django-embed-video==1.2 is rendering the iframe as HTTP rather than HTTPS.
nmcilree opened this issue · 6 comments
When I use the code below the iframe URL is generated as HTTP rather than HTTPS. This means the video does not render because of Chrome's mixed-content policy. Should it be rendering as HTTPS, or am I doing something wrong?
- The URL added is HTTPS
- When I manually create the iframe with a src of my_video.url it works
- This happens on both YouTube and Vimeo
Template code:

```django
{% video block.content.url is_secure=True as my_video %}
<!--
URL: {{ my_video.url }}
Thumbnail: {{ my_video.thumbnail }}
Backend: {{ my_video.backend }}
-->
{% video my_video "medium" %}
{% video block.content.url is_secure=True as my_video %}
```
HTML output:

```html
<!--
URL: https://player.vimeo.com/video/691993464
Thumbnail: https://i.vimeocdn.com/video/1400681081-e59b05da89e3157e29630ebf81c338608d83bf2aac9a13d6922a3e2fc10f1ee0-d_640
Backend: VimeoBackend
-->
<iframe width="640" height="480" src="http://player.vimeo.com/video/691993464" frameborder="0" allowfullscreen=""></iframe>
```
Hi @nmcilree! Have you checked that this is also happening with the latest version i.e. 1.4.3?
2 hours later and finally climbed out of the rabbit hole....
tl;dr - If you are using gunicorn or another WSGI server behind a proxy, Django will see the scheme as HTTP even if your users are accessing via HTTPS.
To fix:

- Add `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` to your settings.py (setting info)
- Add `proxy_set_header X-Forwarded-Proto $scheme;` to your Nginx site config file. (better example)

This will set `request.is_secure()` equal to true when it is checked here in embed_video_tags.py
The "bug":

That is where my journey ends; however, I could not determine if `is_secure=True` as shown in your example `{% video block.content.url is_secure=True as my_video %}` was just being overwritten by the setting mentioned above, or the docs are unclear as to how it should be used. I can also confirm the same result from your #2 point.
This is a super useful package! Probably could use some refactoring to be more forgiving.
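Added example (not part of this thread or of django-embed-video): a small model of the proxy hop described above, with Django's `SECURE_PROXY_SSL_HEADER` scheme resolution re-implemented inline so it runs without Django installed. It shows why the iframe comes out as `http://` without the setting, why the setting alone is only safe when nginx overwrites `X-Forwarded-Proto` unconditionally, and the resulting player URL; `nginx_forward`, `scenario` and the header dictionaries are constructed for this illustration.

```python
from typing import Mapping, Optional, Tuple

# Re-implementation (assumption, not an import) of how Django derives
# request.scheme: the configured proxy header wins when present, otherwise
# the WSGI server's own view of the connection (wsgi.url_scheme) is used.
def request_scheme(meta: Mapping[str, str],
                   secure_proxy_ssl_header: Optional[Tuple[str, str]]) -> str:
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:
            first, *_ = value.split(",", 1)  # first hop wins on a proxy chain
            return "https" if first.strip() == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")

def nginx_forward(client_headers: dict, client_scheme: str, overwrite: bool) -> dict:
    """Constructed model of the proxy hop. gunicorn talks plain HTTP on the
    loopback, so wsgi.url_scheme is always 'http'. With
    `proxy_set_header X-Forwarded-Proto $scheme;` nginx overwrites whatever
    the client sent; without it a client-supplied header passes through."""
    meta = {"wsgi.url_scheme": "http"}
    meta.update({"HTTP_" + k.upper().replace("-", "_"): v
                 for k, v in client_headers.items()})
    if overwrite:
        meta["HTTP_X_FORWARDED_PROTO"] = client_scheme
    return meta

def iframe_src(video_url: str, is_secure: bool) -> str:
    """Rebuild the player URL with the scheme the request resolved to,
    which is what ends up in the rendered iframe's src attribute."""
    path = video_url.split("://", 1)[1]
    return ("https" if is_secure else "http") + "://" + path

SETTING = ("HTTP_X_FORWARDED_PROTO", "https")
URL = "https://player.vimeo.com/video/691993464"  # URL from the issue

def scenario(setting, client_headers, client_scheme, proxy_overwrites):
    meta = nginx_forward(client_headers, client_scheme, proxy_overwrites)
    secure = request_scheme(meta, setting) == "https"
    return iframe_src(URL, secure)

if __name__ == "__main__":
    # The bug as reported: HTTPS user, but Django only sees gunicorn's HTTP.
    print("no setting:", scenario(None, {}, "https", True))
    # The fix: setting plus nginx overwriting the header.
    print("setting + nginx header:", scenario(SETTING, {}, "https", True))
    # Why both halves are needed: setting without the overwrite lets a
    # client-supplied header decide the scheme (a plain-HTTP visitor here).
    print("setting, header passed through:",
          scenario(SETTING, {"X-Forwarded-Proto": "https"}, "http", False))
```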
Could you possibly make a PR for adding this information to the documentation so that it is mentioned for people getting started with the package?
It's possible to edit the files directly in the GitHub UI after forking:
https://github.com/jazzband/django-embed-video/blob/master/docs/installation.rst
Should be fixed by the PR, thank you!
It seems I have to add `add_header 'Content-Security-Policy' 'upgrade-insecure-requests';` to the nginx site config file for this to work. This took me so long to figure out.