Broken images in YouTube embedded player when not using SSL




3 years ago
3 years ago


(Reporter: u555207, Unassigned)


({regression, site-compat})

42 Branch
regression, site-compat

Firefox Tracking Flags

(Not tracked)



(2 attachments)



3 years ago
Created attachment 8685565 [details]
Screen Shot 2015-11-10 at 19.53.10.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36

Steps to reproduce:

Create an embedded YouTube video using standard IFRAME player. Use an HTTP address for the video, instead of the SSL equivalent.

Actual results:

When playing the video many of the buttons at the bottom are missing. They can still be clicked and work as normal

Expected results:

Video buttons appear as normal. This works on version 41 and other browsers.

The screenshot shows the issue - the pointer (not visible) is where the fullscreen button should be, hence the tooltip appearing.
Component: Untriaged → Security
Keywords: regression, site-compat
Product: Firefox → Core
I can reproduce the issue. The image can be served only from the HTTPS address as per CORS:

> Access-Control-Allow-Origin:""

Just use HTTPS.
Last Resolved: 3 years ago
Resolution: --- → INVALID

Comment 2

3 years ago
I don't understand why this is resolved. Having the non-SSL links are perfectly valid and it only partials breaks the resulting video output as a result. Are you able to explain to me why you believe this is acceptable?
Reopening, because CORS is not generally required for image loading.  Kohei, can you point me to the exact testcase you used here?
Ever confirmed: true
Flags: needinfo?(kohei.yoshino)
Resolution: INVALID → ---
Created attachment 8686454 [details]
Flags: needinfo?(kohei.yoshino)
Thank you.  So if I download that (because obviously when loaded from Bugzilla the whole iframe is blocked by mixed content blocking) and then open it, I see the controls on the video just fine in both a current nightly and Firefox 42.

David, do you see the problem on Kohei's testcase if you download it?  If not, can you point to a page where you do see the problem?
Flags: needinfo?(david)

Comment 6

3 years ago
Here's an example set up on my test site...

Pressing the play button on the video will reproduce the issue under Firefox 42 (Mac edition for certain, but believe it affects Windows too).
Flags: needinfo?(david)
Thanks.  I tried loading that page in Firefox 42 on Mac with a clean profile.  I don't see the problem being described; all the controls paint just fine...

Just to check, do you see the problem in a clean profile also?
Flags: needinfo?(david)

Comment 8

3 years ago
No, I hadn't. Created a new one and, yes, you're right it worked. This was reported to me as I'm the developer of a popular YouTube plugin in WordPress and other users are seeing this result. Is my answer to tell them all to create a brand new profile? It seems a little extreme.

I don't use Firefox usually (sorry) and version 41 installed with a profile. When a user reported this issue I upgraded it to 42 (force upgraded by downloading and installing 42 over the top). That's been my profile usage. Could this be something to do with the upgrade process?
Flags: needinfo?(david)
Possible, but fairly unlikely.  I assume you have no extensions installed, right?

Does copying the "prefs.js" file from the non-working profile to the working one make the working one not work?  If so, would you mind attaching that "prefs.js" file to this bug report using ?
I thought I'd reproduced this with the link in comment #6, but I had HTTPS Everywhere upgrading the iframe to https; disabling it caused the images to appear.  (It also works with HTTPS Everywhere enabled if I edit the iframe's src property to use https initially.)  So this might not be useful, but something I noticed: it looks like the images are inline SVG, and they're present in the DOM in all cases, but failed to render only when the iframe had been upgraded by HTTPS Everywhere.

Comment 11

3 years ago
(In reply to Boris Zbarsky [:bz] from comment #9)
> Possible, but fairly unlikely.  I assume you have no extensions installed,
> right?
> Does copying the "prefs.js" file from the non-working profile to the working
> one make the working one not work?  If so, would you mind attaching that
> "prefs.js" file to this bug report using
> ?

Unfortunately, I messed up by deleting the original profile. I've tried recreating the issue by wiping my setup, re-installing 41, browsing around, installing 42 over the top and... it didn't recreate. Apologies.

Comment 12

3 years ago
I've got this problem in Firefox 43.0.1 on Windows 7. However, it looks like it doesn't matter if http or https is used, with both the controls are invisible. But it seems to be site-specific.

I can see the controls just fine on Twitter (for example ) and on the news-pages of (for example ). But on the forum there, it's a different matter. There the controls are invisible. For example: This example uses a https link to the video.

Comment 13

3 years ago
Hmm, can't edit my reply. Just noticed the same at , thought it was only at

Comment 14

3 years ago
Thanks for filing the bug. As far as I can tell, this is a duplicate of Bug 1247733.
Feel free to open if this is not correct.
Last Resolved: 3 years ago3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1247733
You need to log in before you can comment on or make changes to this bug.