Replace http with https in DefaultPlayerUiController #860

ArcherEmiya05 · 2022-06-13T17:37:36Z

The library uses HTTP not HTTPS

Serkali-sudo · 2022-09-12T17:21:36Z

That is not really a security issue because:

That code is click listener of YouTube button that opens that video on YouTube app or web,And this button only exists on custom design and it doesn't matter because library is using webui as default.Heres original code : DefaultPlayerUiController.kt#97
The library doesn't connect to that link to play video,It uses IFrame Player API which connects to https://www.youtube.com/iframe_api, Heres html page that player is loading : ayp_youtube_player.html
Most of phone has YouTube app installed so even this button sends you to http link it will open on youtube app by default anyways but lets say that phone doesnt have youtube app or it is not default, even then youtube itself will automatically redirect https version of site.

PierfrancescoSoffritti · 2022-09-13T07:51:49Z

I agree this is not a security issue.

I'll rename the issue to keep it as a reminder to replace http with https in the next release.
Thanks @Serkali-sudo for taking a look :)

PierfrancescoSoffritti changed the title ~~Security issue with HTTP~~ Replace http with https in DefaultPlayerUiController Sep 13, 2022

PierfrancescoSoffritti added the enhancement label Sep 13, 2022

PierfrancescoSoffritti added a commit that referenced this issue Mar 25, 2023

Use https when opening YouTube link. Fixes #860

725e7fb

PierfrancescoSoffritti closed this as completed Mar 25, 2023

Provide feedback