
mahara-contributors team mailing list archive

[Bug 1211583] Re: Mixed content blocked

 

It's true that you don't enter protocols to the URLs on the "Allowed
iframe sources" page (admin/extensions/iframesites.php).

BUT, the important bit is whether the protocols are present in:

1. The URLs that people have pasted into external content blocks
2. The embed code HTML that people have pasted into external content blocks

Actually, the way the code is currently written, we FORCE people to
include a protocol in the external content block, whether they enter a
URL or a full embed code (in which case each URL in it needs the
protocol).

We will need to do a find/replace for URLs with the wrong protocol, and
turn them to protocol-relative URLs (and update our htmlpurifier and
other code, to accept protocol-relative URLs), or to protocols with the
site's current URL. This find/replace could either be when the user
enters the data (and update all the data in existing blocks using an
update script), or it could be when we're rendering the block. I'm not
sure which approach exactly would be best, at this point.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1211583

Title:
  Mixed content blocked

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Firefox 23 has a new "mixed content blocked" security feature (see
  https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/
  for more information).

  It prohibits https sites from seeing (some) http content. For example,
  YouTube videos or SlideShare content on a http://URL is not displayed
  when the Mahara page is on https.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1211583/+subscriptions
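
The find/replace discussed in the message above, sketched as an added example (not Mahara's code and not part of the original message). The function name, the allowlist entries and the sample embed code are hypothetical; the same function could run when the block is saved or when it is rendered.

```php
<?php
// Hypothetical allowlist modelled on the "Allowed iframe sources" page:
// entries carry no protocol. Each ends in "/" so that a prefix match
// cannot be satisfied by a look-alike host such as www.youtube.com.example.
$allowed_sources = array(
    'www.youtube.com/embed/',
    'www.slideshare.net/slideshow/embed_code/',
);

// Rewrite src="http(s)://..." to src="//..." for allowed sources only.
function make_protocol_relative($html, array $allowed) {
    $pattern = '~(\bsrc\s*=\s*)(["\'])https?://([^"\']+)\2~i';
    return preg_replace_callback($pattern, function ($m) use ($allowed) {
        foreach ($allowed as $prefix) {
            if (stripos($m[3], $prefix) === 0) {
                return $m[1] . $m[2] . '//' . $m[3] . $m[2];
            }
        }
        return $m[0]; // not an allowed source: leave the attribute untouched
    }, $html);
}

// Constructed sample embed code (VIDEO_ID is a placeholder).
$embed = '<iframe src="http://www.youtube.com/embed/VIDEO_ID" width="560"></iframe>'
       . '<iframe src="http://other.example/frame"></iframe>';

echo make_protocol_relative($embed, $allowed_sources), "\n";
```

A protocol-relative URL only avoids the mixed-content block if the remote host actually serves the resource over https, so each allowed source should be checked for that before its URLs are rewritten.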