[wp-trac] [WordPress Trac] #23149: YouTube Embedding is incorrect for https:// URLs

WordPress Trac noreply at wordpress.org
Thu Jan 23 22:05:04 UTC 2014 

#23149: YouTube Embedding is incorrect for https:// URLs
------------------------------------+---------------------
 Reporter:  Otto42                  |       Owner:  nacin
     Type:  enhancement             |      Status:  closed
 Priority:  normal                  |   Milestone:  3.9
Component:  Embeds                  |     Version:  3.5
 Severity:  normal                  |  Resolution:  fixed
 Keywords:  has-patch dev-feedback  |
------------------------------------+---------------------

Comment (by westonruter):

 Replying to [comment:21 adamsilverstein]:
 > Replying to [comment:17 Otto42]:
 > > [attachment:23149.3.diff] is a patch to always use the https scheme,
 regardless of the URL given.
 > >
 > > Whether this is desirable or not is up for debate.
 >
 > The arguments I would have against going all https are: 1. some networks
 may block https and that would mean users wouldn't see videos and 2. its
 unexpected behavior - do we do that anywhere else? (serve up https when
 http has been embedded)? and 3. it's a waste of resources (serving over
 https vs. http)

 I just ran into a problem here with a site that is served entirely over
 HTTPS. If a user uses the URL that YouTube provides, this URL uses HTTP.
 If you then embed this URL into a site that is served over HTTPS, then it
 will fail to embed (at least in Chrome) and give the error:

 > [blocked] The page at 'https://example.com/' was loaded over HTTPS, but
 ran insecure content from
 'http://www.youtube.com/embed/DYu_bGbZiiQ?feature=oembed': this content
 should also be loaded over HTTPS.

 So if we can't always default to using HTTPS, then what about forcing all
 URLs to be HTTPS if it is determined that the `siteurl` is HTTPS?
 Otherwise, I suppose a content filter can be added which checks if
 `is_ssl` and replaces all HTTP oEmbeds with HTTPS ones. This would address
 the situation where some pages of the site are served over HTTP whereas
 others over HTTPS.

 Should this be re-opened or should a new ticket be made?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/23149#comment:28>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list