Closed nmcilree closed 1 year ago
Hi @nmcilree! Have you checked that this is also happening with the latest version i.e. 1.4.3?
2 hours later and finally climbed out of the rabbit hole....
tl;dr - If you are using gunicorn or another WSGI server behind a proxy, Django will see the scheme as HTTP even if your users are accessing via HTTPS.
To Fix:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
to your settings.py (setting info)proxy_set_header X-Forwarded-Proto $scheme;
to your Nginx site config file. (better example)This will set request.is_secure()
equal to true when it is checked here in embed_video_tags.py
The "bug":
That is where my journey ends; however, I could not determine if is_secure=True
as shown in your example {% video block.content.url is_secure=True as my_video %}
was just being overwritten by the setting mentioned above, or the docs are unclear as to how it should be used. I can also confirm the same result from your #2 point.
This is a super useful package! Probably could use some refactoring to be more forgiving.
Could you possibly make a PR for adding this information to the documentation so that it is mentioned for people getting started with the package?
It's possible to edit the files directly in the GitHub UI after forking:
https://github.com/jazzband/django-embed-video/blob/master/docs/installation.rst
Should be fixed by the PR, thank you!
it seems I've to add add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
to the nginx site config file for this to work. This took me so long to figure out.
When I use the code below the iframe URL is generated as HTTP rather than HTTPS. This means the video does not render because of Chrome mixed protocol policy. Should it be rendering as HTTPS or am I doing something wrong.
Template code:
HTML output: