening here. I need to add the video URL to the htaccess but it doesn't allow it, so how am I supposed to configure this? :/
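Added example, not part of the thread: browsers match `frame-ancestors` sources against the embedding page's origin (scheme, host, port), so a path or query in an entry cannot narrow the match to one page. The Python sketch below checks a header value for such entries and reduces them to their origin part; the function name `lint_frame_ancestors` and its messages are assumptions made for this illustration.

```python
import re

# Source forms that carry no path: keywords, "*", "scheme:", [scheme://]host[:port].
LITERALS = {"'self'", "'none'", "*"}
SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)
HOST_ONLY = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::(?:\d+|\*))?$",
    re.I,
)
# Captures the [scheme://]host[:port] prefix of an entry that has more after it.
ORIGIN_PREFIX = re.compile(r"^((?:[a-z][a-z0-9+.-]*://)?[^/?#]+)", re.I)


def lint_frame_ancestors(policy):
    """Return (cleaned_policy, findings) for a Content-Security-Policy value."""
    directives, findings = [], []
    for directive in (d.strip() for d in policy.split(";")):
        if not directive:
            continue
        name, *sources = directive.split()
        if name.lower() != "frame-ancestors":
            directives.append(directive)  # other directives pass through untouched
            continue
        kept = []
        for src in sources:
            ok = (src.lower() in LITERALS or SCHEME_ONLY.match(src)
                  or HOST_ONLY.match(src))
            if not ok:
                prefix = ORIGIN_PREFIX.match(src)
                if not prefix:
                    findings.append(f"{src}: no host found, dropped")
                    continue
                findings.append(f"{src}: path/query removed, use {prefix.group(1)}")
                src = prefix.group(1)
            if src not in kept:
                kept.append(src)
        directives.append(" ".join([name, *kept]))
    return "; ".join(directives), findings


if __name__ == "__main__":
    # Header value from the post above (domain1/domain2 are the poster's placeholders).
    value = "frame-ancestors domain1 domain2/embed.php?id=1;"
    cleaned, notes = lint_frame_ancestors(value)
    print(cleaned)
    for note in notes:
        print("warning:", note)
```

With an origin-only entry, every page served from that origin is allowed to embed the content, including one addressed with a query string.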