OblivCDN: A Practical Privacy-preserving CDN with Oblivious Content Access

📅 2025-01-13
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address the vulnerability of user content access privacy to third-party observation in Content Delivery Networks (CDNs), this paper presents the first deployable privacy-preserving system for production Internet CDNs, simultaneously ensuring content confidentiality and access pattern obliviousness, while enabling trust-minimized edge-origin cooperative oblivious distribution without relying on trusted hardware. Key contributions include: (1) a Range ORAM variant optimized for sequential block accesses; (2) a distributed trust model embedding the ORAM client at the edge, offloading computation from the origin server; and (3) elimination of trusted hardware dependencies at edge servers. The system is fully compatible with standard HTTP/CDN protocols. Evaluation shows that downloading a 256 MB video takes only 5.6 seconds—90× faster than naive ORAM and 366× faster than OblivP2P—demonstrating high efficiency alongside seamless compatibility with legacy infrastructure.

📝 Abstract
Content providers increasingly utilise Content Delivery Networks (CDNs) to enhance users' content download experience. However, this deployment scenario raises significant security concerns regarding content confidentiality and user privacy due to the involvement of third-party providers. Prior proposals using private information retrieval (PIR) and oblivious RAM (ORAM) have proven impractical due to high computation and communication costs, as well as integration challenges within distributed CDN architectures. In response, we present OblivCDN, a practical privacy-preserving system meticulously designed for seamless integration with the existing real-world Internet-CDN infrastructure. Our design strategically adapts Range ORAM primitives to optimise memory and disk seeks when accessing contiguous blocks of CDN content, both at the origin and edge servers, while preserving both content confidentiality and user access pattern hiding features. Also, we carefully customise several oblivious building blocks that integrate the distributed trust model into the ORAM client, thereby eliminating the computational bottleneck in the origin server and reducing communication costs between the origin server and edge servers. Moreover, the newly-designed ORAM client also eliminates the need for trusted hardware on edge servers, and thus significantly ameliorates the compatibility towards networks with massive legacy devices. In real-world streaming evaluations, OblivCDN demonstrates remarkable performance, downloading a $256$ MB video in just $5.6$ seconds. This achievement represents a speedup of $90\times$ compared to a strawman approach (direct ORAM adoption) and a $366\times$ improvement over the prior art, OblivP2P.

Problem

Research questions and friction points this paper is trying to address.

Content Distribution Network (CDN)
User Privacy Protection
Efficiency and Compatibility
Innovation

Methods, ideas, or system contributions that make the work stand out.

OblivCDN
Privacy-protection
Performance-enhancement