Would the asset firewall block plugins from accessing videos?

I’m using the Asset Firewall described here (https://getkirby.com/docs/cookbook/asset-firewall). I’m trying to display a video on one of my pages, but for some reason, the video will not show. If I add the video outside of my Kirby directory, it will play. This is making me believe it’s the firewall that’s blocking the videos from showing. Even more weird, the videos are displaying perfectly in Chrome, but not at all in Safari. Here’s a link where I’m doing some tests:

Inside the Kirby site folder: http://jony.io/video-test

Outside the Kirby site folder: http://jony.io/1rm-loop-test.mp4

Any help here will be greatly appreciated!

Does it work in Safari without the asset firewall? It’s a bit strange that it works in Chrome and FF, but not in Safari. How is the video embedded in the page?

Yes. I just downloaded a fresh install of Kirby onto my server, and the video plays without any issue. When it’s on my installation with the firewall, Safari can’t seem to access the video.

Update:

# firewall
RewriteRule ^content/(.*)$ index.php [L]

After removing the code above from my .htaccess file, the videos seem to be playing in Safari. Is there a way I can keep the firewall active, and still show videos on my site?


But shouldn’t the firewall prevent access to all media (at least for all non-authorized users)? Somehow, it doesn’t make sense to block access to all assets and then make them publicly available, unless the resource is in a folder that is not blocked. But if access to all media is blocked, then it shouldn’t be accessible via Chrome either. So I’m a bit at a loss as to what exactly you want the firewall for.

The firewall is there for specific posts on the site inside the portfolio. I’ve done this to block access to the images if you have a direct link, but no login information. Outside of the portfolio however, the firewall shouldn’t be active afaik…

Here’s the code I’m using in the firewall to prevent access to non-password protected posts:

if($parent->password() == '1' and !site()->user()) {
    header::forbidden();
    die('Unauthorized access');
} else {
    $file->show();
}

I have the same problem:

As soon as the files are handled through the routes, videos cannot be loaded anymore. If I comment out the supposed line in .htaccess (so the files are delivered directly), the videos are playing.

The problem seems to be something with $file->show() and the file type. I can download the videos and play them on my computer without any problem but playing in the browser doesn’t work. I’m using the code from the tutorial.

So to wrap it up:

Works: Embedding video files without firewall, downloading videos without firewall, downloading with firewall
Doesn’t work: Embedding video files with firewall

I tested it in Safari and Chrome; results and behaviour are the same.

Any idea what to do? I really need to use the firewall since I have a few pages with assets that need to be secured while others are not.

For now I excluded the media file types from the firewall, but as there could be secured files of these types, this cannot be the final solution. I did so by adding a rewrite condition:

RewriteCond %{REQUEST_URI} !\.(mp4|mp3|aac|m4v|ogg|webm)$
RewriteRule ^content/(.*)$ index.php [L]

I just discovered that there is the same problem with SVG files… it seems it is just not working as it should.
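
An added example, not part of the thread and not Kirby's own code: Safari's media player fetches video with HTTP Range requests and expects a 206 Partial Content reply, so a PHP pass-through that always sends the whole file can download fine yet fail to play. The sketch below keeps the access check in front and serves byte ranges itself; the function name serveWithRanges is hypothetical, and using $file->root() and $file->mime() for the path and MIME type is an assumption about the Kirby file object.

```php
<?php
// Added example. Call only AFTER the firewall's access check has passed,
// e.g. in place of $file->show():
//   serveWithRanges($file->root(), $file->mime());   // assumed Kirby accessors
function serveWithRanges($path, $mime)
{
    $size   = filesize($path);
    $start  = 0;
    $end    = $size - 1;
    $status = 200;

    $range = isset($_SERVER['HTTP_RANGE']) ? $_SERVER['HTTP_RANGE'] : '';
    // Handle one range: "bytes=a-b", "bytes=a-" or "bytes=-n".
    // Anything else (multi-range, malformed) is ignored and the full file is sent.
    if (preg_match('/^bytes=(\d*)-(\d*)$/', $range, $m) && ($m[1] !== '' || $m[2] !== '')) {
        if ($m[1] === '') {
            $start = max(0, $size - (int) $m[2]);   // suffix: last n bytes
        } else {
            $start = (int) $m[1];
            if ($m[2] !== '') {
                $end = min((int) $m[2], $size - 1);
            }
        }
        if ($start > $end) {                        // range lies outside the file
            http_response_code(416);
            header("Content-Range: bytes */$size");
            return;
        }
        $status = 206;
    }

    // Drop any output buffers so large files are streamed, not held in memory.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    http_response_code($status);
    header("Content-Type: $mime");
    header('Accept-Ranges: bytes');
    header('Content-Length: ' . ($end - $start + 1));
    if ($status === 206) {
        header("Content-Range: bytes $start-$end/$size");
    }

    $fh   = fopen($path, 'rb');
    fseek($fh, $start);
    $left = $end - $start + 1;
    while ($left > 0 && ($chunk = fread($fh, min(8192, $left))) !== false && $chunk !== '') {
        echo $chunk;
        $left -= strlen($chunk);
        flush();
    }
    fclose($fh);
}
```

With this in place the rewrite rule can keep routing every file under content/ through index.php, so protected media stays behind the login check instead of being exempted by extension.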