What we are doing is embedding the video in an iframe to “hide” the URL of the video. The iframe wrapper checks to determine if the referrer is our domain, if it is, it will display the video in the iframe. If it is not, the wrapper will deny access. And this works to a certain extent.
The issue is once the video URL is called from the iframe, the source URL of the iframe is able to be determined if a user inspects the HTML source of the wrapper. A registered user of the site would be able to then generate a list of all the video URL’s, if they were so inclined. And these URL’s are viewable from any location.
Originally, I had hoped the server allow/deny directive may provide the additional level of security we would need but it appears that directive restricts by the remote address, not the referring website. The restricted secure subdomain does provide remote address protection https://domian.secure.html
Does anyone have any suggestions as to how we could restrict access by the referring website at the server level? The isloggedin method checks for $CFG->User how can this be included in a non moodle file? Any suggestions?