The Pilot Learning Environment is a secure website, and many external web sites linked to from the Content area in courses come from unsecured sites. Web browsers continue to evolve with how they handle this mixed content on a single page. Recent browser changes have created headaches for many people who like to use mixed content when teaching their online courses. This article below describes the issue in greater depth.
The Internet is Changing
Guest post by Jeff Geurts, Sr. Product Designer at Desire2Learn
The internet is changing beneath us, affecting all websites and web applications equally.
In the old days, web browsers would warn or prompt a user on a secure site whenever insecure content was encountered. You might remember these as “mixed content” security warnings. Now, modern browsers are tightening up their security measures against insecure content in an otherwise secure site, refusing to render content from insecure sources embedded via frame, iframe, object, or embed tag. This is the new default behavior, requiring users to make explicit exceptions or turn off the security measure altogether.
Above: Firefox screenshot showing a mixed content warning indicated by a shield icon in the address bar
Here is a great blog article from Firefox with a description of the security changes, and reasons behind them: Mixed Content Blocking Enabled in Firefox 23
How do I know if I’m on a secure site?
Secure sites are those using a Secure Sockets Layer (SSL) that provides extra security measures for the information exchanged between your browser and the internet. These sites will use the https protocol in the address bar instead of http, and most browsers will display a lock icon nearby.
What is impacted in Pilot?
Pilot is secured by SSL, so when a content item is pointing to non-SSL URLs, many browsers will restrict access to the linked content. This is referred to as “Mixed content blocking”. These are some of the symptoms that you may see in your Pilot course:
- Embedded media does not play in Content; accessing the same video from the Links section works
- Link Content topic does not load
- Custom widget does not load
- Embedded YouTube, Vimeo, SlideShare, etc.. widget does not load
- Custom Navbar link to an external site does not load
Which browser versions are now blocking mixed content?
These browsers are known to block non-SSL content from within SSL websites:
- Firefox 23
- Internet Explorer 10
- Chrome 30 (beta)
- Other browsers may be implementing this security feature in future as well, however Safari is currently not blocking mixed content
Most browsers are using a shield icon in (or near) the address bar to indicate when mixed content has been blocked. You can see this in the Firefox screenshot above.
What is Desire2Learn doing about it?
These security changes have been implemented at the browser-level, and are not under the direct control of Desire2Learn. Nevertheless, they are investigating this as a high-priority Usability issue, due to its serious impact to end users.
They hope to implement features that educate content authors and warn them about mixed content detected in their material at author time, especially when using the HTML Editor or when editing a URL field in a form.
They are also investigating a way to log instances of mixed content encountered by users so that site administrators and instructors are empowered to find and address mixed content proactively.