Browser icons and padlock - representing mixed content blocking on the web

Posted by & categorized under Technical, Tips & Tricks.

For many years now, D2L users have been embedding content into their courses from all sorts of web resources. The Learning Environment is a secure website, and much of the external content comes from unsecured sites. Web browsers continue to evolve with how they handle this mixed content on a single page. Recent browser changes have created headaches for many people who like to use mixed content when teaching their online courses. This article below gives you the lay of the land, as of September, 2013.

For a more in-depth look at this new behaviour and how it affects D2L, read this great wiki article by Stephen Gadsby at Millersville University Understanding Mixed Content.

Also, check out the Firefox browser extension that might help you with this issue.


The Internet is Changing

Jeff Geurts, Senior Product Designer, Desire2LearnGuest post by Jeff Geurts, Sr. Product Designer at Desire2Learn

The internet is changing beneath us, affecting all websites and web applications equally.

In the old days, web browsers would warn or prompt a user on a secure site whenever insecure content was encountered. You might remember these as “mixed content” security warnings. Now, modern browsers are tightening up their security measures against insecure content in an otherwise secure site, refusing to render content from insecure sources embedded via frame, iframe, object, or embed tag. This is the new default behaviour, requiring users to make explicit exceptions or turn off the security measure altogether (not recommended).

Screenshot of mixed content message in Firefox

Above: Firefox screenshot showing a mixed content warning indicated by a shield icon in the address bar

Here is a great blog article from Firefox with a description of the security changes, and reasons behind them: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/.

How do I know if I’m on a secure site?

Secure sites are those using a Secure Sockets Layer (SSL) that provides extra security measures for the information exchanged between your browser and the internet. These sites will use the https protocol in the address bar instead of http, and most browsers will display a lock icon nearby.

What is impacted in the Learning Suite?

If your Desire2Learn site is secured by SSL, and content in frames is pointing to non-SSL URLs, many browsers will restrict access to the linked content. This is referred to as “Mixed content blocking”. These are some of the symptoms that you may see in your Learning Suite:

  • Embedded media does not play in Content; accessing the same video from the Links section works
  • Link Content topic does not load
  • Custom widget does not load
  • Embedded YouTube, Vimeo, SlideShare, etc.. widget does not load
  • Custom Navbar link to an external site does not load

Which browser versions are now blocking mixed content?

These browsers are known to block non-SSL content from within SSL websites:

  • Firefox 23
  • Internet Explorer 10
  • Chrome 30 (beta)
  • Other browsers may be implementing this security feature in future as well, however Safari is currently not blocking mixed content

Most browsers are using a shield icon in (or near) the address bar to indicate when mixed content has been blocked. You can see this in the Firefox screenshot above.

What is Desire2Learn doing about it?

These security changes have been implemented at the browser-level, and are not under the direct control of Desire2Learn. Nevertheless, we are investigating this as a high-priority Usability issue, due to its serious impact to our end users.

We hope to implement features that educate content authors and warn them about mixed content detected in their material at author time, especially when using the HTML Editor or when editing a URL field in a form.

We are also investigating a way to log instances of mixed content encountered by users so that site administrators and instructors are empowered to find and address mixed content proactively.

Stay Tuned

We will post updates here as we progress toward a solution. Thank you for reading!

We have also created a discussion thread in the D2L Community Forums (login required).

This post was written in collaboration with Christine Passmore and Christin Wallace.


Padlock photo shared CC-By Carlos Luz

Browser icons shared freely through Icon Archive by creator Martz90

Barry Dahl

Barry Dahl began working as the Sr. Community Manager at Desire2Learn in May 2012. Barry previously served as the Vice President of Technology and Lake Superior Connect e-Campus at Lake Superior College in Duluth, MN, where he was the senior administrator in charge of online learning. He has a total of 27 years of work experience within higher education, and also milked his college student career for as long as he possibly could.
View all posts by Barry Dahl

One Comment

  1. Hi Barry/Jeff,
    we’ve been seeing this issue with our users at our institution (Nottingham Trent Uni). For Youtube content we’ve been advising users to add the ‘s’ to the ‘http’ using the code editor as a work-around to stop the content being blocked (as Youtube supprts SSL).
    We’ve noted that in SP4 for 10.2 ‘Inser Stuff’ has been tweaked to use SSL with Youtube content so it’s great to see D2L are responding quickly to these types of issue.

    Reply

Trackbacks/Pingbacks

  1.  Issue No.87: Embedded content not displaying in CloudDeakin | Learning Innovations

Leave a Reply

  • (will not be published)