Youtube scripts will be blocked on HTTPS page

[meinharrd]

Issue:

• When I embed a Youtube video on a HTTPS page, the latest Chrome and Firefox block their scripts with a "This page has insecure content" warning
• This is caused by the iframe src being a HTTP resource

Solution:

• Appending "&scheme=https" to the endpoint URL, example: http://www.youtube.com/oembed?url=http%3A//www.youtube.com/watch%3Fv%3DbDOYN-6gdRE&format=json&scheme=https will make the iframe src a HTTPS URL

Implementation:

• Allow 'scheme' option in https://github.com/felixgirault/essence/blob/master/lib/Essence/Provider/OEmbed.php#L226 so something like "$essence->embed($url, array('scheme' => 'https'))" can be used if the embedding page is HTTPS
• Maybe this can only be allowed for provider Youtube, since "scheme" doesn't seem to be a standard oEmbed parameter

References:

• http://apiblog.youtube.com/2011/02/https-support-for-youtube-embeds.html
• Similar issue: Allow https YouTube oEmbed URLs silverstripe/silverstripe-framework#2541

[felixgirault]

Thank you, your solution is perfect to me.
I'll work on that and get back to you soon.

PS : What do you think about detecting current protocol automatically by default ?

[meinharrd]

thanks for implementing this. :)

unfortunately dailymotion has the same issue regarding browser warnings, but they don't have a url parameter like "scheme" for it. so their html is just broken and i need to do a search&replace (http -> https) to get my embeds working. :-/

automatic detection is a nice idea. if it works reliably and can be switched off, why not have it by default.

[felixgirault]

I was in the process of implementing it when I remembered this simple trick:

<iframe src="//www.youtube.com/..." />

Using // instead of http:// or https:// simply lets the browser do the choice depending on the context.
Would it be enough to solve your problem ?

[meinharrd]

sorry, i can't test this right now. could you reproduce my issue?

[fabienlege]

any solution for https ?

[felixgirault]

I didn't have much time to work on it recently... I'll try again when I can.
If you have a solution, feel free to make a pull request ;)

[fabienlege]

i work with this hack now but it's not beatifull :
preg_replace('#http://#', 'https://', $video->html)

[smarques]

this indeed is a problem if you have a site under https. I am also doing a str replace like

 $string = str_replace('http://','//',$string);

it would be nice if you could request the scheme as an option, or it would be sufficient to use // as @felixgirault said. The problem seems to be the embed info comes directly from the oembed provider, and I don't think youtube gives you that option. Pls correct me if I am wrong.

[felixgirault]

As @meinharrd pointed out, there is a way to get https URLs from Youtube, but not from all providers.
A simple str_replace() could solve most of the problems, but it could also break things, i.e. on providers that doesn't support https.

I don't really know what to do about this, as I don't know much about https...
If any one of you guys want to submit a pull request, I'd be happy to check it out ;)
Otherwise, I'm afraid I will not have so much time to work that out soon.

[zyuhel]

Hulu has correct embed url available only in og:video tag. Oembed always return http version. So it seems that html block need to be formed on our side, using data from meta-tags. that return us to issue #110 about chaining different providers. Because author info is not available on OpenGraph