We have a site that is about to be put under SSL. Per this thread on StackOverflow, we're concerned about security warnings in IE.

http://stackoverflow.com/questions/2388327/internet-explorer-warning-whe...

I have looked at the media_youtube.module and seen the handful of places where "http" would need to be replaced to be "https". I did so as a test and it worked fine - YouTube serves up the video w/o a problem. (Though the test is not yet complete because our site does not have the the SSL.)

https://www.youtube.com/watch?v=RuzdGiW90Zs

Would be great to have this as a configuration option. Thanks!

CommentFileSizeAuthor
#7 https_embed_and_thumbnails-1100464-8436097.patch2.35 KBliggitt
#9 media_youtube-https_variable-1100464-9.patch7.52 KByan
#10 D6_6.x-1.3_media_youtube_https-1100464-10.patch8.03 KBherved
#10 D6_6.x-1.x_media_youtube_https-1100464-10.patch8.18 KBherved
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

aaron’s picture

aaron CreditAttribution: aaron commented
Version: 6.x-1.3 » 6.x-1.x-dev

the solution would be ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') ? 'https://' : 'http://') in the theme layer, when creating the url for the video.

jrsinclair’s picture

jrsinclair CreditAttribution: jrsinclair commented

In case anyone else is searching for a solution to this issue, you can add a function to your theme's template.php file as follows:

function MYTHEMENAME_preprocess_media_youtube_default_external(&$variables) {
  $ssl = (!empty($_SERVER['HTTPS']));
  if ($ssl) {
    $variables['url']       = preg_replace('/^http:/', 'https:', $variables['url']);
    $variables['thumbnail'] = preg_replace('/src="http:/', 'src="https:', $variables['thumbnail']);
  }
}

That should change the URIs to https without the need to add an extra .tpl.php file

That said, it would be nice if the module maintainers added this into the module itself so we didn't have to think about it...

JamesSharpe’s picture

JamesSharpe CreditAttribution: JamesSharpe commented

This is also an issue with 7.x. In this case the above solution doesn't entirely work as the embed is generated via javascript so you need to modify the javascript file too.

Chris Dart’s picture

Chris Dart CreditAttribution: Chris Dart commented

And for the vimeo module, the javascript file that needs to be updated to support this for version 7 is media_vimeo/includes/js/media_vimeo.js line 55.

My javascript for url parsing is not very good. But for the vimeo module you can edit line 55
Should/could read something like:
var site_protocol = window.location.protocol;
var vimeo_src = "://player.vimeo.com/video/";
var src = site_protocol + vimeo_src + settings.video_id;

This needs more testing to get it to work. Otherwise, just edit the js file to use https and hope that the developers add this feature in future versions.

laughnan’s picture

laughnan
he/him/his
CreditAttribution: laughnan commented

Subscribe.

liggitt’s picture

liggitt CreditAttribution: liggitt commented

For 6.x, there are several places the links to youtube and thumbnail urls are built. Defaulting these to https works fine on http pages, and avoids "Insecure content" warnings on https pages.

liggitt’s picture

liggitt CreditAttribution: liggitt commented
Issue summary: View changes
FileSize
https_embed_and_thumbnails-1100464-8436097.patch2.35 KB
rgchi’s picture

rgchi CreditAttribution: rgchi commented

Not quite as nice as the code in comments above, but nevertheless, this hackish bit circumvented this issue. 

function hook_preprocess_page(&$variables) {
	$variables['content'] = str_replace('http://www.youtube.com', 'https://www.youtube.com', $variables['content']);
	$variables['content'] = str_replace('http://player.vimeo.com/video/', 'https://player.vimeo.com/video/', $variables['content']);
	$variables['content'] = str_replace('http://www.vimeo.com/', 'https://www.vimeo.com/', $variables['content']);
}
yan’s picture

yan CreditAttribution: yan commented
Status: Active » Needs review
FileSize
media_youtube-https_variable-1100464-9.patch7.52 KB

Here's a path against 6.x-1.x-dev that changes two things:

  1. It makes the embedding process "sensitive" to whether a page is viewed through https or not - and by default uses the same connection security to embed a video.
  2. It adds an option in the settings to force the use of https ignoring whether the page is viewd through https or not.
herved’s picture

herved CreditAttribution: herved commented
FileSize
D6_6.x-1.x_media_youtube_https-1100464-10.patch8.18 KB
D6_6.x-1.3_media_youtube_https-1100464-10.patch8.03 KB

Hello,

Thank you @yan for the patch.

+++ b/includes/media_youtube.variables.inc
@@ -193,7 +193,15 @@ function media_youtube_variable_default($name = NULL) {
+      // Use https if page is accessed through https.
+      'media_youtube_https' => ((!isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://'),
     );
+
+    // Force the use of https if that setting is activated.
+    if (media_youtube_variable_get('force_https') == 1) {
+      $defaults['media_youtube_https'] = 'https://';
+    }

The patch works but I think media_youtube_variable_default() should return only fixed values. So I set "force_https" in it to FALSE and then I exposed a function returning 'https://' or 'http://' depending on the current protocol and this "force_https" variable.

I made 2 patches:
- D6_6.x-1.x_media_youtube_https-1100464-10.patch that can be applied on the current 6.x-1.x branch
- D6_6.x-1.3_media_youtube_https-1100464-10.patch that can be applied on the current 6.x-1.3 release
@aaron: A new release including this fix would be really nice ;)

I landed here because I had a problem with CKEditor not loading the iframe on Internet explorer (>=IE9) and showing:

Only secure content is displayed message | Show all content.

I discovered that this happened only on pages having an embedded video using media youtube.
This is a security feature of IE (I didn't know about) - http://support.microsoft.com/kb/2625928 - which doesn't load iframes using http if we are in https and asks you to explicitly allow this by clicking on "Show all content" in order to load them.

Regards,
Hervé

The last submitted patch, 10: D6_6.x-1.3_media_youtube_https-1100464-10.patch, failed testing.

kleinmp’s picture

kleinmp CreditAttribution: kleinmp commented

Patch #10 is working nicely for me. I'm using the html5 format and the dev version of the module.

joscar’s picture

joscar CreditAttribution: joscar commented
Status: Needs review » Reviewed & tested by the community

  • liggitt authored 669be70 on 6.x-1.x 
    Issue #1100464 by herved, liggitt, yan: Allow video to be embedded with...
joseph.olstad’s picture

joseph.olstad
Primary language French
CreditAttribution: joseph.olstad as a volunteer and commented
Status: Reviewed & tested by the community » Fixed

for what its worth;
fixed in 6.x-1.x dev

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.