Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#36274 closed enhancement (duplicate)

Youtube oEmbed handlers should be HTTPS

Reported by: tollmanz
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9
Component: Embeds
Keywords: good-first-bug
Focuses:
Cc:
PR Number:

Description

All of the handlers for Youtube oEmbeds utilize HTTP URIs. The HTTP URIs redirect to HTTPS. The URIs should be hardcoded as HTTPS.

This is beneficial for performance (i.e., removes a costly redirect) and security (i.e., mitigates a person in the middle opportunity).

The URIs I am referring to are:

'#http://((m|www)\.)?youtube\.com/watch.*#i'          => array( 'http://www.youtube.com/oembed',                             true  ),
'#https://((m|www)\.)?youtube\.com/watch.*#i'         => array( 'http://www.youtube.com/oembed?scheme=https',                true  ),
'#http://((m|www)\.)?youtube\.com/playlist.*#i'       => array( 'http://www.youtube.com/oembed',                             true  ),
'#https://((m|www)\.)?youtube\.com/playlist.*#i'      => array( 'http://www.youtube.com/oembed?scheme=https',                true  ),
'#http://youtu\.be/.*#i'                              => array( 'http://www.youtube.com/oembed',                             true  ),
'#https://youtu\.be/.*#i'                             => array( 'http://www.youtube.com/oembed?scheme=https',                true  )

Additionally, this is a great first patch ticket.

Attachments (1)

36724.diff (2.6 KB) - added by zsusag 4 years ago.
Hardcoded all YouTube oembed links to use https instead of http.

Change History (7)

#1 @netweb
4 years ago

  • Keywords good-first-bug added
  • Version set to 2.9

#3 @Otto42
4 years ago

On the whole, I think we should default to always using https when possible. So, if an https version exists, always use it.

@zsusag
4 years ago

Hardcoded all YouTube oembed links to use https instead of http.

#4 @thomaswm
4 years ago

Related: #28507

#5 @swissspidy
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Thanks for your patch, @thomaswm!

Since #28507 is an ongoing ticket for secure embeds, I am closing this ticket here as a duplicate. Of course the patch is perfectly fine and we can continue working on that in the other ticket.

#6 @johnbillion
3 years ago

In 38365:

Embeds: Always use the HTTPS endpoint for YouTube embeds. The scheme parameter is no longer required as all YouTube assets now use HTTPS.

See #36274, #28507
Props zsusag, tollmanz
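
The check this ticket asks for can be run over any provider map. The following is an added example, not code from the ticket, the attached patch, or WordPress core: it flags oEmbed endpoints that are not HTTPS and rewrites them. The function names are hypothetical, the sample map is a subset of the entries quoted in the description, and dropping the `scheme` parameter follows the commit message above.

```php
<?php
// Sample provider map: a subset of the entries quoted in the ticket description.
$providers = array(
    '#http://((m|www)\.)?youtube\.com/watch.*#i'  => array( 'http://www.youtube.com/oembed', true ),
    '#https://((m|www)\.)?youtube\.com/watch.*#i' => array( 'http://www.youtube.com/oembed?scheme=https', true ),
    '#http://youtu\.be/.*#i'                      => array( 'http://www.youtube.com/oembed', true ),
    '#https://youtu\.be/.*#i'                     => array( 'http://www.youtube.com/oembed?scheme=https', true ),
);

// Hypothetical helper: list provider patterns whose endpoint is not HTTPS.
// Endpoints with no scheme at all are flagged too, since they cannot be verified.
function find_plaintext_endpoints( array $providers ) {
    $flagged = array();
    foreach ( $providers as $pattern => $data ) {
        $scheme = parse_url( $data[0], PHP_URL_SCHEME );
        if ( 'https' !== strtolower( (string) $scheme ) ) {
            $flagged[ $pattern ] = $data[0];
        }
    }
    return $flagged;
}

// Hypothetical helper: rewrite each endpoint to HTTPS and drop the
// YouTube-specific scheme=https parameter, keeping any other query arguments.
function upgrade_endpoints( array $providers ) {
    foreach ( $providers as $pattern => $data ) {
        $parts = parse_url( $data[0] );
        if ( empty( $parts['host'] ) ) {
            continue; // Not an absolute URL: leave it for manual review.
        }
        parse_str( isset( $parts['query'] ) ? $parts['query'] : '', $query );
        unset( $query['scheme'] );
        $url = 'https://' . $parts['host'] . ( isset( $parts['path'] ) ? $parts['path'] : '' );
        if ( $query ) {
            $url .= '?' . http_build_query( $query );
        }
        $providers[ $pattern ][0] = $url;
    }
    return $providers;
}

$upgraded = upgrade_endpoints( $providers );
printf(
    "plaintext endpoints before: %d, after: %d\n",
    count( find_plaintext_endpoints( $providers ) ),
    count( find_plaintext_endpoints( $upgraded ) )
);
foreach ( $upgraded as $pattern => $data ) {
    echo $pattern, ' => ', $data[0], "\n";
}
```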
