From 3450a81766d955101b9ad52511dad4b1a4500d63 Mon Sep 17 00:00:00 2001
From: Ernie Park
Date: Mon, 6 Feb 2012 11:00:07 -0500
Subject: [PATCH 1/3] fix origin to add the protocol and //
---
 video_init.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/video_init.js b/video_init.js
index e3b11302df..44f759b248 100644
--- a/video_init.js
+++ b/video_init.js
@@ -9,14 +9,14 @@ if (swfobject.hasFlashPlayerVersion("10.1")){
 "ytapiplayer", "640", "385", "8", null, null, params, atts);
 } else {
- $("#html5_player").attr("src", "http://www.youtube.com/embed/" + streams["1.0"] + "?enablejsapi=1&controls=0&origin=" + document.domain);
+ //end of this URL may need &origin=http://..... once pushed to production to prevent XSS
+ $("#html5_player").attr("src", "http://www.youtube.com/embed/" + streams["1.0"] + "?enablejsapi=1&controls=0&origin=" + document.location.protocol + "//" + document.domain);
 $("#html5_player").show();
 var tag = document.createElement('script');
 tag.src = "http://www.youtube.com/player_api";
 var firstScriptTag = document.getElementsByTagName('script')[0];
 firstScriptTag.parentNode.insertBefore(tag, firstScriptTag);
- // Make sure the callback is called once API ready, YT seems to be buggy
 loadHTML5Video();
 }
From 2ff504e8816dfbcb28740cd0bd4037f1b4a9bbce Mon Sep 17 00:00:00 2001
From: Ernie Park
Date: Mon, 6 Feb 2012 11:05:29 -0500
Subject: [PATCH 2/3] try removing origin altogether from html5 video
---
 video_init.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/video_init.js b/video_init.js
index 44f759b248..03a5b040d6 100644
--- a/video_init.js
+++ b/video_init.js
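Review bot: In PATCH 1/3 the new `origin` value is built from `document.domain`, which carries no port and can be changed by page script, so on a non-default port it will not equal the page's real origin and the player's JS API may end up scoped to the wrong origin or fail to connect. Prefer `encodeURIComponent(document.location.protocol + "//" + document.location.host)`, which gives the actual scheme, host and port and is percent-encoded for use inside a query string. The added comment says the URL "may need" `&origin=` while the same line already appends it, and it describes the parameter as XSS prevention; as far as I know `origin` limits which page may drive the embedded player, so something like `// origin must equal this page's origin; YouTube uses it to scope enablejsapi messaging` would be more accurate. The `if` that this `else` branch belongs to opens above the hunk.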
@@ -10,7 +10,7 @@ if (swfobject.hasFlashPlayerVersion("10.1")){
 } else {
 //end of this URL may need &origin=http://..... once pushed to production to prevent XSS
- $("#html5_player").attr("src", "http://www.youtube.com/embed/" + streams["1.0"] + "?enablejsapi=1&controls=0&origin=" + document.location.protocol + "//" + document.domain);
+ $("#html5_player").attr("src", "http://www.youtube.com/embed/" + streams["1.0"] + "?enablejsapi=1&controls=0");
 $("#html5_player").show();
 var tag = document.createElement('script');
From 15d339ba3e2a3cac0699cd7c2f7e57b2a670e074 Mon Sep 17 00:00:00 2001
From: Ernie Park
Date: Mon, 6 Feb 2012 11:19:17 -0500
Subject: [PATCH 3/3] add document.location.protocol to src of html5 youtube video
---
 video_init.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/video_init.js b/video_init.js
index 03a5b040d6..bf1b4bf5b7 100644
--- a/video_init.js
+++ b/video_init.js
@@ -10,7 +10,7 @@ if (swfobject.hasFlashPlayerVersion("10.1")){
 } else {
 //end of this URL may need &origin=http://..... once pushed to production to prevent XSS
- $("#html5_player").attr("src", "http://www.youtube.com/embed/" + streams["1.0"] + "?enablejsapi=1&controls=0");
+ $("#html5_player").attr("src", document.location.protocol + "//www.youtube.com/embed/" + streams["1.0"] + "?enablejsapi=1&controls=0");
 $("#html5_player").show();
 var tag = document.createElement('script');
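Review bot: Dropping `origin` in PATCH 2/3 leaves `enablejsapi=1` on the embed with nothing tying the player's JS API to this page, and the only record that the parameter has to come back is the vague `//end of this URL may need &origin=…` comment kept as context. If the removal is a temporary workaround, which the subject line's "try" suggests, make that explicit with a tracked marker in place of the comment, e.g. `// TODO: restore &origin=<page origin> before production (required alongside enablejsapi=1)`. The `else` branch continues below the hunk.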
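Review bot: Prefixing the embed URL with `document.location.protocol` in PATCH 3/3 means a page served over plain HTTP still loads the player over HTTP, and a page opened from `file:` would request `file://www.youtube.com/embed/…`, which cannot load. Pinning the scheme avoids both: `$("#html5_player").attr("src", "https://www.youtube.com/embed/" + streams["1.0"] + "?enablejsapi=1&controls=0");`. The API loader just below this hunk, shown in PATCH 1/3 as `tag.src = "http://www.youtube.com/player_api";` and presumably unchanged, is still fetched over HTTP; script loaded that way can be altered in transit and is blocked as mixed content on an HTTPS page, so it should move to `https://` in the same change. `streams["1.0"]` is concatenated into the path unencoded; unless it only ever comes from a fixed list of video ids, wrap it in `encodeURIComponent`.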