ff2mpv
ff2mpv copied to clipboard
woodruffw
Add Browser Cookies to MPV
It would be great if the plugin would pass current browser cookies to mpv to allow watching private youtube videos etc.
Thanks for the request! I'd be happy to accept a PR for this feature, assuming that it doesn't require excessive browser permissions.
I would love to work on this feature! This would be my first Fork/Pull Request ever made, so be prepared for some mistakes ^^
To be honest, when I posted the issue I did not check whether mpv is able to play private youtube videos in the first place.
Now, after playing, around I made it work via
mpv --cookies --cookies-file=cookiefile --ytdl-raw-options=cookies=cookiefile <link>
where cookiefile are the cookies in the Netscape HTTP Cookie File format.
I tested a private youtube video with this method and a mediasite (one of the supported sites of ytdl) video which was behind a university login.
Implementation wise there would be two ways to read the cookies. The first one is to read them out of the cookies.sqlite file from the user's firefox profile directory via the python/ruby script. This would not need more browser permissions but would be a rather ugly approach as a) the right profile directory must be chosen and b) firefox may change the way cookies are stored on the filesystem in future releases. The other approach would be using the Cookie API. For this to work, we would either need to add <all_urls> as host permissions or add host permissions for all sites supported by youtube-dl (which constantly change).
Since the extension requires access to the local file system anyway, would a simple config file be a solution in order to avoid a preference page? Another question: Are third party cookies send?
Or even easier: just editing the ff2mpv.py. As far as I understand it you have to install it manually anyways...
Since the extension requires access to the local file system anyway, would a simple config file be a solution in order to avoid a preference page?
I might be missing something, but I don't think this would work: communication between the extension and native client is unidirectional, so a config telling the native client to use cookies wouldn't do anything (since the native client has no way to tell the extension about the config). Unless you're talking about loading the cookie DB manually, but I'd strongly prefer using the Cookie API linked above (I don't want ff2mpv to deal with locating the correct Firefox profile, changes to the DB's schema, or anything like that).
Are third party cookies send?
I think this probably depends on the "first-party isolation" status. The Cookie API docs hint at that, but I'm not certain.
I mean you can just export the cookies all the time and then decide in the ff2mpv.py whether to use them. Sure this might be a privacy concern if ff2mpv.py was a third party tool, but it isn't.
Maybe you could also have a config file with allowed/disallowed sites for cookies which then the client checks against and only passes cookies to mpv if the site matches.
That would very much make sense. Cause youtube doesn't need my cookies, but my universities video portal does...
I mean you can just export the cookies all the time and then decide in the ff2mpv.py whether to use them. Sure this might be a privacy concern if ff2mpv.py was a third party tool, but it isn't.
I think the larger privacy concern is twofold:
- Giving sites unnecessary metadata about a particular request (YouTube already knows that youtube-dl exists, but I don't necessarily want my browser cookies associated with any/all YouTube videos I choose to play in ff2mpv).
- Parsing and supplying cookies correctly to respective sites (respecting/reimplementing all of the crazy rules around cookie visibility). I'd just rather not do this, especially if we can get it for free from the Cookies API.
To bounce off of @boi4's idea: I think an explicitly allowed sites list makes sense. However, I think it makes sense to have that list in the extension (via a preferences page) rather than in the native client, for the reasons that I mentioned in https://github.com/woodruffw/ff2mpv/issues/19#issuecomment-822845534. The ideal semantics would be:
- Default, fresh install: ff2mpv doesn't send any browser-stored cookies with any video requests.
- Site in allowed list: ff2mpv uses the Cookies API to fetch all browser stored cookies that match the domain, and forwards them to the native client so that they can be passed to either
mpvoryoutube-dl(it's not 100% clear to me which).
@woodruffw I am not sure if you get my idea:
- You press "Open with mpv"
- The extension sends are request including the respective cookies to ff2mpv.py
- ff2mpv.py decides on whether to discard them based on an external config file on your drive
- If ff2mpv.py decides to discard the cookies it just opens mpv without the cookies parameter
So there are no cookies send to sites where you don't want them to go. Only ff2mpv.py gets them and can then decide on whether to include it in the youtube-dl request or not. The external config file could of course also contain a whitelist for urls.
Oh, I didn't understand the part about the extension sending the cookies to the native client. That makes sense.
To clarify:
- The extension sends the URL to the native client, along with any cookies retrieved via the Cookies API for that domain
- The native client decides whether to forward those cookies to MPV, based on an allow list managed by the user
Am I understanding that correctly? If so, that sounds reasonable to me, and I'd be happy to merge a PR containing that functionality.
Something to keep in mind for the config file: there are two native clients (Python and Ruby), so the config file needs to be in a format that both can parse without any external dependencies. That leaves pretty much just JSON, which doesn't make for a great config format but should be serviceable for this limited functionality.
Yes this is how my idea was meant. I think a very simple config format would be just a whitelist.txt containing regexes which are then parsed line per line. So if you just want to pass cookies to every site you can just use a regex that matches all. The default behavior should of course be sending no cookies. I guess regexes are also supported in ruby, although I know nothing of ruby. Maybe I can look into a python implementation tomorrow, but I am afraid I am not of great help with ruby...
Yes this is how my idea was meant. I think a very simple config format would be just a whitelist.txt containing regexes which are then parsed line per line. So if you just want to pass cookies to every site you can just use a regex that matches all. The default behavior should of course be sending no cookies. I guess regexes are also supported in ruby, although I know nothing of ruby. Maybe I can look into a python implementation tomorrow, but I am afraid I am not of great help with ruby...
That sounds reasonable to me. Don't worry too much about the Ruby part -- I can take care of that once we have this solidified.
Also, FWIW: I don't think we'll need regexes, since the cookies sent should already be filtered by FQDN. The allowlist can be as simple as a newline-delimited list of domain names.
Feel free to extend the code from my pull request. I think mpv + youtube-dl only support this netscape format. The same function would also have to be ported to ruby.
I think that cookies are already filtered by Firefox at this point: https://github.com/boi4/ff2mpv/blob/feature-cookie-support/ff2mpv.js#L36
Still, you would probably want to regex/check the url that will be passed to mpv and not the cookies themselves and then send the cookies if the url (or maybe just the domain part) matches an entry in the allowlist.
My reasoning behind regexes was less filtering out the right cookies, but rather being able to do things like just whitelist all domains (".*") or whitelist all subdomains of say a university network or something similar. I think I will extend on @boi4's pull request.
mpv can extract the cookies by itself. If there is a way to pass on information such as the profile directory and current container, that should be more than enough.
