jazzband/django-embed-video

django-embed-video==1.2 is rendering the iframe as HTTP rather than HTTPS.

nmcilree opened this issue · 6 comments

When I use the code below the iframe URL is generated as HTTP rather than HTTPS. This means the video does not render because of Chrome's mixed-content policy. Should it be rendering as HTTPS, or am I doing something wrong?

  1. The URL added is HTTPS
  2. When I manually create the iframe with src of my_video.url it works
  3. This happens on both Youtube and Vimeo

Template code:

{% video block.content.url is_secure=True as my_video %}
<!--
URL: {{ my_video.url }}
Thumbnail: {{ my_video.thumbnail }}
Backend: {{ my_video.backend }}
 -->
{% video my_video "medium" %}
{% video block.content.url is_secure=True as my_video %}

HTML output:

<!--
URL: https://player.vimeo.com/video/691993464
Thumbnail: https://i.vimeocdn.com/video/1400681081-e59b05da89e3157e29630ebf81c338608d83bf2aac9a13d6922a3e2fc10f1ee0-d_640
Backend: VimeoBackend
 -->
<iframe width="640" height="480" src="http://player.vimeo.com/video/691993464" frameborder="0" allowfullscreen=""></iframe>

Hi @nmcilree! Have you checked that this is also happening with the latest version i.e. 1.4.3?

2 hours later and finally climbed out of the rabbit hole....

tl;dr - If you are using gunicorn or another WSGI server behind a proxy, Django will see the scheme as HTTP even if your users are accessing via HTTPS.

To Fix:

  1. Add SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') to your settings.py (setting info)
  2. Add proxy_set_header X-Forwarded-Proto $scheme; to your Nginx site config file. (better example)

This will set request.is_secure() equal to true when it is checked here in embed_video_tags.py

The "bug":

That is where my journey ends; however, I could not determine if is_secure=True as shown in your example {% video block.content.url is_secure=True as my_video %} was just being overwritten by the setting mentioned above, or the docs are unclear as to how it should be used. I can also confirm the same result from your #2 point.
This is a super useful package! Probably could use some refactoring to be more forgiving.
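The scheme flip described in the fix above can be reproduced without a running server. The following is an added example, not code from django-embed-video or from anyone in this thread: it models the decision Django's `HttpRequest.is_secure()` makes from the WSGI environ and the `SECURE_PROXY_SSL_HEADER` setting, so you can see why gunicorn behind nginx reports `http` until the proxy header is both sent by nginx and trusted in `settings.py`. The `request_scheme`, `is_secure` and `iframe_src` helpers and the `META_*` dictionaries are constructed for this illustration.

```python
"""Added example (not part of django-embed-video or this issue thread).

Mirrors how Django derives request.scheme so the proxy behaviour in the
thread can be reproduced offline. Assumptions: the WSGI environ keys are
the ones gunicorn builds, and the proxy header name/value match the
SECURE_PROXY_SSL_HEADER value quoted in the thread.
"""

# Same tuple the thread's fix puts in settings.py.
HTTPS_PROXY_SETTING = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta, secure_proxy_ssl_header=None):
    """Return 'http' or 'https' the way Django computes request.scheme.

    meta: the WSGI environ (request.META). A header 'X-Forwarded-Proto'
          added by nginx arrives as meta['HTTP_X_FORWARDED_PROTO'].
    secure_proxy_ssl_header: (header_name, secure_value) or None, i.e.
          the value of settings.SECURE_PROXY_SSL_HEADER.
    """
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            # Only the first entry of a comma-separated list counts
            # (several proxies may each append their own scheme).
            header_value, *_ = header_value.split(",", 1)
            return "https" if header_value.strip() == secure_value else "http"
    # No trusted proxy header configured or present: fall back to the
    # scheme of the socket gunicorn itself accepted, which is plain HTTP
    # when nginx terminates TLS in front of it.
    return meta.get("wsgi.url_scheme", "http")


def is_secure(meta, secure_proxy_ssl_header=None):
    """Equivalent of request.is_secure() for the modelled environ."""
    return request_scheme(meta, secure_proxy_ssl_header) == "https"


def iframe_src(video_id, meta, secure_proxy_ssl_header=None):
    """Build the player URL with the scheme the template tag would pick."""
    scheme = request_scheme(meta, secure_proxy_ssl_header)
    return f"{scheme}://player.vimeo.com/video/{video_id}"


# Constructed environ: nginx terminated TLS, proxied plain HTTP to
# gunicorn and set X-Forwarded-Proto as in step 2 of the fix.
META_BEHIND_PROXY = {
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_PROTO": "https",
}

# Constructed environ: gunicorn serving TLS itself, no proxy involved.
META_DIRECT_TLS = {"wsgi.url_scheme": "https"}


if __name__ == "__main__":
    vid = "691993464"  # video id from the HTML output in the thread
    print("proxy, no setting :", iframe_src(vid, META_BEHIND_PROXY))
    print("proxy, with setting:", iframe_src(vid, META_BEHIND_PROXY, HTTPS_PROXY_SETTING))
    print("direct TLS        :", iframe_src(vid, META_DIRECT_TLS))
```

Note that Django cannot distinguish a proxy-supplied `X-Forwarded-Proto` from one a client sends itself, which is why the nginx line in the fix uses `proxy_set_header` (it overwrites any incoming value) and why the setting should only be enabled when every request reaches gunicorn through that proxy.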

Could you possibly make a PR for adding this information to the documentation so that it is mentioned for people getting started with the package?

It's possible to edit the files directly in the GitHub UI after forking:

https://github.com/jazzband/django-embed-video/blob/master/docs/installation.rst

Should be fixed by the PR, thank you!

It seems I have to add add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
to the nginx site config file for this to work. This took me so long to figure out.