To ease the process of updating a moodle site from http to https (enabling ssl) we are going to develop a tool or filter to convert external embedded content (images, scripts, frames) from http to https.
We have a four options:
- Filter with manual blacklist
A filter will be run, replacing urls on every page load. Admins will need to manage a blacklist of sites that do not support SSL, so that the filter will not change them to https.
Pros: Database is left unchanged. If you later add http content, it will still work. You have more flexibility to change your site back and forth between http and https.
Cons: Slight performance hit from running on every page load - Filter with automatic blacklist
Same as above but the blacklist will be updated automatically every night by a scheduled task. It will search the database for every external embeded link and check if the site supports SSL. Any site that does not will be added to the black list.
Pros: Admins do not need to manually update blacklist
Cons: Performance impact (although it can be scheduled outside of peak times). Longer development time - Admin tool with manual blacklist
An admin tool would be available to replace the links in the database. This will only need to be run once (when the site is changed from http to https), so will not impact performance.
Pros: Cheaper performance
Cons: If you add http content after running the tool, it will not work so this option would require a warning in editors. - Admin tool with automatic blacklist
Same as above, but the tool would check what sites do and do not support SSL when it is run.
Pros: Admins do not need to manually update blacklist
Cons: Slightly slower than #3
Another consideration is whether we should include the content from sites that do not have SSL anyway (potentially releasing session information) or just not include the content at all. It is also possible this should be configured on a per-site basis.
Personally I am leaning towards option number 4 with options to either include or skip content from non-SSL sites on a per-site basis
For those interested, this has become a priority due to the impending removal of loginhttps, which is expected to cause admins to upgrade their moodle sites from authentication-only SSL to site-wide SSL. This feature will make the transition easier. You can read the discussion about loginhttps here.