Youtube Iframe on HTTPS website

2019-03-27 07:31发布

问题:

I included an iframe pointing to a youtube video on a website using https. Although I embedded the youtube video with "https://", the video loads http-files when I click on play, rendering the browser security icon "unsafe". How do I force youtube to only load https files?

My embed HTML:

<iframe id="ytplayer" type="text/html" width="480" height="360" src="//www.youtube.com/embed/-ZUrjLs48a8" frameBorder="0" allowfullscreen></iframe>

回答1:

Add a origin parameter to your URL as explained from the Google api documentation: YouTube Player API Reference for iframe Embeds

As an extra security measure, you should also include the origin parameter to the URL, specifying the URL scheme (http:// or https://) and full domain of your host page as the parameter value. While origin is optional, including it protects against malicious third-party JavaScript being injected into your page and hijacking control of your YouTube player.

 <iframe id="player" type="text/html" width="640" height="390"
  src="http://www.youtube.com/embed/u1zgFlCw8Aw?enablejsapi=1&origin=http://example.com"
  frameborder="0"></iframe>