Closed Bug 1223515 Opened 4 years ago Closed 4 years ago

Broken images in YouTube embedded player when not using SSL

Categories

(Core :: Security, defect)

42 Branch
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 1247733

People

(Reporter: u555207, Unassigned)

Details

(Keywords: regression, site-compat)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36

Steps to reproduce:

Create an embedded YouTube video using standard IFRAME player. Use an HTTP address for the video, instead of the SSL equivalent.


Actual results:

When playing the video many of the buttons at the bottom are missing. They can still be clicked and work as normal


Expected results:

Video buttons appear as normal. This works on version 41 and other browsers.

The screenshot shows the issue - the pointer (not visible) is where the fullscreen button should be, hence the tooltip appearing.
Component: Untriaged → Security
Product: Firefox → Core
I can reproduce the issue. The image can be served only from the HTTPS address as per CORS:

> Access-Control-Allow-Origin:"https://www.youtube.com"

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Just use HTTPS.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
I don't understand why this is resolved. Having the non-SSL links are perfectly valid and it only partials breaks the resulting video output as a result. Are you able to explain to me why you believe this is acceptable?
Reopening, because CORS is not generally required for image loading.  Kohei, can you point me to the exact testcase you used here?
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(kohei.yoshino)
Resolution: INVALID → ---
Attached file testcase
Flags: needinfo?(kohei.yoshino)
Thank you.  So if I download that (because obviously when loaded from Bugzilla the whole iframe is blocked by mixed content blocking) and then open it, I see the controls on the video just fine in both a current nightly and Firefox 42.

David, do you see the problem on Kohei's testcase if you download it?  If not, can you point to a page where you do see the problem?
Flags: needinfo?(david)
Here's an example set up on my test site...

http://artiss.co.uk/sandbox/blog/2015/11/12/youtube-ssl-firefox-demo/

Pressing the play button on the video will reproduce the issue under Firefox 42 (Mac edition for certain, but believe it affects Windows too).
Flags: needinfo?(david)
Thanks.  I tried loading that page in Firefox 42 on Mac with a clean profile.  I don't see the problem being described; all the controls paint just fine...

Just to check, do you see the problem in a clean profile also?
Flags: needinfo?(david)
No, I hadn't. Created a new one and, yes, you're right it worked. This was reported to me as I'm the developer of a popular YouTube plugin in WordPress and other users are seeing this result. Is my answer to tell them all to create a brand new profile? It seems a little extreme.

I don't use Firefox usually (sorry) and version 41 installed with a profile. When a user reported this issue I upgraded it to 42 (force upgraded by downloading and installing 42 over the top). That's been my profile usage. Could this be something to do with the upgrade process?
Flags: needinfo?(david)
Possible, but fairly unlikely.  I assume you have no extensions installed, right?

Does copying the "prefs.js" file from the non-working profile to the working one make the working one not work?  If so, would you mind attaching that "prefs.js" file to this bug report using https://bugzilla.mozilla.org/attachment.cgi?bugid=1223515&action=enter ?
I thought I'd reproduced this with the link in comment #6, but I had HTTPS Everywhere upgrading the iframe to https; disabling it caused the images to appear.  (It also works with HTTPS Everywhere enabled if I edit the iframe's src property to use https initially.)  So this might not be useful, but something I noticed: it looks like the images are inline SVG, and they're present in the DOM in all cases, but failed to render only when the iframe had been upgraded by HTTPS Everywhere.
(In reply to Boris Zbarsky [:bz] from comment #9)
> Possible, but fairly unlikely.  I assume you have no extensions installed,
> right?
> 
> Does copying the "prefs.js" file from the non-working profile to the working
> one make the working one not work?  If so, would you mind attaching that
> "prefs.js" file to this bug report using
> https://bugzilla.mozilla.org/attachment.cgi?bugid=1223515&action=enter ?

Unfortunately, I messed up by deleting the original profile. I've tried recreating the issue by wiping my setup, re-installing 41, browsing around, installing 42 over the top and... it didn't recreate. Apologies.
I've got this problem in Firefox 43.0.1 on Windows 7. However, it looks like it doesn't matter if http or https is used, with both the controls are invisible. But it seems to be site-specific.

I can see the controls just fine on Twitter (for example https://twitter.com/ImVictoriaPratt/status/693188987792576512 ) and on the news-pages of Tweakers.net (for example http://tweakers.net/geek/108123/robot-sub1-lost-rubiks-kubus-in-887-milliseconden-op.html ). But on the forum there, it's a different matter. There the controls are invisible. For example: http://gathering.tweakers.net/forum/view_message/45699521 This example uses a https link to the video.
Hmm, can't edit my reply. Just noticed the same at http://frontpage.fok.nl/nieuws/728116/1/1/100/laatste-trailer-voor-batman-v-superman.html , thought it was only at http://gathering.tweakers.net
Thanks for filing the bug. As far as I can tell, this is a duplicate of Bug 1247733.
Feel free to open if this is not correct.
Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1247733
You need to log in before you can comment on or make changes to this bug.