Youtube Embed Bug with latest Chrome Version


(5an1ty) #1

Youtube video’s don’t embed anymore since I updated to the latest version of Chrome (30.0.1599.69 m) on my install that uses HTTPS.

It does work on this install, so my only guess is that this is caused by HTTPS?


(Nicholas Perry) #2

If I recall correctly, youtube flash content is served from http: so it may be the https that is causing issues. I know that https://youtube.com will throw a little warning in chrome upon loading planing the content - but doesn’t occur until I click on the “load plugins” button.

Might want to look at the Chromium bug reports to see if embeds are broken elsewhere.


(Jeff Atwood) #3

What does this mean, “my install that uses https”


(5an1ty) #4

That I use an SSL Certificate in my NGINX config and that I redirect users that try to reach the website via http to the https resource.


(5an1ty) #5

I upgraded to the latest version and the issue still persists (Used to work until a couple of days ago when I didn’t change anything at all).

Here’s my relevant part of the NGINX config:

server {
        listen          80;
        server_name     server.name.here;
        return          301 https://$host$request_uri;
}
 
server {
 
  listen 443 ssl;
  ssl_certificate       cert.crt;
  ssl_certificate_key  cert.key;

Any help much appreciated, the embed code generated:

<iframe width="480" height="270" src="http://www.youtube.com/embed/0nlJuwO0GDs?feature=oembed" frameborder="0" allowfullscreen=""></iframe>

Edit: Found something! If I change the embed code to:

<iframe width="480" height="270" src="https://www.youtube.com/embed/0nlJuwO0GDs?feature=oembed" frameborder="0" allowfullscreen=""></iframe>

The video embeds fine!


(Nicholas Perry) #6

I know that chrome auto-updates, so perhaps something did change that you weren’t aware of?

I haven’t found anything in chrome’s change log that would cause this behavior.

To rule out settings changes, give this tutorial a shot: and set the setting to “Allow all content to load”, then clear your cache and reload the page. Make sure to note what it was set to initially.


(5an1ty) #7

It’s set to allow all content to load. In my opinion if your site is using ssl it should auto embed the htttps:// versions of youtube videos.


(Claus Strasburger) #8

@ultimape: The tutorial you linked to is for a (very) old version of chrome. Does anyone have a hint how to find that setting nowadays (Chrome 30+)?

Users keep complaining about that on my forum, too. The reason is that Chrome/Firefox block any http-served scripts (like youtube) and replace them with a blank box, leading to complaints like “why are you posting empty messages?”

In fact, Chrome does display a warning in the form of a tiny shield icon in the upper right that nobody would even notice:
https://support.google.com/chrome/answer/1342714?hl=en
(related bug report for chromium - navigating through the page doesn’t clear the warning)

Firefox uses an even more inconspicuous warning on the upper left: Mixed Content Blocking Enabled in Firefox 23! | Tanvi Vyas

I did a pull-request which fixes this (at least for youtube) by replacing every embed with a protocol-agnostic link:
http://youtube.com/blah becomes //youtube.com/blah - the browser selects the protocol it is currently using.
@Neil thankfully merged it, so it should be in the next release :smiley:


(Claus Strasburger) #9

Follow-up:
I do not recommend this to anyone, because there are cases in which this behaviour is really important.
In my opinion, a much cleaner way would be to let the user have a whitelist for specific sites. I did not find that feature until now.

Chrome has the command-line-option --allow-running-insecure-content which disables this behaviour altogether.

The same setting exists in Firefox: security.mixed_content.block_active_content = falsein about:settings.
Also: some info on the Mozilla dev Blog


(5an1ty) #10

Lol, I don’t want to fix my chrome or firefox… If everything is embedded in HTTPS, you don’t have that error…


(5an1ty) #11

Alright, thank you! This should be the case for every auto embed that allows HTTPS.


(Claus Strasburger) #12

indeed. see also: 301 Moved Permanently

oh, by the way: I meant “thanks for fixing this, neil!” :smile:


(Neil Lalonde) #13

You’re welcome! Enjoy.


(5an1ty) #14

Alright so this is fixed and if I create a new post on my forum it now embeds correctly, cheers :-)! However, how do I fix my old links? They still don’t seem to work.


(Régis Hanol) #15

You might have to rebake your posts by running: bundle exec rake posts:rebake


(5an1ty) #16

Do I have to stop bluepill etc or can I just execute this immediately?


(Régis Hanol) #17

There’s no need to stop bluepill or anything. Also, don’t forget to run it with the proper rails environment (ie. RAILS_ENV=production)


(5an1ty) #18

I followed the discourse install guide, I suppose I set up a production environment?


(Régis Hanol) #19

You certainly have. I meant for running the command line like this: RAILS_ENV=production bundle exec rake posts:rebake


(5an1ty) #22

Nevermind, the Rebake did the trick, I just had to clear my browser cache :-).