#36274 closed enhancement (duplicate)
Youtube oEmbed handlers should be HTTPS
| Reported by: | tollmanz | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.9 |
| Component: | Embeds | Keywords: | good-first-bug |
| Focuses: | | Cc: | |
Description
All of the handlers for Youtube oEmbeds utilize HTTP URIs. The HTTP URIs redirect to HTTPS. The URIs should be hardcoded as HTTPS.
This is beneficial for performance (i.e., removes a costly redirect) and security (i.e., mitigates a person in the middle opportunity).
The URIs I am referring to are:
```php
'#http://((m|www)\.)?youtube\.com/watch.*#i' => array( 'http://www.youtube.com/oembed', true ),
'#https://((m|www)\.)?youtube\.com/watch.*#i' => array( 'http://www.youtube.com/oembed?scheme=https', true ),
'#http://((m|www)\.)?youtube\.com/playlist.*#i' => array( 'http://www.youtube.com/oembed', true ),
'#https://((m|www)\.)?youtube\.com/playlist.*#i' => array( 'http://www.youtube.com/oembed?scheme=https', true ),
'#http://youtu\.be/.*#i' => array( 'http://www.youtube.com/oembed', true ),
'#https://youtu\.be/.*#i' => array( 'http://www.youtube.com/oembed?scheme=https', true )
```
Additionally, this is a great first patch ticket.
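The check this ticket asks for, written as an added example (not WordPress core code and not the attached patch): it audits a provider map of the shape quoted above for plaintext endpoints and rewrites them to HTTPS. The function name `force_https_endpoints` and the `example.test` entry are hypothetical, and the rewrite assumes each host serves the same oEmbed API over HTTPS, as the ticket states for YouTube.

```php
<?php
// Added example. Map shape copied from the ticket:
// URL-matching regex => array( oEmbed endpoint, is-regex flag ).
$providers = array(
    '#http://((m|www)\.)?youtube\.com/watch.*#i'  => array( 'http://www.youtube.com/oembed', true ),
    '#https://((m|www)\.)?youtube\.com/watch.*#i' => array( 'http://www.youtube.com/oembed?scheme=https', true ),
    '#https://youtu\.be/.*#i'                     => array( 'http://www.youtube.com/oembed?scheme=https', true ),
    // Constructed entry: already HTTPS, so it must come back unchanged.
    '#https://example\.test/v/.*#i'               => array( 'https://example.test/oembed', true ),
);

/**
 * Return the provider map with every plaintext endpoint rewritten to HTTPS.
 * $changed receives pattern => original endpoint for each rewritten entry.
 * Assumption: the endpoint host answers on HTTPS with the same path and query.
 */
function force_https_endpoints( array $providers, array &$changed = array() ) {
    $changed = array();
    foreach ( $providers as $pattern => $data ) {
        list( $endpoint, $is_regex ) = $data;
        // Case-insensitive scheme test; the path and query string are preserved.
        if ( 0 === stripos( $endpoint, 'http://' ) ) {
            $providers[ $pattern ] = array( 'https://' . substr( $endpoint, 7 ), $is_regex );
            $changed[ $pattern ]   = $endpoint;
        }
    }
    return $providers;
}

$fixed = force_https_endpoints( $providers, $changed );

// Report each rewritten endpoint so the change can be reviewed before shipping.
foreach ( $changed as $pattern => $old ) {
    printf( "%s\n  %s -> %s\n", $pattern, $old, $fixed[ $pattern ][0] );
}
printf( "%d of %d endpoints were plaintext HTTP\n", count( $changed ), count( $providers ) );
```

On a live site the same function could be attached to WordPress's `oembed_providers` filter, which passes the provider map as its single argument.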
Attachments (1)
Change History (7)
#3
@
9 years ago
On the whole, I think we should default to always using https when possible. So, if an https version exists, always use it.
#5
@
9 years ago
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
Thanks for your patch, @thomaswm!
Since #28507 is an ongoing ticket for secure embeds, I am closing this ticket here as a duplicate. Of course the patch is perfectly fine and we can continue working on that in the other ticket.
Previously: #18719, #23149.