YouTube Embedding Fails for https:// URLs

[MacMacken]

YouTube embedding in WordPress works only for ​http:// URLs. It fails for ​https:// URLs, i.e., the URL is shown and not the video that should have been embedded.

[ocean90]

Does the Google API return a https embed code?

[ocean90]

http://www.youtube.com/oembed?url=https://... will be the same result as with http://.

https://www.youtube.com/oembed?url=https://... will only return the thumbnail_url with ​https://.

[nacin]

We may need to modify the get_html() method in WP_oEmbed to replace http:// with https?:// before sending it into the preg_match (but after preg_quoting). I don't see a problem with allowing oembed for any https URL when we have the http one registered.

[ocean90]

If I insert a https URL I would expect that I get a https output. But we can't guarantee it.

[Otto42]

This appears to have been fixed by youtube.

This URL gives me the html (an iframe). However, the src of that iframe is not an https URL, just an HTTP one. Don't know if an embedded iframe with a non-ssl link will cause an issue on pages.

​https://www.youtube.com/oembed?url=https%3A//www.youtube.com/watch%3Fv%3DoHg5SJYRHA0&format=json

[rich_brat]

Is there any way to get around this bug until it's fixed? I tried to add an https youtube provider using wp_oembed_add_provider but it didn't seem to work.

[Otto42]

Until YouTube returns https results in the iframe, embedding such a link would just result in a broken page in most browsers, since the iframe isn't SSL.

This is fundamentally a YouTube issue that they need to correct with their oembed, I think.

[SergeyBiryukov]

Version number indicates when the bug was initially introduced/reported.

[rich_brat]

Sorry, I'm new here :)

Thanks Otto42!

[Otto42]

In theory, simply adding these lines to class-oembed.php would do the trick:

'#https://(www\.)?youtube.com/watch.*#i'         => array( 'https://www.youtube.com/oembed',            true  ),
'https://youtu.be/*'                             => array( 'https://www.youtube.com/oembed',            false ),

But there are two problems:

1. The wp_remote_get in the _fetch_with_format function doesn't disable the sslverify option. So unless you have fully updated Certificate Authority lists in your PHP install (which no realistic PHP install has), then the SSL GET call will fail here. Adding with 'sslverify'=>0 as the arg array to this call will bypass this problem, but more code might be needed to check that an SSL transport is available before making the call.

2. YouTube still doesn't return https src's in the iframes even when you use SSL throughout the request. So the resulting iframe will be http, potentially breaking the "secure" page in some browsers, if the page this is being embedded on is https as well.

So the patch is easy, however it's pointless to even bother with until YouTube fixes issue 2 and returns HTTPS src's in their oembed results.

When the iframe in the data returned from this link has an https src, then this patch can be made and be meaningful:

​https://www.youtube.com/oembed?url=https%3A//www.youtube.com/watch%3Fv%3DoHg5SJYRHA0&format=json

[Otto42]

Properly support https URLs for youtube oembeds

[Otto42]

Scratch that. It appears Google/YouTube decided that they didn't want to fix this in the most obvious way. Instead, they added a nonstandard "scheme=https" parameter for those cases where you want https results instead.

See ​https://groups.google.com/forum/?fromgroups#!topic/youtube-api-gdata/S9Fa-Zw2Ma8

Attached patch will add the scheme=https parameter to the youtube call for the https cases, resulting in the iframe having the proper https src result. Tested on trunk, works fine. No special cases needed for https calls or SSL transport handling, the oembed call is still http, it's just the result that's being adjusted to have the https.

[rich_brat]

Great! I actually found that google thread but didn't really know what to do with it :)

A quick fix for functions.php:

wp_oembed_add_provider('https://youtu.be/*', 'http://youtube.com/oembed?scheme=https', false );
wp_oembed_add_provider('#https://(www\.)?youtube.com/watch.*#i', 'http://youtube.com/oembed?scheme=https', true);

[tech163]

I think it would make more sense to display HTTPS depending on if the blog is displayed via HTTPS, not if the link starts with https.

[ocean90]

Related: #20102

[helenyhou]

[21915]

[abstraction]

The attachment added by Otto42 does not work. I tested it with this https link:
​https://www.youtube.com/watch?v=31-zJSn2DLQ&feature=g-u-u
And it only displayed the link itself, not the embed. Also, the functions.php solution posted does not work either. Is there actually a solution out there that works?

EDIT: Further testings shows that this part of the URL is what is causing it to not function: &feature=g-u-u

The link still works fine in http but not in https when this is included. Any fix for this issue?

[ocean90]

Are you using any WordPress 3.5 version?

[Otto42]

Nope, patch does work. Tested on trunk, using your URL.

It doesn't actually matter whether the &feature= bit is included or not, because the link is retrieved and the oembed information is gathered directly from the linked site. WordPress isn't parsing the URL, it's retrieving it and getting the application/json+oembed link in the header.

Edit: Note that the oembed retrieval happens on post save, so editing the post and resaving will cause it to go do the retrieval again, so if it failed the first time for whatever reason, then editing and saving may produce the illusion that the edit made the difference, when really the save just made it retry.

[abstraction]

@Otto42 You are correct. I tested this by clicking on the Preview button before it was saved. Is there any way to it work on preview prior to the post being published.

The issue here is that I run a multiple author platform where users publish for approval - meaning that they will need to submit it for approval before the YouTube embed will become functional...

Also to note, somehow this URL ​https://www.youtube.com/watch?v=31-zJSn2DLQ works in preview prior to save. But once &feature=g-u-u is added, it doesn't.

[Otto42]

That might be TinyMCE doing some magic tricks, separate from the oembed. The oembed may be improved in the future, but that's for a separate ticket.

[Otto42]

patch to fix https youtube oembed calls

[Otto42]

Update: This is still not correctly fixed. Although the https URL is supported, and the resulting oembed call returns the correct iframe embed, it also causes the iframe to be returned with only http content, not https content.

Again, YouTube added a non-standard parameter to support https versions of their oembeds, and that has to be handled separately.

18719.2.diff​ attached for trunk.

[nacin]

As this ticket was closed as fixed on a completed milestone, please open a new ticket.

Note that [21915] was "by design." It was intended to ensure we parsed https links, not to ensure https content. There was an IRC conversation about this: ​https://irclogs.wordpress.org/chanlog.php?channel=wordpress-dev&day=2012-09-19&sort=asc#m459455.

[Otto42]

Fair enough.

#23149