Issues with web browsers not displaying some content

=What’s the Issue?=

Firefox, Chrome, and Internet Explorer have released new versions that establish new and more restrictive rules for links, embedded items, and other web content. As a result, web browsers now decline to open or load parts (or all of) pages that used to work in the past. Web browsers now block some ‘mixed content’, which you can read more about below.

=Impact on You=

When viewing pages in VIULearn (Desire2Learn), and everywhere else for that matter, some links may not work, some videos may not play, and some activities may not work.

=What can I do about this right now?=

When viewing web pages from organizations that you trust, you can choose to allow mixed content to work by,

Chrome - When viewing a web page that contains mixed content, a small icon of a shield will appear at the right end of the address bar.


 * Click the shield.
 * Select "Load unsafe script".

Firefox - When viewing a web page that contains mixed content, a small icon of a shield will appear at the left end of the address bar.


 * Click the shield.
 * Click the "more actions" arrow.
 * Select "Disable Protection on this page".

Internet Explorer - When viewing a web page that contains mixed content, a popup will appear at the bottom of the page that says "Only secure content is displayed".


 * Click "Show all content".

Safari - Safari does not block mixed content…yet.

=Further Information for Students and Instructors=

What is mixed content?
Mixed content is non-secure web content included on a secure web page. Most content travels from web servers to web browsers (and back) over the Hyper Text Transfer Protocol (HTTP). HTTP works well for basic content, but as HTTP does not provide any protection from possible high tech eavesdroppers along the paths content takes as it crosses the Internet, HTTP isn't sufficient for online shopping, banking, or coursework.

Web servers, including VIULearn’s (Desire2Learn), that exchange more sensitive information with web browsers do so over a secure variant of the Hyper Text Transfer Protocol know as HTTPS. HTTPS uses an encryption technology known as Secure Socket Layers (SSL) to protect content as it crosses the Internet.

A secure web page, one encrypted with SSL and transferred over HTTPS, that contains some non-secure, non-encrypted items is said to be made up of mixed content, both secure and insecure.

What types of mixed content are blocked?
Browser makers started by making their web browsers block mixed active content. Mixed active content includes:


 * links
 * scripts
 * external style sheets
 * two methods of embedding items: iframes and objects

Why block mixed content?
Mixed content web pages can appear completely protected and safe to those who visit them while actually exposing every visitor to possible information theft. In the past, web browsers displayed warning messages about mixed content pages, but these messages were often dismissed by users without being read. So, in response to continued growth in the number of cases of credit card and identity theft, web browser makers decided to be more firm and block insecure items on secure web pages.

Why is VIULearn (Desire2Learn) affected?
To protect grades, student work, and faculty-created content within VIULearn (Desire2Learn), all communication between web browsers and the Desire2Learn servers is secure, made through HTTPS. A link to, or embed from, another web site though, can be secure (HTTPS) or insecure (HTTP) depending upon how the other server, the one hosting the item, has been configured.

Are systems other than VIULearn (Desire2Learn) affected?
Yes. The effects of mixed content blocking affect everything on the Internet. Web services that provide embeddable content using the insecure, HTTP method, as YouTube does, have begun seeking ways to offer that content via HTTPS so it can continue to be used.

In VIULearn (Desire2Learn), is only the Content tool affected?
No. Despite this browser change being about "mixed content", the change affects every tool within Desire2Learn.

What links in VIULearn (Desire2Learn) are blocked by web browsers now?
A link within Desire2Learn is blocked by browsers when both of the following are true for that link:


 * the link is to an insecure web site
 * the link is not set to open in a new window (or tab)

How can I tell if a link leads to a secure or an insecure web page?

 * Links that begin with "https:" go to secure sites.
 * Links that begin with "http:" go to insecure sites.

How can I set a link to open in a new window (or tab)?
When you create a new URL QuickLink, VIULearn (Desire2Learn) offers three "Open In" options for the link:


 * Whole Window
 * Same Frame
 * New Window

Choose "New Window".

Why can't I choose "Whole Window" or "Same Frame" for links to insecure (http:) web pages?
Both "Whole Window" and "Same Frame" open the insecure web page inside VIULearn (Desire2Learn's) own, secure web page. That would create a mixed content page, so web browsers block the opening of the link now.

Can I choose "Whole Window" or "Same Frame" for links to secure (https:) web pages?
Yes.

Can I change "http:" to "https:" to make my links secure?
In most cases, this will not work. Some web sites do offer their web pages over both HTTP and HTTPS though, so feel free to try it. This appears to work in many cases for YouTube content.

Be sure to test your edited link to see if it works. If it doesn't, you will need to change the link back to "http:".

What embedded items in VIULearn (Desire2Learn) are blocked by web browsers now?
An embedded item within VIULearn (Desire2Learn) is blocked by browsers when both of the following are true for that item:


 * the embedded item comes from an insecure web site
 * the embed is accomplished using:
 * an &lt;iframe&gt;
 * an &lt;object&gt; tag with a data attribute

How can I tell if the embed comes from a secure or an insecure web page?
You will need to look at the item's embed code. Within the embed code, look for URLs.


 * URLs that begin with "https:" are for secure sites.
 * URLs that begin with "http:" are for insecure sites.

Can I change "http:" URLs to "https:" URLs to make my embed codes secure?
In most cases, this will not work. Some web sites do offer their embeddable content via both HTTP and HTTPS though, so feel free to try it. For instance, this works for some YouTube videos. Please look carefully at your embed codes, as many contain multiple URLs. Be sure to edit all of them. Be sure to thoroughly test your edited embed code to see if it works. If it doesn't, you will need to change the URLs in the embed code back to "http:".

Some embed codes contain multiple sections, with each section designed for use by different web browsers. Therefore, testing an embedded item in just one or two web browsers can be insufficient to prove an edit successful.

How should I embed YouTube videos?
Do not use the "YouTube" option within Insert Stuff. The YouTube option in the left column of the Insert Stuff window creates embedded items using &lt;iframe&gt; tags. iframes are now blocked by browsers.

Instead, choose the "Enter Embed Code" option from the left column of the Insert Stuff window. This will provide you with a text box into which you may paste embed code from YouTube.

To get the embed code for a YouTube video:


 * On YouTube.com, open the page for the video you wish to embed.
 * On that page, under the video, click the "Share" tab.
 * On the Share tab, click "Embed". By default YouTube now provides an &lt;iframe&gt;-based embed code. Do not use this embed code. Instead, continue on with these instructions.
 * Under the text box that contains embed code, choose size you wish to embed.
 * Also under the text box that contains embed code, check the box for "Use old embed code".
 * If the "Use HTTPS" option is available, check that box as well.

As an instructor in one or more courses, how may I fix my content?
Please see the information above regarding links and embeds. If you require additional guidance as you update your content, please contact learnsupport@ viu.ca

Content courtesy of Millersville University in sunny Pennsylvania.