Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Youtube embedding broken on Firefox #4264

Closed
taratatach opened this Issue Jun 27, 2013 · 18 comments

Comments

Projects
None yet
7 participants
Contributor

taratatach commented Jun 27, 2013

In Firefox (at least 24), trying to load a embedded youtube video raises this security error in the console :

Blocked loading mixed active content "http://www.youtube.com/embed/gv6cJ3gfsXc?feature=oembed&autoplay=1" @ https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js:2

The video is not loaded of course.

Contributor

Flaburgan commented Jun 28, 2013

New in Firefox 23 (release today as the Firefox beta) : "Mixed content blocking enabled to protects users from man-in-the-middle attacks and eavesdroppers on HTTPS pages" (release note)

More details here: https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/

It's strange that nobody notice it before, I use only Firefox beta not Aurora but I'm sure we have user with Aurora and Nightlies..

Contributor

Flaburgan commented Jun 28, 2013

We need to test, but if it's really about that, here is the bug where we can signal it to Mozilla : https://bugzilla.mozilla.org/show_bug.cgi?id=844556

I still have that problem (with Firefox 23.0, Ubuntu). I can't load any embeded youtube videos unless I disable the mixed content blocked option (the little shield next to the url). And I have to do it every time I load or reload the page. Any news or solutions?

Same thing with Vimeo.

Contributor

Flaburgan commented Aug 6, 2013

It will have this behavior with everything which is not HTTPS. I'll check with the Firefox developers, but I think the solution is to automatically link to httpS://www.youtube.com instead of http://www.youtube.com...

I thought Firefox had introduced an option which forced load of https on all sites on which it was available (but I now can't find this option). If not, there are extensions such as HTTPS Everywhere which will do this.

I know this isn't a full solution, but it might help @miguelmaiquez until the problem has been solved (and it's good for secure browsing in any case).

Thank you very much. It works fine with HTTPS Everywhere. I just hope this issue is not to going to send away potential new users of Diaspora. Hopefully is going to be fixed soon.

Contributor

Flaburgan commented Aug 9, 2013

Okay so it looks like the solution to this is to systematically use the https version of the website instead of the http one. I do not follow the oEmbed project but as this is a major issue, I think they'll fix that inside the gem, don't you think? We need to see this issue solved before the release of the next version anyway, because it's a major regression.

Owner

jhass commented Aug 9, 2013

Well, the main issue is that youtube always returns the non https version: http://www.youtube.com/oembed?url=https://www.youtube.com/watch?v=kcDpj-7nhys

Contributor

Flaburgan commented Aug 9, 2013

Hm, this issue is more generic than youtube, it's about every http-content include inside diaspora*.

Well, I just updated Firefox 23 and now is working fine for me. I'll let https everywhere on, anyway, for secure browsing. Thanks for all that information, MrZYX, very interesting,

Contributor

Flaburgan commented Oct 30, 2013

I suggest a dirty hack or anything else, but we can't stay with that broken, it's more than annoying.

As Youtube supports HTTPS, and HTTPS is good for security, why don't we just force HTTPS whenever someone posts a Youtube link using insecure HTTP?

Contributor

Flaburgan commented Oct 30, 2013

That's why I suggested with "a dirty hack" :p

Contributor

polsvoice commented Jan 19, 2014

I just get a spinning wheel and the video never loads. (I'm on Firefox 26, Linux.) The error I got from the console was:

Blocked loading mixed active content "http://www.youtube.com/embed/wZZ7oFKsKzY?feature=oembed&autoplay=1&wmode=opaque"

However! I tried posting the same video from HTTPS, and it still didn't work. I got the same behavior, but no errors in the console.

Shmerl commented on this post that Youtube serves HTTP for the media even if HTTPS is requested, so there might be no way to get around this. No simple way, at any rate.

Contributor

Flaburgan commented Jan 19, 2014

Hm, I just discovered in the help pages that youtube proposes "Use HTTPS" and "Enable Privacy-enhanced mode".

Unfortunately, I just tried manually, on a video page, to select "share" then "integrate", and I have the "privacy" option (which link to youtube-nocookie.com instead of youtube.com) but I don't have the "HTTPS" option..

@fabianrbz fabianrbz closed this Feb 18, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment