django-embed-video==1.2 is rendering the iframe as HTTP rather than HTTPS.

jazzband / django-embed-video

Django app for easy embedding YouTube and Vimeo videos and music from SoundCloud.

http://django-embed-video.rtfd.org

MIT License

383 stars 137 forks source link

django-embed-video==1.2 is rendering the iframe as HTTP rather than HTTPS. #172

Closed nmcilree closed 1 year ago

nmcilree commented 2 years ago

When I use the code below the iframe URL is generated as HTTP rather than HTTPS. This means the video does not render because of Chrome mixed protocol policy. Should it be rendering as HTTPS or am I doing something wrong.

The URL added is HTTPS
When I manually create the iframe with src of my_video.url it works
This happens on both Youtube and Vimeo

Template code:

{% video  block.content.url is_secure=True as my_video %}                
<!--
URL: {{ my_video.url }}
Thumbnail: {{ my_video.thumbnail }}                
Backend: {{ my_video.backend }}
 -->
{% video my_video "medium" %}
{% video  block.content.url is_secure=True as my_video %}

HTML output:

<!--
URL: https://player.vimeo.com/video/691993464
Thumbnail: https://i.vimeocdn.com/video/1400681081-e59b05da89e3157e29630ebf81c338608d83bf2aac9a13d6922a3e2fc10f1ee0-d_640
Backend: VimeoBackend
 -->
 <iframe width="640" height="480" src="http://player.vimeo.com/video/691993464" frameborder="0" allowfullscreen=""></iframe>

aleksihakli commented 2 years ago

Hi @nmcilree! Have you checked that this is also happening with the latest version i.e. 1.4.3?

justinmerrell commented 1 year ago

2 hours later and finally climbed out of the rabbit hole....

tl;dr - If you are using gunicorn or another WSGI server behind a proxy, Django will see the scheme as HTTP even if your users are accessing via HTTPS.

To Fix:

Add SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') to your settings.py (setting info)
Add proxy_set_header X-Forwarded-Proto $scheme; to your Nginx site config file. (better example)

This will set request.is_secure() equal to true when it is checked here in embed_video_tags.py

The "bug":

That is where my journey ends; however, I could not determine if is_secure=True as shown in your example {% video block.content.url is_secure=True as my_video %} was just being overwritten by the setting mentioned above, or the docs are unclear as to how it should be used. I can also confirm the same result from your #2 point.

This is a super useful package! Probably could use some refactoring to be more forgiving.

aleksihakli commented 1 year ago

Could you possibly make a PR for adding this information to the documentation so that it is mentioned for people getting started with the package?

It's possible to edit the files directly in the GitHub UI after forking:

https://github.com/jazzband/django-embed-video/blob/master/docs/installation.rst

justinmerrell commented 1 year ago

https://github.com/jazzband/django-embed-video/pull/194

aleksihakli commented 1 year ago

Should be fixed by the PR, thank you!

ajuroshan commented 1 month ago

it seems I've to add add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; to the nginx site config file for this to work. This took me so long to figure out.