From 87397cb313bee2eb1128bbbdb055a068e4f14ad0 Mon Sep 17 00:00:00 2001 From: Diederik van der Boor Date: Sun, 20 Nov 2016 17:19:06 +0100 Subject: [PATCH] Make sure oembed items generate HTTPS links on an https-only website. --- docs/plugins/oembeditem.rst | 14 ++++++++++++-- fluent_contents/plugins/oembeditem/appsettings.py | 3 +++ fluent_contents/plugins/oembeditem/models.py | 5 ++++- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/plugins/oembeditem.rst b/docs/plugins/oembeditem.rst index 1143207a..602c6aa4 100644 --- a/docs/plugins/oembeditem.rst +++ b/docs/plugins/oembeditem.rst @@ -1,7 +1,7 @@ .. _oembeditem: The oembeditem plugin -=========================== +===================== The `oembeditem` plugin allows inserting an embedded online content in the page, such as a YouTube video, SlideShare presentation, Twitter status, Flickr photo, etc.. @@ -78,8 +78,9 @@ The following settings are available: (r'http://\S+.wp\.me/\S*', 'http://public-api.wordpress.com/oembed/?for=my-domain-name'), ) - MICAWBER_EMBEDLY_KEY = '' + FLUENT_OEMBED_FORCE_HTTPS = False + MICAWBER_EMBEDLY_KEY = '' FLUENT_OEMBED_PROVIDER_LIST = ( (r'https?://(www\.)?youtube\.com/watch\S*', 'http://www.youtube.com/oembed'), @@ -114,6 +115,15 @@ The OEmbed providers in this setting will be added to the existing set that ``FL Each item is a tuple with the regular expression and endpoint URL. +FLUENT_OEMBED_FORCE_HTTPS +~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 1.1.9 + +Enforce that the generated embed URLs are served over secure HTTP. +This flag is enabled by default when :django:setting:`SECURE_SSL_REDIRECT` is set. + + MICAWBER_EMBEDLY_KEY ~~~~~~~~~~~~~~~~~~~~ diff --git a/fluent_contents/plugins/oembeditem/appsettings.py b/fluent_contents/plugins/oembeditem/appsettings.py index 2af4f507..2a9758a2 100644 --- a/fluent_contents/plugins/oembeditem/appsettings.py +++ b/fluent_contents/plugins/oembeditem/appsettings.py 
@@ -8,6 +8,9 @@ # Allow to extend any source, whether it's basic/embedly/noembed/list FLUENT_OEMBED_EXTRA_PROVIDERS = tuple(getattr(settings, 'FLUENT_OEMBED_EXTRA_PROVIDERS', ())) +# Make sure embed are https, when the site is hosted via https. +FLUENT_OEMBED_FORCE_HTTPS = getattr(settings, 'FLUENT_OEMBED_FORCE_HTTPS', getattr(settings, 'SECURE_SSL_REDIRECT', False)) + # Before micawber 0.2.6 the default source was "list". # However, micawber contains a more up-to-date list nowadays, so it doesn't make sense to keep a list here. FLUENT_OEMBED_PROVIDER_LIST = getattr(settings, 'FLUENT_OEMBED_PROVIDER_LIST', ()) diff --git a/fluent_contents/plugins/oembeditem/models.py b/fluent_contents/plugins/oembeditem/models.py index 85208275..c7406a33 100644 --- a/fluent_contents/plugins/oembeditem/models.py +++ b/fluent_contents/plugins/oembeditem/models.py @@ -6,7 +6,7 @@ from micawber import ProviderException from fluent_contents.models.db import ContentItem from fluent_contents.plugins.oembeditem.fields import OEmbedUrlField -from fluent_contents.plugins.oembeditem import backend +from fluent_contents.plugins.oembeditem import backend, appsettings @python_2_unicode_compatible @@ -77,6 +77,9 @@ def update_oembed_data(self, force=False, **backend_params): .. versionadded:: 1.0 Added force and backend_params parameters. """ + if appsettings.FLUENT_OEMBED_FORCE_HTTPS and self.embed_url.startswith('http://'): + self.embed_url = 'https://' + self.embed_url[7:] + if force or self._input_changed(): # Fetch new embed code params = self.get_oembed_params(self.embed_url)
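Review bot: The fallback to `SECURE_SSL_REDIRECT` in the new `FLUENT_OEMBED_FORCE_HTTPS` line only covers sites where Django itself performs the redirect. A deployment that enforces HTTPS at a reverse proxy or load balancer usually leaves that setting at `False`, so it would keep emitting http:// embed URLs and produce mixed content unless the flag is set explicitly. I would say so in the comment above the setting, for example `# Defaults to SECURE_SSL_REDIRECT; set this explicitly when HTTPS is enforced outside Django (proxy, load balancer).` The existing comment would also read better as `# Make sure embeds use https when the site is served over https.`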
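Review bot: The added check in `update_oembed_data` rewrites only the URL that is sent to the provider, so whether the stored embed markup ends up on https depends on the provider echoing the scheme back. The response handling is outside this hunk, so this should be confirmed against the documented promise that generated embed URLs are served over secure HTTP. The rewrite also interacts with provider patterns: the docs example `r'http://\S+.wp\.me/\S*'` matches http only, so a rewritten URL would presumably no longer resolve to that provider. Finally, the scheme test is case-sensitive, so `HTTP://…` passes through unchanged; `if appsettings.FLUENT_OEMBED_FORCE_HTTPS and self.embed_url.lower().startswith('http://'):` closes that gap. The function starts before the hunk and continues after it.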