Shortcode plugin mixed-content warning on pages served over TLS
I’m serving a self-hosted network over TLS (https). I’m running Jetpack version 2.5 on WordPress 3.7.1. I’m having trouble embedding the soundcloud player using the Jetpack shortcode plugin. It seems the plugin isn’t requesting the embedded player securely, causing a mixed-content warning to be displayed in modern browsers, and preventing the embedded resource from being loaded.
If I include the iframe code from soundcloud in my post directly, the player appears correctly.
Post content:
<iframe width="100%" height="166" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/119453276"></iframe>
Page source:
<p><iframe width="100%" height="166" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/119453276"></iframe><br />
If I try to use a soundcloud shortcode, I get a mixed content warning in Firefox and the player doesn’t appear in the post.
Post content:
[soundcloud url="https://api.soundcloud.com/tracks/119453276" width="100%" height="166" iframe="true" /]
Page source:
<iframe width="100%" height="166" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player?url=https%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F119453276"></iframe></p>
Spot the difference? The latter is trying to fetch the iframe src over http, not https! The shortcode plugin isn’t respecting the scheme used to access the page. That means at least Firefox will block the content from being loaded by default.
I’ve proven it would work if the plugin were sensitive to the scheme of the page. I used a post-processing rule on my webserver to re-write all occurrences of https://w.soundcloud.com as https://w.soundcloud.com in the output HTML. When I did this, the player appeared correctly in posts using the shortcode.
Would it be possible for the authors of this plugin to modify it to load soundcloud resources securely when the page scheme is HTTPS?
The work-around is to embed the iframe code directly into posts for now.
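An added example, not part of the original post or of Jetpack's code: a check that scans rendered HTML for subresources that a page served over HTTPS would request over plain HTTP, which is the condition the post describes. The page URL `https://blog.example/post/`, the `cdn.example` host and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads of these are blocked by browsers ("active" mixed content).
ACTIVE = {"iframe", "script", "object", "embed"}
# Insecure loads of these are usually shown with a warning or upgraded.
PASSIVE = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "data")  # <object> carries its URL in "data"


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Resolve relative and protocol-relative ("//host/...") URLs
            # against the page URL, as the browser does.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                kind = "active" if tag in ACTIVE else "passive"
                self.findings.append((kind, tag, resolved))


def find_mixed_content(page_url, html):
    """Return insecure subresource references found in html."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample: one http iframe (the failing case), one https iframe,
# a protocol-relative image, an http image and a relative script.
SAMPLE = """
<p><iframe src="http://w.soundcloud.com/player?url=https%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F119453276"></iframe></p>
<iframe src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/119453276"></iframe>
<img src="//cdn.example/a.png"><img src="http://cdn.example/b.png">
<script src="/js/app.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://blog.example/post/", SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the final HTML the server sends rather than the post content, since the shortcode is expanded at render time.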