Hello,
I am working on getting my ZC set up for digital video delivery that use DRM protection. I figured out how to securely deliver the video and the license, but I have one question about the only potential security hole I see.
How it is set up:
I went into attributes and assigned 2 downloads to the digital goods product, one is the actual WMV file and the other is the license, which I made as an html file with the code from vidlock. Both files are uploaded into my server's /download directory. Then - this is the important part - I encrypted this html page with html guardian, so the source code can't be seen and so it cannot be opened on a user's local machine if they download the html license file. If the html file is offline, or not located on my site's webserver, it just shows up blank.
Then on the order conf page, the customer gets 2 downloads, first the file, after that completes they download the license. On the WMV file they should right click the download button and 'save as', but on the license they must just click and open the html. This gives them a page I made with the license button, which installs the license (behind the scenes it is requesting and installing the license from a 3rd party). The license source html code an't be seen, and if you save the page to your HDD, it can't be opened.
The ONLY hole I see now in the security for this - and maybe it isn't a worry b/c the link to the license html file SHOULD expire after 3 days (don't know yet, it's first day testing), is that when they open the license page, it shows the (temporary created) web address of this license file html on my server.
If I copy that link location, close the browser, then restart a new browser, paste the link, it again pulls up the (working) license code. But, am I right - this should just be the temporary link that will expire? Or not? It's not a direct link to my /downloads directory, but with many random characters as a directory.
Is is possible to change some of the code on the "DOWNLOAD" button on the order confirmation page, so that if it opens an html window (page), it appears without the address bar info? But how would it know the DOWNLOAD button was for a license and needs to do this? Because that button should exhibit normal behavior for other file types, only opening a new window without address bar in the case of an html file.
So my only thought/worry now,and I don't think this can be done, is - is it possible to add code to the d/l button, .js code, to open the window , like
window.open(URL_of_new_window,window_handle,"toolbar=no,location=no,status=no,me nubar=no,scrollbars=no")
I don't think u can, b/c that button is just a (temporary) link to the file, in this case an html file, not a function button to open a new window.
So if anyone has any idea how I can have them click download for the license, then open the html file in a browser window with no address/location bar visible, that would be great!!!
Cheers,
Patrick



