AWS Signed Cookie from Signed URL cross domain

aws-signed-cookie-from-signed-url.js

/**
 * aws-signed-cookie-from-signed-url.js
 * Include this file in the landing page of the CloudFront assets where a signed url (from another domain) would direct users to
 * If the url is signed (i.e. has Policy, Signature and Key-Pair-Id params) it will create cookies for those attributes based on AWS rules
 * This will allow the internal navigation of CloudFront assets without the need of signed urls for each asset
 */

/**
 *
 */
function getUrlVars() {
	var vars = {};
	var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function(m,key,value) {
		vars[key] = value;
	});
	return vars;
}

/**
 *
 * @param parameter
 * @param defaultvalue
 * @returns {*}
 */
function getUrlParam(parameter, defaultvalue){
	var urlparameter = defaultvalue;
	if(window.location.href.indexOf(parameter) > -1){
		urlparameter = getUrlVars()[parameter];
	}
	return urlparameter;
}

/**
 *
 * @param cname
 * @param cvalue
 * @param exdays
 */
function setCookie(cname, cvalue, exdays) {
	var d = new Date();
	d.setTime(d.getTime() + (exdays*24*60*60*1000));
	var expires = "expires="+ d.toUTCString();
	document.cookie = cname + "=" + cvalue + ";" + expires + ";path=/";
}

var Policy = getUrlParam('Policy', '');
var Signature = getUrlParam('Signature', '');
var KeyPairId = getUrlParam('Key-Pair-Id', '');

if (Policy != '' && Signature != '' && KeyPairId != '') {
	//delete cookie first
	setCookie('CloudFront-Policy', '', 0);
	setCookie('CloudFront-Signature', '', 0);
	setCookie('CloudFront-Key-Pair-Id', '', 0);

	//set the cookie
	setCookie('CloudFront-Policy', Policy, 1);
	setCookie('CloudFront-Signature', Signature, 1);
	setCookie('CloudFront-Key-Pair-Id', KeyPairId, 1);
}

Can I just put this script in S3? I've currently setup a CloudFront distribution with S3 as origin. I've uploaded this script in the bucket. When I create a signed URL to this script I'm able to visit the script in my browser but I'm missing some additional context here probably (I'm not a js developer).

@Ivthillo this file would be placed in the CloudFront site it self (the starting page) where your Signed URL is redirecting the user to. The flow would look something like this...

• website 1 would generate a Signed URL to website 2 (CloudFront) the user can click on or redirected to automatically (i.e. http://mysite.com/landing.html)

• website 2's "landing.html" file should contain the javascript noted above. This will allow website 2 to switch from using the signed url to now use Signed Cookies based on the information from the Signed URL.

Home this helps

@darbelaez Thank you for the info. Did the setup but it seems the script expects a signed URL with a custom policy. Is this a requirement or can this work with a canned policy too?

Thanks, got it working with the signed URL with custom policy. After doing it, it became clear how the custom policy is used by the signed cookies.

Thanks, got it working with the signed URL with custom policy. After doing it, it became clear how the custom policy is used by the signed cookies.

Yes! forgot to mention that - i was using a Custom policy - did not try it with a Canned policy but i'm it can be made to work with one with some minor modification. Glad to hear it's working for you.

@darbelaez I have created cookies successfully with your js and able to download m3u8 file through browser URL but still unable to access private video using CloudFront link on my domain.

Am I missing something?