DEV Community: Akashi The latest articles on DEV Community by Akashi (@astralchemist). https://dev.to/astralchemist https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3944086%2Fb454bbce-04b9-4e84-8db3-4aff7189e820.jpeg DEV Community: Akashi https://dev.to/astralchemist en Rebuilding the movie-web proxy after it shut down: HLS, headers, and the sandbox-detection trap Akashi Thu, 21 May 2026 13:05:24 +0000 https://dev.to/astralchemist/rebuilding-the-movie-web-proxy-after-it-shut-down-hls-headers-and-the-sandbox-detection-trap-e41 https://dev.to/astralchemist/rebuilding-the-movie-web-proxy-after-it-shut-down-hls-headers-and-the-sandbox-detection-trap-e41 <h2> A walk through the gotchas behind a tiny HLS / MP4 media proxy manifest rewriting, header forwarding, the Cloudflare wall, and why some embed providers detect iframe sandbox attributes and refuse to play </h2> <p>When <a href="https://github.com/movie-web/movie-web" rel="noopener noreferrer">movie-web shut down</a> in 2024 under legal pressure, the proxy that powered it went with it. The community immediately fractured into forks each one independently reinventing the same handful of pieces: an HLS proxy, an iframe ad-guard, a list of working embed providers. Most reinvented them badly.</p> <p>I'd written all three for <a href="https://github.com/Astralchemist" rel="noopener noreferrer">Aetherly</a>, a private streaming front-end, so over the weekend I extracted them as standalone MIT-licensed packages:</p> <ul> <li> <strong><a href="https://github.com/Astralchemist/aetherly-stream-proxy" rel="noopener noreferrer"><code>aetherly-stream-proxy</code></a></strong> — zero-dep HLS / MP4 proxy with header forwarding</li> <li> <strong><a href="https://github.com/Astralchemist/aetherly-embed-guard" rel="noopener noreferrer"><code>aetherly-embed-guard</code></a></strong> — iframe popup/redirect guard for third-party video providers</li> <li> <strong><a href="https://github.com/Astralchemist/tmdb-embed-providers" rel="noopener noreferrer"><code>tmdb-embed-providers</code></a></strong> — typed list of TMDB-id-keyed providers with a probeProvider() health check</li> </ul> <p>The stream-proxy is the load-bearing piece, and it has a surprising number of trapdoors. This post walks through them.</p> <h2> The naive proxy </h2> <p>If you've never built one, the first attempt always looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">).</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">)</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">upstream</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">upstream</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">upstream</span><span class="p">.</span><span class="nx">headers</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>This works for about 30 seconds, then breaks in five different ways.</p> <h2> Trapdoor 1: HLS manifests reference segments by relative URL </h2> <p>An HLS playlist looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#EXTM3U #EXT-X-VERSION:3 #EXTINF:10.0, segment-001.ts #EXTINF:10.0, segment-002.ts #EXT-X-ENDLIST </code></pre> </div> <p>Your proxy fetches <code>master.m3u8</code> and returns it. The browser parses it, then tries to load <code>segment-001.ts</code> from your origin <strong>not</strong> from the original CDN. Result: 404 for every segment.</p> <p>You have to rewrite every non-comment line back through the proxy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">rewriteHlsManifest</span><span class="p">(</span><span class="nx">text</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">manifestUrl</span><span class="p">:</span> <span class="nx">URL</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">text</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sr">/</span><span class="se">\r?\n</span><span class="sr">/</span><span class="p">).</span><span class="nf">map</span><span class="p">((</span><span class="nx">line</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">line</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span> <span class="o">||</span> <span class="nx">line</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">#</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="nx">line</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">absolute</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">line</span><span class="p">.</span><span class="nf">trim</span><span class="p">(),</span> <span class="nx">manifestUrl</span><span class="p">).</span><span class="nx">href</span><span class="p">;</span> <span class="k">return</span> <span class="s2">`/api/media-proxy?url=</span><span class="p">${</span><span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">absolute</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}).</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>And the <code>#</code>-prefixed lines aren't safe either — <code>#EXT-X-KEY</code>, <code>#EXT-X-MAP</code>, and <code>#EXT-X-MEDIA</code> all carry <code>URI="..."</code> attributes for AES keys, init segments, and alternate audio tracks. Miss those and encrypted streams silently fail.</p> <h2> Trapdoor 2: providers gate playback on Referer / Origin </h2> <p>A lot of embed providers do something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">referer</span><span class="dl">'</span><span class="p">)</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">https://expected-domain/</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">'</span><span class="s1">Forbidden</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The browser cannot send a forged <code>Referer</code> — that header is set by the browser based on the page making the request, and CORS will block almost every workaround. So the client tells the proxy which headers to forward, and the proxy attaches them server-side.</p> <p>The dangerous version of this passes raw header values straight through:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Don't do this</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-forward-headers</span><span class="dl">'</span><span class="p">)</span><span class="o">!</span><span class="p">);</span> <span class="k">return</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="nx">headers</span> <span class="p">});</span> </code></pre> </div> <p>You've just built an open SSRF: anyone can hit your proxy with <code>Authorization: Bearer ...</code> headers targeted at any internal service. Gate header forwarding through an allowlist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ALLOWED_HEADER_PREFIXES</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">referer</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cookie</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">x-</span><span class="dl">'</span><span class="p">];</span> <span class="kd">function</span> <span class="nf">decodeProxyHeaders</span><span class="p">(</span><span class="nx">encoded</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">encoded</span><span class="p">,</span> <span class="dl">'</span><span class="s1">base64url</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">());</span> <span class="kd">const</span> <span class="na">out</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">]</span> <span class="k">of</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">parsed</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">lower</span> <span class="o">=</span> <span class="nx">key</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ALLOWED_HEADER_PREFIXES</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">lower</span> <span class="o">===</span> <span class="nx">p</span> <span class="o">||</span> <span class="nx">lower</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">p</span><span class="p">)))</span> <span class="k">continue</span><span class="p">;</span> <span class="nx">out</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">out</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Trapdoor 3: upstream <code>Content-Encoding</code> will make the browser reject the response </h2> <p>If you copy upstream response headers verbatim, you carry over <code>Content-Encoding: gzip</code> (or <code>br</code>, or <code>zstd</code>). But <code>fetch()</code> has <em>already</em> decompressed the body — the bytes you're streaming back are plain. The browser sees <code>Content-Encoding: gzip</code> on uncompressed bytes and throws <code>net::ERR_CONTENT_DECODING_FAILED</code>.</p> <p>Same problem with <code>Content-Length</code> (often wrong after rewriting an <code>.m3u8</code>), <code>Transfer-Encoding</code>, and the connection-management hop-by-hop set. Strip them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">HOP_BY_HOP</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keep-alive</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">proxy-authenticate</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">proxy-authorization</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">te</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">trailer</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">transfer-encoding</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">upgrade</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">content-encoding</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">content-length</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">content-security-policy</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">x-frame-options</span><span class="dl">'</span><span class="p">,</span> <span class="p">]);</span> </code></pre> </div> <p><code>content-security-policy</code> and <code>x-frame-options</code> also need to go, otherwise the browser refuses to render your proxied content inside an iframe.</p> <h2> Trapdoor 4: MP4 seeking requires Range request forwarding </h2> <p>For MP4 streams (which some providers serve instead of HLS), seeking in the <code>&lt;video&gt;</code> element works via <code>Range: bytes=...</code> requests. If your proxy doesn't forward those, scrubbing breaks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">range</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">range</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">range</span><span class="p">)</span> <span class="nx">forwardHeaders</span><span class="p">.</span><span class="nx">Range</span> <span class="o">=</span> <span class="nx">range</span><span class="p">;</span> </code></pre> </div> <p>You also need to preserve the upstream <code>206 Partial Content</code> status and <code>Content-Range</code> response header. Most importantly: don't <code>await response.arrayBuffer()</code> and re-emit — stream the body through (<code>new Response(upstream.body, ...)</code>) so the browser can play before the whole file is buffered.</p> <h2> Trapdoor 5: the sandbox-detection trap </h2> <p>This one is specific to embed providers, and it's the dumbest of the bunch.</p> <p><code>&lt;iframe sandbox&gt;</code> is the right tool for embedding third-party video. You add <code>allow-scripts allow-same-origin allow-forms</code> and so on, and the browser blocks popups, top-window navigation, and a long list of other ad-injection tricks. Perfect.</p> <p>Except some providers — <code>vidfast.pro</code>, <code>vidlink.pro</code>, a couple of others — run this on page load:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if </span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">frameElement</span> <span class="o">&amp;&amp;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">frameElement</span><span class="p">.</span><span class="nx">sandbox</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Please disable sandbox</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>If you sandbox them at all, they refuse to play. The "solution" is to maintain an allowlist of <em>trusted-direct</em> providers that are rendered with no sandbox attribute, relying on the browser's popup blocker as your only ad mitigation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">TRUSTED_DIRECT_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">vidfast.pro</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">vidlink.pro</span><span class="dl">'</span><span class="p">];</span> <span class="kd">function</span> <span class="nf">isTrustedDirect</span><span class="p">(</span><span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">host</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">url</span><span class="p">).</span><span class="nx">hostname</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">();</span> <span class="k">return</span> <span class="nx">TRUSTED_DIRECT_HOSTS</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">h</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">host</span> <span class="o">===</span> <span class="nx">h</span> <span class="o">||</span> <span class="nx">host</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="s2">`.</span><span class="p">${</span><span class="nx">h</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>For everyone else, the reverse-proxy injects a guard script into the upstream HTML that fakes <code>window.open</code>, cancels cross-origin clicks, and re-routes <code>fetch</code> / <code>XHR</code> back through the proxy. That covers ~90% of the ad-injection patterns, but it's an arms race.</p> <h2> Trapdoor 6: providers rotate domains weekly </h2> <p>Half the providers in any list are dead within a quarter. They get DMCA'd, the domain expires, they migrate to a sibling TLD. The first version of my providers list shipped with <code>autoembed.cc</code>, <code>moviesapi.club</code>, <code>vidsrc.icu</code>, <code>smashy.stream</code> — every single one of them had no DNS resolution within 24 hours of release. Even <code>embed.su</code>, which I'd been using in production for months, turned out to be dead globally.</p> <p>The fix isn't to maintain the list more aggressively — it's to ship a runtime probe:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">probeProvider</span><span class="p">(</span><span class="nx">provider</span><span class="p">);</span> <span class="c1">// result.status === 'alive-embed' | 'alive-spa' | 'cf-challenge' | 'http-error' | 'dead'</span> </code></pre> </div> <p>…and have consumers prune their fallback chain at startup or on a cron.</p> <h2> Trapdoor 7: Cloudflare blocks server-side fetches </h2> <p>Some of the most useful providers (<code>vidsrc.to</code>, <code>vidsrc.cc</code>, <code>2embed.cc</code>, <code>multiembed.mov</code>) sit behind Cloudflare with browser-integrity checks turned on. From a real Chrome they work fine. From a server-side <code>fetch()</code> they return 403 with a JS challenge page.</p> <p>You can't reverse-proxy these — the challenge runs in a real browser, and a server-side fetch can't execute it. But they still work as <strong>direct</strong> iframes (because the user's browser passes the challenge naturally). So you need a third tier:</p> <ul> <li> <strong>Trusted-direct</strong> (sandbox refuses → load with no sandbox, no proxy)</li> <li> <strong>Proxied</strong> (proxy with guard script + sandbox)</li> <li> <strong>CF-direct</strong> (proxy probe will fail → fall back to direct iframe with sandbox)</li> </ul> <p>The client-side fallback chain tries proxy first, and if the probe returns 403 or JSON (challenge page), it loads the direct sandboxed iframe instead. Slower than ideal, but it's the only thing that works for that tier.</p> <h2> All the pieces </h2> <p>The three packages are zero-dependency, ESM, typed, and Web-Fetch-API-native — they work in Next.js App Router, Cloudflare Workers, Bun, and Deno without changes. Each is around 150-300 lines.</p> <p>If you're building a movie-web fork, a self-hosted media frontend, or anything that has to embed third-party video and wants the ad-defense plumbing solved correctly, they're worth ten minutes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>aetherly-stream-proxy aetherly-embed-guard tmdb-embed-providers </code></pre> </div> <p>Repos:</p> <ul> <li><a href="https://github.com/Astralchemist/aetherly-stream-proxy" rel="noopener noreferrer">https://github.com/Astralchemist/aetherly-stream-proxy</a></li> <li><a href="https://github.com/Astralchemist/aetherly-embed-guard" rel="noopener noreferrer">https://github.com/Astralchemist/aetherly-embed-guard</a></li> <li><a href="https://github.com/Astralchemist/tmdb-embed-providers" rel="noopener noreferrer">https://github.com/Astralchemist/tmdb-embed-providers</a></li> </ul> <p>PRs welcome, especially provider list maintenance and new framework adapters.</p> hls nextjs opensource mp4