Make sure oembed items generate HTTPS links on an https-only website.

arthanson · Nov 20, 2016 · 87397cb · 87397cb
1 parent 9e0caef
commit 87397cb
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/docs/plugins/oembeditem.rst b/docs/plugins/oembeditem.rst
@@ -1,7 +1,7 @@
 .. _oembeditem:
 
 The oembeditem plugin
-===========================
+=====================
 
 The `oembeditem` plugin allows inserting an embedded online content in the page,
 such as a YouTube video, SlideShare presentation, Twitter status, Flickr photo, etc..
@@ -78,8 +78,9 @@ The following settings are available:
         (r'http://\S+.wp\.me/\S*',          'http://public-api.wordpress.com/oembed/?for=my-domain-name'),
     )
 
-    MICAWBER_EMBEDLY_KEY = ''
+    FLUENT_OEMBED_FORCE_HTTPS = False
 
+    MICAWBER_EMBEDLY_KEY = ''
 
     FLUENT_OEMBED_PROVIDER_LIST = (
         (r'https?://(www\.)?youtube\.com/watch\S*',  'http://www.youtube.com/oembed'),
@@ -114,6 +115,15 @@ The OEmbed providers in this setting will be added to the existing set that ``FL
 Each item is a tuple with the regular expression and endpoint URL.
 
 
+FLUENT_OEMBED_FORCE_HTTPS
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 1.1.9
+
+Enforce that the generated embed URLs are served over secure HTTP.
+This flag is enabled by default when :django:setting:`SECURE_SSL_REDIRECT` is set.
+
+
 MICAWBER_EMBEDLY_KEY
 ~~~~~~~~~~~~~~~~~~~~
 

diff --git a/fluent_contents/plugins/oembeditem/appsettings.py b/fluent_contents/plugins/oembeditem/appsettings.py
@@ -8,6 +8,9 @@
 # Allow to extend any source, whether it's basic/embedly/noembed/list
 FLUENT_OEMBED_EXTRA_PROVIDERS = tuple(getattr(settings, 'FLUENT_OEMBED_EXTRA_PROVIDERS', ()))
 
+# Make sure embed are https, when the site is hosted via https.
+FLUENT_OEMBED_FORCE_HTTPS = getattr(settings, 'FLUENT_OEMBED_FORCE_HTTPS', getattr(settings, 'SECURE_SSL_REDIRECT', False))
+
 # Before micawber 0.2.6 the default source was "list".
 # However, micawber contains a more up-to-date list nowadays, so it doesn't make sense to keep a list here.
 FLUENT_OEMBED_PROVIDER_LIST = getattr(settings, 'FLUENT_OEMBED_PROVIDER_LIST', ())

diff --git a/fluent_contents/plugins/oembeditem/models.py b/fluent_contents/plugins/oembeditem/models.py
@@ -6,7 +6,7 @@
 from micawber import ProviderException
 from fluent_contents.models.db import ContentItem
 from fluent_contents.plugins.oembeditem.fields import OEmbedUrlField
-from fluent_contents.plugins.oembeditem import backend
+from fluent_contents.plugins.oembeditem import backend, appsettings
 
 
 @python_2_unicode_compatible
@@ -77,6 +77,9 @@ def update_oembed_data(self, force=False, **backend_params):
 
         .. versionadded:: 1.0 Added force and backend_params parameters.
         """
+        if appsettings.FLUENT_OEMBED_FORCE_HTTPS and self.embed_url.startswith('http://'):
+            self.embed_url = 'https://' + self.embed_url[7:]
+
         if force or self._input_changed():
             # Fetch new embed code
             params = self.get_oembed_params(self.embed_url)