This is a great move and has inspired me to think of how I can do this for the sites I run.

The problem I have is that I run forums which accept user generated content, and the links in the content are then parsed and embeds are put in.

For example, YouTube links have the embedded video put below the link.

YouTube support https, but a lot of smaller sites that offer really useful tools don't yet support https. An example is something like http://www.bikely.com which does not support https at all, and yet the embedded maps are common enough on the cycling forums I run.

I cannot just proxy via an https domain as these sites usually have JavaScript that requires permission to talk to their own domains.

I've decided to start emailing all of the 3rd parties to ask that they add https to their site.

Almost 40% of my traffic is now over https, and it's harder to increase that as every time I try to I receive support complaints about mixed-content warnings, missing content, etc.

If you also run a site that has embeds in user generated content, please consider emailing the 3rd parties and explaining why they should move to https.

There are only a few things holding back a lot of sites and it's no longer the cost of a cert and SSL termination:

1) Embedded widgets that are http only today

2) Advert widgets/scripts that are http only today

Those things hold the vast majority of news sites back too. I even checked the Guardian yesterday and no https available. The only news site that was https was The Verge, but I'm not sure tech news is really news.

Replacing embeds with plain hyperlinks seems like it would be better from a user privacy perspective.

Or at the very least with iframes. If you run a forum and you're allowing directly embedded content, you're trusting that content not to break your security.

I use Markdown for user content, this is passed through a Go library I wrote to strip out iframes, embeds, etc... https://github.com/microcosm-cc/bluemonday and then as a post-processing task once I trust the content, I find the links that I know how to handle (YouTube, Bikely, etc) and embed third party content in iframes.

This is basically a way to do the equivalent of Twitter cards. It respects the JavaScript and web security model, but does mean that the iframes contain http content on a page that is https.

Where I'm trying to get to is to have all iframes, etc. be https.
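The post-processing step described in the comment above, as an added example (not the commenter's code and not part of bluemonday): a link in already-sanitized content becomes an iframe only if its host is on an allowlist and framing it would not put http content on an https page; otherwise it stays a plain hyperlink. The names `EmbedFor`, `provider` and `providers`, the `sandbox` attribute, and the Bikely frame URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// provider is one third party whose links may be turned into embeds.
type provider struct {
	httpsOK bool                    // does it serve the embed over https?
	embed   func(u *url.URL) string // iframe src, or "" if the link is not embeddable
}

var videoID = regexp.MustCompile(`^[A-Za-z0-9_-]{11}$`)

// Allowlist keyed by exact host; anything else is never embedded.
var providers = map[string]provider{
	"www.youtube.com": {httpsOK: true, embed: func(u *url.URL) string {
		id := u.Query().Get("v")
		if u.Path != "/watch" || !videoID.MatchString(id) {
			return ""
		}
		return "https://www.youtube.com/embed/" + id
	}},
	// Assumption: frames the linked page itself; the thread gives no embed URL.
	"www.bikely.com": {httpsOK: false, embed: func(u *url.URL) string { return u.String() }},
}

// EmbedFor returns iframe markup for a link, or ok=false to keep the hyperlink.
func EmbedFor(link string, pageHTTPS bool) (markup string, ok bool) {
	u, err := url.Parse(link)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return "", false
	}
	p, known := providers[strings.ToLower(u.Host)]
	if !known || (pageHTTPS && !p.httpsOK) {
		return "", false // unknown host, or the embed would be mixed content
	}
	src := p.embed(u)
	if src == "" {
		return "", false
	}
	return fmt.Sprintf(`<iframe src="%s" sandbox="allow-scripts allow-same-origin"></iframe>`, html.EscapeString(src)), true
}

func main() { fmt.Println(EmbedFor("http://www.bikely.com/maps/example", true)) }
```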