Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#36274 closed enhancement (duplicate)

Youtube oEmbed handlers should be HTTPS

Reported by: tollmanz Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.9
Component: Embeds Keywords: good-first-bug
Focuses: Cc:

Description

All of the handlers for Youtube oEmbeds utilize HTTP URIs. The HTTP URIs redirect to HTTPS. The URIs should be hardcoded as HTTPS.

This is beneficial for performance (i.e., removes a costly redirect) and security (i.e., mitigates a person in the middle opportunity).

The URIs I am referring to are:

'#http://((m|www)\.)?youtube\.com/watch.*#i'          => array( 'http://www.youtube.com/oembed',                             true  ),
'#https://((m|www)\.)?youtube\.com/watch.*#i'         => array( 'http://www.youtube.com/oembed?scheme=https',                true  ),
'#http://((m|www)\.)?youtube\.com/playlist.*#i'       => array( 'http://www.youtube.com/oembed',                             true  ),
'#https://((m|www)\.)?youtube\.com/playlist.*#i'      => array( 'http://www.youtube.com/oembed?scheme=https',                true  ),
'#http://youtu\.be/.*#i'                              => array( 'http://www.youtube.com/oembed',                             true  ),
'#https://youtu\.be/.*#i'                             => array( 'http://www.youtube.com/oembed?scheme=https',                true  )

Additionally, this is a great first patch ticket.

Attachments (1)

36724.diff (2.6 KB) - added by zsusag 10 years ago.
Hardcoded all YouTube oembed links to use https instead of http.


Change History (7)

#1 @netweb
10 years ago

  • Keywords good-first-bug added
  • Version set to 2.9

#3 @Otto42
10 years ago

On the whole, I think we should default to always using https when possible. So, if an https version exists, always use it.

@zsusag
10 years ago

Hardcoded all YouTube oembed links to use https instead of http.

#5 @swissspidy
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Thanks for your patch, @thomaswm!

Since #28507 is an ongoing ticket for secure embeds, I am closing this ticket here as a duplicate. Of course the patch is perfectly fine and we can continue working on that in the other ticket.

#6 @johnbillion
9 years ago

In 38365:

Embeds: Always use the HTTPS endpoint for YouTube embeds. The scheme parameter is no longer required as all YouTube assets now use HTTPS.

See #36274, #28507
Props zsusag, tollmanz
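
Added example, not part of the ticket, the attached patch or WordPress core: a small audit that flags oEmbed endpoints fetched over plain HTTP in a provider map shaped like the one in the description, and shows the HTTPS form the changeset message describes. The function names `find_cleartext_endpoints()` and `harden_endpoint()` and the `$https_hosts` allowlist are hypothetical; the sample map is a subset of the entries quoted in the description.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

// Provider map in the ticket's format: URL pattern => array( endpoint, is_regex ).
$providers = array(
	'#http://((m|www)\.)?youtube\.com/watch.*#i'  => array( 'http://www.youtube.com/oembed', true ),
	'#https://((m|www)\.)?youtube\.com/watch.*#i' => array( 'http://www.youtube.com/oembed?scheme=https', true ),
	'#http://youtu\.be/.*#i'                      => array( 'http://www.youtube.com/oembed', true ),
	'#https://youtu\.be/.*#i'                     => array( 'http://www.youtube.com/oembed?scheme=https', true ),
);

// Assumption: hosts known to serve their oEmbed endpoint over HTTPS
// (the ticket states this for YouTube).
$https_hosts = array( 'www.youtube.com' );

/** Return pattern => endpoint for every endpoint that is not fetched over HTTPS. */
function find_cleartext_endpoints( array $providers ) {
	$findings = array();
	foreach ( $providers as $pattern => $data ) {
		$scheme = strtolower( (string) parse_url( $data[0], PHP_URL_SCHEME ) );
		if ( 'https' !== $scheme ) {
			$findings[ $pattern ] = $data[0];
		}
	}
	return $findings;
}

/** Upgrade an endpoint to HTTPS for allowlisted hosts and drop the scheme argument. */
function harden_endpoint( $endpoint, array $https_hosts ) {
	$parts = parse_url( $endpoint );
	if ( ! is_array( $parts ) || empty( $parts['host'] )
		|| ! in_array( strtolower( $parts['host'] ), $https_hosts, true ) ) {
		return $endpoint; // Unknown host or unparsable URL: leave for manual review.
	}
	$query = array();
	if ( isset( $parts['query'] ) ) {
		parse_str( $parts['query'], $query );
		unset( $query['scheme'] ); // Per the changeset message, no longer required.
	}
	$url = 'https://' . $parts['host'] . ( isset( $parts['path'] ) ? $parts['path'] : '' );
	return $query ? $url . '?' . http_build_query( $query ) : $url;
}

// Report each cleartext endpoint next to its HTTPS replacement.
foreach ( find_cleartext_endpoints( $providers ) as $pattern => $endpoint ) {
	printf( "%s\n  %s -> %s\n", $pattern, $endpoint, harden_endpoint( $endpoint, $https_hosts ) );
}
```

Endpoints on hosts outside the allowlist are reported but left unchanged, since rewriting the scheme is only safe where the provider is known to answer on HTTPS.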
