HTTPS Support for YouTube Embeds
February 9th, 2011 | Published in Youtube API
HTTPS, the secure counterpart to HTTP, wraps a layer of encryption around the information traveling between your computer and a web server. YouTube already uses HTTPS to encrypt sensitive data during the account login process. Now we’re planning a gradual expansion of HTTPS across other aspects of the site. The first place you may see HTTPS YouTube URLs is in our various embed codes, all of which currently support HTTPS in addition to the standard HTTP. Anyone can try HTTPS with YouTube embeds today—simply change the protocol portion of the URL from http to https. For example, http://www.youtube.com/embed/Zhawgd0REhA becomes https://www.youtube.com/embed/Zhawgd0REhA. This applies to URLs found in our newer embeds as well as our older-style object> + embed> codes.
If any of your existing code attempts to parse YouTube embed URLs that are entered by end-users, it’s important that you support both HTTP and HTTPS as the URL’s protocol across all the varieties of YouTube embed codes.
Most web browsers will warn users when they access web pages via HTTPS that contain embedded content loaded via HTTP. If your main site is currently accessed via HTTPS, using the new HTTPS URLs for your YouTube embeds will prevent your users from running into that warning. If your site can be accessed either via HTTP or HTTPS, you could employ protocol-relative URLs instead of hardcoding a value; //www.youtube.com/ will automatically resolve to HTTP or HTTPS depending on the protocol used by the host page.
It’s very important to note that this is just a first step in enabling HTTPS for the entire YouTube viewing experience. In particular, only the YouTube player code is accessible via HTTPS at this time. The actual video bitstream, and some additional content loaded by the YouTube player may still be accessed via standard HTTP connections when you use an HTTPS URL in your embed code. Also note that HTTPS remains optional for YouTube embeds; we have no plans to turn off support for the HTTP URLs.
If you have any comments or questions about this change, please let us know in the YouTube API developer’s forum.
Cheers,
–Jeff Posnick, YouTube API Team