Mixed Content Blocking and Browser Changes for Secure Pages
For many years now, D2L users have been embedding content into their courses from all sorts of web resources. The Learning Environment is a secure website, and much of the external content comes from unsecured sites. Web browsers continue to evolve with how they handle this mixed content on a single page. Recent browser changes have created headaches for many people who like to use mixed content when teaching their online courses. This article below gives you the lay of the land, as of September, 2013.
For a more in-depth look at this new behaviour and how it affects D2L, read this great wiki article by Stephen Gadsby at Millersville University Understanding Mixed Content.
Also, check out the Firefox browser extension that might help you with this issue.
The Internet is Changing
Guest post by Jeff Geurts, Sr. Product Designer at Desire2Learn
Original post in the Desire2Learn Community on September 12, 2013
The internet is changing beneath us, affecting all websites and web applications equally.
In the old days, web browsers would warn or prompt a user on a secure site whenever insecure content was encountered. You might remember these as "mixed content" security warnings. Now, modern browsers are tightening up their security measures against insecure content in an otherwise secure site, refusing to render content from insecure sources embedded via frame, iframe, object, or embed tag. This is the new default behaviour, requiring users to make explicit exceptions or turn off the security measure altogether (not recommended).
Above: Firefox screenshot showing a mixed content warning indicated by a shield icon in the address bar
Here is a great blog article from Firefox with a description of the security changes, and reasons behind them: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/.
How do I know if I'm on a secure site?
Secure sites are those using a Secure Sockets Layer (SSL) that provides extra security measures for the information exchanged between your browser and the internet. These sites will use the https protocol in the address bar instead of http, and most browsers will display a lock icon nearby.
What is impacted in the Learning Suite?
If your Desire2Learn site is secured by SSL, and content in frames is pointing to non-SSL URLs, many browsers will restrict access to the linked content. This is referred to as "Mixed content blocking". These are some of the symptoms that you may see in your Learning Suite:
- Embedded media does not play in Content; accessing the same video from the Links section works
- Link Content topic does not load
- Custom widget does not load
- Embedded YouTube, Vimeo, SlideShare, etc.. widget does not load
- Custom Navbar link to an external site does not load
Which browser versions are now blocking mixed content?
These browsers are known to block non-SSL content from within SSL websites:
- Firefox 23
- Internet Explorer 10
- Chrome 30 (beta)
- Other browsers may be implementing this security feature in future as well, however Safari is currently not blocking mixed content
Most browsers are using a shield icon in (or near) the address bar to indicate when mixed content has been blocked. You can see this in the Firefox screenshot above.
What is Desire2Learn doing about it?
These security changes have been implemented at the browser-level, and are not under the direct control of Desire2Learn. Nevertheless, we are investigating this as a high-priority Usability issue, due to its serious impact to our end users.
We hope to implement features that educate content authors and warn them about mixed content detected in their material at author time, especially when using the HTML Editor or when editing a URL field in a form.
We are also investigating a way to log instances of mixed content encountered by users so that site administrators and instructors are empowered to find and address mixed content proactively.
We will post updates here as we progress toward a solution. Thank you for reading!
This post was written in collaboration with Christine Passmore and Christin Wallace.
Padlock photo shared CC-By Carlos Luz