20 September 2013, 7:27

Hello, when I get embed code from youtube or vimeo, I've noticed that it has // in front of www.youtube.com, but not the http: , and the video won't display. But, if I put http: in front then it works. Is this something new that youtube is doing? Is there a way to fix it? 
Thanks,
Dave

20 September 2013, 13:26

Hello Dave,

We are aware of this change by a number of providers and already have a patch. See https://bugs.launchpad.net/mahara/+bug/1207140 for more information and links to the patches. The fix will be in the next minor point releases, but you can already put the patch on your instance.

Cheers

Kristina

21 September 2013, 11:10

Thanks Kristina!

It looks like this just fixes youtube. I should be able to figure it out for vimeo myself, following the youtube code, but is someone working on that?

Dave

22 September 2013, 22:24

Hello Dave,

It also fixes Vimeo and others as it's a more generic fix. The bug may just talk about YouTube. We have this fix applied and Vimeo also works again.

Cheers

Kristina

23 September 2013, 11:41

I've updated the bug title to make it more generic.

What it came down to was that our iframe filter didn't support "scheme-relative URLs", which is a URL that starts with just "//", such as "//youtube.com". A URL such as this in an HTML page, will be resolved by the browser using the same protocol (HTTP or HTTPS) as the page itself.

These used to be pretty obscure and rare, but earlier this year Firefox added a new security feature that disables HTTP iframes in HTTPS web pages. As a result, YouTube changed their embed codes to use schema-relative iframe URLs, so that the embed snippet can be used on an HTTP or HTTPS page, and won't throw a security warning on either one. Vimeo seems to have recently followed suit, and I expect other services that provide iframe embed snippets will do so eventually as well.

Cheers,

Aaron