Firefox now blocks iframes that don't match the parent frame's http/https protocol. This breaks many existing embedded videos

Bug #1211583 reported by Kristina Hoeppner
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | Fix Released | High | Unassigned |

Bug Description

Firefox 23 has a new "mixed content blocked" security feature (see https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/ for more information).

It prohibits https sites from seeing (some) http content. For example, YouTube videos or SlideShare content on an http:// URL is not displayed when the Mahara page is on https.

Kristina Hoeppner (kris-hoeppner) wrote :

We do not use protocols for the allowed iframe sources when entering new sites. So maybe there we don't have the problem. Maybe the problem is only with the hard-coded / built-in filters.

Aaron Wells (u-aaronw) wrote :

It's true that you don't enter protocols to the URLs on the "Allowed iframe sources" page (admin/extensions/iframesites.php).

BUT, the important bit is whether the protocols are present in:

1. The URLs that people have pasted into external content blocks
2. The embed code HTML that people have pasted into external content blocks

Actually, the way the code is currently written, we FORCE people to include a protocol in the external content block, whether they enter a URL or a full embed code (in which case each URL in it needs the protocol).

We will need to do a find/replace for URLs with the wrong protocol, and turn them into protocol-relative URLs (and update our htmlpurifier and other code, to accept protocol-relative URLs), or to protocols with the site's current URL. This find/replace could either be when the user enters the data (and update all the data in existing blocks using an update script), or it could be when we're rendering the block. I'm not sure which approach exactly would be best, at this point.
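
The find/replace described in the comment above, as an added example (not Mahara's code and not taken from the patch for bug 1207140): it rewrites the `src` of iframes whose host is on an allowlist to a protocol-relative URL, which the browser resolves with the parent page's scheme. The function names and the host-only allowlist are assumptions, and the `src` attribute is assumed to be quoted.

```php
<?php
// Added illustration, not Mahara code. Function names and the allowlist are hypothetical.

// Return $url in protocol-relative form if it is http(s) and its host is allowlisted.
function make_protocol_relative(string $url, array $allowedhosts): string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $url; // relative, already protocol-relative, or unparseable
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $url; // leave other schemes alone
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $url; // "http://allowed.host@other.host/" must not pass as allowed.host
    }
    if (!in_array(strtolower($parts['host']), $allowedhosts, true)) {
        return $url; // unknown host: do not touch, the existing filter decides
    }
    return substr($url, strlen($parts['scheme']) + 1); // drop "http:", keep "//host/..."
}

// Rewrite the quoted src attribute of every <iframe> in pasted embed code.
function rewrite_embed_html(string $html, array $allowedhosts): string {
    return preg_replace_callback(
        '/(<iframe\b[^>]*?\ssrc\s*=\s*)(["\'])(.*?)\2/is',
        function (array $m) use ($allowedhosts): string {
            $url = trim(html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
            $new = make_protocol_relative($url, $allowedhosts);
            if ($new === $url) {
                return $m[0]; // unchanged: keep the author's markup byte for byte
            }
            return $m[1] . $m[2] . htmlspecialchars($new, ENT_QUOTES, 'UTF-8') . $m[2];
        },
        $html
    ) ?? $html; // on a regex error, fall back to the input
}

// Constructed sample input: one allowlisted embed, one userinfo look-alike.
$allowed = ['www.youtube.com', 'www.slideshare.net'];
$sample = '<iframe width="560" src="http://www.youtube.com/embed/VIDEOID?rel=0&amp;hd=1"></iframe>'
        . "\n" . '<iframe src="http://www.youtube.com@other.example/x"></iframe>';
echo rewrite_embed_html($sample, $allowed), "\n";
```

A protocol-relative URL only avoids the mixed-content block when the embedded host actually serves the same content over https.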

Aaron Wells (u-aaronw)
summary: - Mixed content blocked
+ Firefox now blocks iframes that don't match the parent frame's
+ http/https protocol. This breaks many existing embedded videos
Aaron Wells (u-aaronw) wrote :

Problem solved by the patch for https://bugs.launchpad.net/mahara/+bug/1207140

Changed in mahara:
status: Confirmed → Fix Released