Shaka Player using incorrect encoding for + plus symbol %20 space instead of %2B in parameters

[desertwindy]

** yes i have read Have you read the FAQ and checked for duplicate open issues?

If the problem is related to FairPlay, have you read the tutorial? not related to drm but url encoding and decoding problem

What version of Shaka Player are you using?

latest 4.14.14

Can you reproduce the issue with our latest release version? yes

Can you reproduce the issue with the latest code from main? yes

Are you using the demo app or your own custom app?

https://cdn.jsdelivr.net/npm/[email protected]/dist/shaka-player.ui.min.js

https://cdn.jsdelivr.net/npm/[email protected]/dist/controls.min.css

If custom app, can you reproduce the issue using our demo app? yes

What browser and OS are you using? tried with chrome firefox and edge

For embedded devices (smart TVs, etc.), what model and firmware version are you using? no

What are the manifest and license server URIs? https://dai.google.com/ssai/event/yeYP86THQ4yl7US8Zx5eug/master.m3u8 (CORS enable for akamaized.net with Indian IP VPN)

What did you do? JW plays smooth but shaka dont

What did you expect to happen? if my m3u8 was correct then jw should not be playing also but its working excellently

What actually happened? described in detail below

Follow this process to experience the issue yourself

CORS should be enabled Use Indian IP or India Location VPN

this issue manily occurs in akamaized links as they how they use their session id parameter

first play https://dai.google.com/ssai/event/yeYP86THQ4yl7US8Zx5eug/master.m3u8 in jw player (Cors enable and indian ip or vpn)

(CORS enabled because it wont play without CORS, i used https://mybrowseraddon.com/access-control-allow-origin.html this extension for playing this stream and used Choose a value for Access-Control-Allow-Origin (* or ORIGIN). used * instead of origin in its options)

or you can use hlsjs website link instead of JW player https://hlsjs.video-dev.org/demo/?src=https%3A%2F%2Fdai.google.com%2Fssai%2Fevent%2FyeYP86THQ4yl7US8Zx5eug%2Fmaster.m3u8

open dev tools you will see in network tab master_108.m3u8 or some master_224, 412, 664, 900, 1300, 2000, 3500 .m3u8 which shows their video resolution

suppose we pick master_3500.m3u8 https://sony247channels.akamaized.net/hls/live/2011747-b/TEN1HD/hdntl=exp=1749361337~acl=%2f*~id=c7011ca4-d345-44f5-9bc7-a0f1225b8bc0~data=hdntl~hmac=803596ac99b3a8eb87f81a62b3e3b3691458c31c3611fa35296127dbb3a5c322/master_3500.m3u8?aka_me_session_id=AAAAAAAAAAC5IkVoAAAAAHugU06feeiYbUzJzbPH9d3UIflHbyxtO5sTcf0F5MJ9Jjl9iX6qxaF14NjCvhjyQHmg+Z94gJNW&aka_media_format_type=hls&originpath=/linear/hls/pb/event/yeYP86THQ4yl7US8Zx5eug/stream/693fffb1-745c-4aaa-8a94-482b6ffa1393:TPE2/variant/edbac99ec611d03d37ffab7b990a62ef/bandwidth/4571600.m3u8

now copy this url

now play this copied url in JW player or play in https://hlsjs.video-dev.org/demo/ website it will play smoothly and will never show any error

now try to play this url in shaka player it will load the the first segment correctly and play but when moving to next it will not load because the url is encoded incorrectly internally by shaka player

the url i give above will be used in subsequently in other players but in shaka it willl slightly changed e.g. aka_me_session_id= in that which will give error as akamai exact session id

https://sony247channels.akamaized.net/hls/live/2011747-b/TEN1HD/hdntl=exp=1749361337~acl=/*~id=c7011ca4-d345-44f5-9bc7-a0f1225b8bc0~data=hdntl~hmac=803596ac99b3a8eb87f81a62b3e3b3691458c31c3611fa35296127dbb3a5c322/master_3500.m3u8?aka_me_session_id=AAAAAAAAAAC5IkVoAAAAAHugU06feeiYbUzJzbPH9d3UIflHbyxtO5sTcf0F5MJ9Jjl9iX6qxaF14NjCvhjyQHmg%20Z94gJNW&aka_media_format_type=hls&originpath=/linear/hls/pb/event/yeYP86THQ4yl7US8Zx5eug/stream/693fffb1-745c-4aaa-8a94-482b6ffa1393:TPE2/variant/edbac99ec611d03d37ffab7b990a62ef/bandwidth/4571600.m3u8

this will not load and give 403 error from akamai server look at this aka_me_session_id= it is changed like + plus symbol changed to space %20 instead of %2B which we didnt want it remains same in other players but not in shaka

good thing is sometimes when aka_me_session_id does not conatin special characters then it plays smooth in shaka player also. so main problem most probably is how shaka treats special characcters in parameters, other players use as it is like hlsjs and jw but shaka dont

• Other proof that it is caused by that special character plus + symbol is that when playing url, it loads the first segment correctly beccause in the first time it play is not coded in percentage coding so it plays but when it request second segment m3u8, you will see that speacial characcter + plus symbol is changed to percent encoding into %20 instead %2B so it will cause error but it will not happen in hlsjs or jw

• Other proof https://sony247channels.akamaized.net/hls/live/2011747-b/TEN1HD/hdntl=exp=1749361337~acl=/*~id=c7011ca4-d345-44f5-9bc7-a0f1225b8bc0~data=hdntl~hmac=803596ac99b3a8eb87f81a62b3e3b3691458c31c3611fa35296127dbb3a5c322/master_3500.m3u8 if we play only this url and remove paramter ? percent altogether, shaka will also play smooth

• Other proof https://sony247channels.akamaized.net/hls/live/2011747-b/TEN1HD/hdntl=exp=1749361337~acl=/*~id=c7011ca4-d345-44f5-9bc7-a0f1225b8bc0~data=hdntl~hmac=803596ac99b3a8eb87f81a62b3e3b3691458c31c3611fa35296127dbb3a5c322/master_3500.m3u8?aka_me_session_id=AAAAAAAAAAC5IkVoAAAAAHugU06feeiYbUzJzbPH9d3UIflHbyxtO5sTcf0F5MJ9Jjl9iX6qxaF14NjCvhjyQHmg%20Z94gJNW&aka_media_format_type=hls&originpath=/linear/hls/pb/event/yeYP86THQ4yl7US8Zx5eug/stream/693fffb1-745c-4aaa-8a94-482b6ffa1393:TPE2/variant/edbac99ec611d03d37ffab7b990a62ef/bandwidth/4571600.m3u8 in this when shaka converts it into + plus into %20 then when we replace with %2B, it loads

but here we are talking about auto generated akamai links, akamai give session id and expiry tokens to links automatically and other things which are necessary for their purpose, which can be played smoothly by all other players except shaka so we need permanent sloution which other players follow but shhaka dont

Due to this special characters percentage encoding in session id thing, akamai links dont work in shaka but in others

in aka_me_session_id=AAAAAAAAAAC5IkVoAAAAAHugU06feeiYbUzJzbPH9d3UIflHbyxtO5sTcf0F5MJ9Jjl9iX6qxaF14NjCvhjyQHmg+Z94gJNW plus (+) symbol is treated as space %20 in shaka while in other player it is treated as (+) plus symbol as it is

** Hence, it is because of just + plus symol only, it is converted in to %20 instead of %2B when encoding the parameter**

Just because of plus + symbol incorrect encoding whole url crashes. Need just that shaka encoded + into %2B instaed %20

---

This mainly occurs in akamaized streams where they use "aka_me_session_id="

This issue does not occur in other players like JW Player, which properly preserve the original URL encoding from the playlist throughout the request process.

Master playlist URL (working in JW Player): https://dai.google.com/ssai/event/yeYP86THQ4yl7US8Zx5eug/master.m3u8

also i tried to play this url in android chrome app, justed pasted the link , it worked also in hls.js also in clappr also in plyr also in JW (remember CORS is enabled and Indian IP)

all worked but only shaka failed

all other players treat + symbol (check %20 and %2B in below session id) aka_me_session_id=AAAAAAAAAAC5IkVoAAAAAHugU06feeiYbUzJzbPH9d3UIflHbyxtO5sTcf0F5MJ9Jjl9iX6qxaF14NjCvhjyQHmg%20Z94gJNW - how shaka treats

as

aka_me_session_id=AAAAAAAAAAC5IkVoAAAAAHugU06feeiYbUzJzbPH9d3UIflHbyxtO5sTcf0F5MJ9Jjl9iX6qxaF14NjCvhjyQHmg%2BZ94gJNW - how other other players treat

[desertwindy]

const networkingEngine = player.getNetworkingEngine(); networkingEngine.clearAllRequestFilters(); networkingEngine.registerRequestFilter((type, request) => { if (request.uris && request.uris.length) { request.uris = request.uris.map(uri => { if (uri.toLowerCase().includes('akamaized')) { return uri.replace(/%20/g, '+').replace(/%2B/gi, '+'); } return uri; }); }

});

it worked with this

[tykus160]

@desertwindy I don't have access to Indian VPN unfortunately. Can you share raw manifest files either here or on private channel so we can debug it? Or HAR file with request history from your browser?

[desertwindy]

@tykus160 @avelad

Link for Zip file is this Shaka and JW har.zip

I have uploaded .har files in zip files named shaka and jw from both players

Shaka.har version is this https://cdn.jsdelivr.net/npm/[email protected]/dist/shaka-player.ui.min.js

See .m3u8 requests only

In Shaka you can check the failed 403 error vs successful url and check that encoding of + symbol Only first request of .m3u8 of that particular quality level is successful while other failed

JW.har player is this https://content.jwplatform.com/libraries/KB5zFt7A.js

In JW, it remains plus symbol as it is on all m3u8 requests

My suggestion is this that encoding of url should be done like how JW and hlsjs do with their m3u8 links

Also with dash mpd links, JW player does the best Like in some dash streams, shaka shows only 1 quality resolution which is generally the lowest while JW shows all quality resolutions

Only upperhand Shaka has that it supports multiple clearkeys in dash while JW cant

[avelad]

@desertwindy Can you check if https://github.com/shaka-project/shaka-player/pull/8912 resolves this issue? I don't have a Indian VPN :(

@joeyparrish can you review it and https://github.com/shaka-project/shaka-player/pull/8912 ? Thanks!

[joeyparrish]

Steps I took:

1. VPN through India
2. Install the extension OP recommended
3. Toggle the extension on to disable CORS restrictions
4. Open Shaka Player Demo (latest release v4.15.8)
5. Go to custom content tab
6. Create new custom content
7. Enter asset URI https://dai.google.com/ssai/event/yeYP86THQ4yl7US8Zx5eug/master.m3u8
8. Enter name
9. Click save
10. Play the custom content

Initially, I had zero network errors and could not reproduce this. It turns out that my first play was lucky, and I was assigned a session ID which did not involve any + characters when base64-encoded. I played it again and got assigned a session ID with a + in the encoding.

[joeyparrish]

Testing a fix is slightly complicated by the fact that the Sony domain won't allow a request from localhost, even with CORS turned off. But I managed to live-edit the code in the production demo to validate my fix.

[joeyparrish]

My fix is up for review in https://github.com/shaka-project/shaka-player/pull/8916 . I tried to explain thoroughly why this happened, but please let me know if it's unclear or off base in some way.