In reality, you can’t. But you can make it harder to steal.
In my experience grabbing videos, I just use the debugger of the browser. I prepare the network tab and let the video load. Then I look for it in the loaded resources, grab it’s url, and open it in another tab to download it.
the routine was basically:
- load the video
- get the link
- load it again but this time, not using the player
One thing you can do to prevent this method is to prevent the link from being reusable. Once the player loads using the disposable url, the server makes it unusable.
Similar to CSRF prevention, create a token and store it in the session. At the same time, place this token in a hidden input tag, cookie, or in the video link itself when generating the page. Then when the player loads, have it request for a access of the video using the token. If the token sent exists in the session, the server allow access to video. After access is allowed, delete that token from the server-side so that further use of the same token will be invalid.
To add to that, have the token expire on the server after several minutes of being unused, enough time for the page to use it for the video request but short enough for one to get the link and use it.
This method will NOT prevent:
- Tools that pick up the file from the cache. Streamed videos (especially those done streaming) are stored in the cache of the browser.
- This will not prevent tools that intercept the player’s video request. Some tools hijack the request that uses the token to gain access.
After scouring the net about customizing the context menu of an html5 video, i found this article. it mentions about having the video be overlayed by a div to prevent direct click on it (thus no right-click to the video). as for the controls, i believe one can build your own video controls in JS so that it is outside of the video (so that you can overlay the div in front of the video without covering the controls).