Region blocking is still quite common among video on demand providers. They are probably forced into it by their content suppliers, so if they fail to enforce it or implement it with flaws, they risk contractual penalties. This post is about a Scandinavian video on demand platform which failed at this task. In the last weeks, however, the platform changed its configuration and the issue no longer exists. I publish the flaw so that others can learn from the mistakes.

The platform relied on two different mechanisms to restrict content delivery to one country. The first one is on the user side: the site's JavaScript requests a specific URL which returns true when the client is inside the country and false otherwise. While this may improve the usability of the website, a user side check can never be trusted!

The other protection mechanism was server side. The platform uses Akamai as a content delivery network, configured to deliver content only to users within the country. However, there was a configuration flaw: when every request was extended with an X-Forwarded-For header containing an IP address from within the country, the CDN delivered the content anyway. In other words, a header the client controls was trusted as the client's address.
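As an added example (not the platform's or Akamai's configuration, which is not public), here is an origin-side geo check in JavaScript that resolves the client address the way an edge or reverse proxy should: only X-Forwarded-For entries appended by trusted proxies are honoured, so an in-country address supplied by the client itself has no effect. The address ranges are constructed placeholders standing in for a GeoIP database and the CDN's edge address list.

```javascript
// Added example, not code from the post or from Akamai: an origin-side geo
// check that only honours X-Forwarded-For entries appended by known proxies.
// Constructed sample ranges; a real deployment would consult a GeoIP database
// and the CDN's published edge address list.
const IN_COUNTRY_PREFIXES = ["10.10.0.0/16", "192.0.2.0/24"];
const TRUSTED_PROXIES = ["172.16.0.0/12"];

function ipToInt(ip) {
  const m = String(ip).trim().match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some(n => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const addr = ipToInt(ip), base = ipToInt(net), n = Number(bits);
  if (addr === null || base === null) return false;
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

const inAnyRange = (ip, ranges) => ranges.some(r => inCidr(ip, r));

// Walk X-Forwarded-For from the right, peeling off one entry per trusted proxy hop;
// the first non-proxy address is the client and anything further left is ignored.
// Returns null (fail closed) if the chain is malformed or never leaves the proxies.
function resolveClientIp(remoteAddr, xff) {
  if (!inAnyRange(remoteAddr, TRUSTED_PROXIES)) return remoteAddr; // direct connection
  const hops = String(xff || "").split(",").map(s => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipToInt(hops[i]) === null) return null;
    if (!inAnyRange(hops[i], TRUSTED_PROXIES)) return hops[i];
  }
  return null;
}

function allowedByGeo(remoteAddr, xff) {
  const client = resolveClientIp(remoteAddr, xff);
  return client !== null && inAnyRange(client, IN_COUNTRY_PREFIXES);
}

// The flawed behaviour described in the post: trusting the left-most entry.
function allowedByGeoNaive(remoteAddr, xff) {
  const first = String(xff || "").split(",")[0].trim();
  return inAnyRange(first || remoteAddr, IN_COUNTRY_PREFIXES);
}
```

With these ranges, a foreign client (203.0.113.5) sending X-Forwarded-For: 10.10.1.1 passes allowedByGeoNaive but is rejected by allowedByGeo, whether it connects directly or through a trusted edge node.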

As a proof-of-concept I turned those discoveries into a Chrome extension. I used chrome.webRequest.onBeforeRequest.addListener to intercept the request to the country check URL. In older versions of Chrome it was possible to return the expected result directly from the extension. As newer versions do not allow responses from localhost, I set the response up on my server and send it together with an Access-Control-Allow-Origin header. To add the header to outgoing requests, chrome.webRequest.onBeforeSendHeaders.addListener is used. This is applied to all URLs related to Akamai.

This extension made it possible to use the video on demand platform from abroad with the same experience as within the country. Compared with proxy services, the full network bandwidth was available. The only problem was with live content, which used a different configuration.