This issue is part of the series of issues encouraging sites to migrate to SSL and make their sites secure. Loginhttps does NOT make sites secure and will be removed soon (
Using the tool added in
MDL-46269 site admins can convert links to embedded content (such <img>, <video>, <audio>, <iframe>, <embed>) from http to https .
However some filters (including standard plugin filter_mediaplugin) convert links to embedded content on-the-fly. tool_httpsreplace will not pick up these links and convert them.
Filters have to make sure that they never create embedded content pointing to http:// on https site
Suggested solution (please edit later if the actual solution is different):
- When $CFG->wwwroot has https:// and the URL in question is http://
- if the URL can be substituted with https substitute it and proceed with normal filter behavior
- If it can not be substituted - leave it as a link and add a CSS class to the link, something like "non_secure_resource" (please correct) . Add a rule to show red exclamation mark and maybe a help why it is not converted. Otherwise teachers will keep asking why some links are converted and some not.
- In other cases proceed with normal filter behavior
This is where we might need a core API (with caching!) that checks if https://site.com is accessible similar to how tool_httpsreplace does it. We might need to change the code in tool_httpsreplace that calls curl::get_info() to use this API as well.