Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

embedded iframes: mixed content issue #1213

Closed
afuna opened this issue Feb 14, 2015 · 2 comments · Fixed by #1240
Closed

embedded iframes: mixed content issue #1213

afuna opened this issue Feb 14, 2015 · 2 comments · Fixed by #1240
Assignees
@afuna
Labels
status: claimed status: untriaged
Milestone
HTTPS Everywhere v1

Comments

@afuna
Copy link
Member

afuna commented Feb 14, 2015

When a video / embed uses http instead of https, we'll run into mixed content issues.

So thoughts:

  • more popular sites which we know support http, we can rewrite from http -> https
  • less popular sites, placeholder? just live with the mixed content?

We could also try to proxy the videos, but videos are a much bigger space / bandwidth commitment than images so I'm hesitant to start with that!
@afuna afuna added this to the HTTPS Everywhere v1 milestone Feb 14, 2015
@zorkian
Copy link
Member

zorkian commented Feb 14, 2015

I don't think proxying would work for videos, given our current proxy
solution involves local caching. We'd have to download the videos, which
would be rough.

Don't we only allow embedding certain content? We can make sure they
support HTTPS and just rewrite them?

Mark Smith mark@qq.is

On Fri, Feb 13, 2015, at 05:34 PM, Afuna wrote:

When a video / embed uses http instead of https, we'll run into mixed
content issues.

So thoughts:

  • more popular sites which we know support http, we can rewrite from
    http -> https
  • less popular sites, placeholder? just live with the mixed content?
    We could also try to proxy the videos, but videos are a much bigger
    space / bandwidth commitment than images so I'm hesitant to start
    with that!

— Reply to this email directly or view it on GitHub[1].

Links:

  1. embedded iframes: mixed content issue #1213

@afuna
Copy link
Member Author

afuna commented Feb 14, 2015

Sure, so the first bullet point, but applied to everything we whitelist?
that sounds doable.

afuna added a commit to afuna/dw-free that referenced this issue Feb 21, 2015
@afuna
[dreamwidth#1213] Rewrites http:// video embeds to use protocol relat…
1d725dd 
…ive URLs

* ... only if they support them (all the big sites do, smaller ones may
  or may not). We don't want to force to https if it isn't supported
  because the behavior is unreliable.

  An http embed on https may throw up a browser warning.

  A non-working https embed may, e.g., show a cryptic error message
  about internal server error, a blank page, or (in one case) an
  unrelated internal service

* added arguments so that we only change the URL if we're going to
  display the embed (as opposed to editing the embed, or cleaning for
  saving in the database).

Fixes dreamwidth#1213.
@afuna afuna mentioned this issue Feb 21, 2015
Merged
afuna added a commit to afuna/dw-free that referenced this issue Feb 21, 2015
@afuna
[dreamwidth#1213] Rewrites http:// video embeds to use protocol relat…
5d34b93 
…ive URLs

* ... only if they support them (all the big sites do, smaller ones may
  or may not). We don't want to force to https if it isn't supported
  because the behavior is unreliable.

  An http embed on https may throw up a browser warning.

  A non-working https embed may, e.g., show a cryptic error message
  about internal server error, a blank page, or (in one case) an
  unrelated internal service

* added arguments so that we only change the URL if we're going to
  display the embed (as opposed to editing the embed, or cleaning for
  saving in the database).

Fixes dreamwidth#1213.
zorkian added a commit that referenced this issue Feb 21, 2015
@zorkian
Merge pull request #1240 from afuna/embeds-https-bug-1213
5093e6a 
[#1213] Rewrites http:// video embeds to use protocol relative URLs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@afuna afuna

Labels
status: claimed status: untriaged
Milestone
HTTPS Everywhere v1
Development

Successfully merging a pull request may close this issue.

[#1213] Rewrites http:// video embeds to use protocol relative URLs afuna/dw-free
3 participants
@zorkian @afuna @robodw-issues