[wp-trac] [WordPress Trac] #44610: Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.

Mon Jan 18 10:38:58 UTC 2021

#44610: Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting
cookies.
-------------------------------------+----------------------------
 Reporter:  jepperask                |       Owner:  williampatton
     Type:  enhancement              |      Status:  assigned
 Priority:  normal                   |   Milestone:  5.7
Component:  Embeds                   |     Version:  4.9.7
 Severity:  normal                   |  Resolution:
 Keywords:  needs-testing has-patch  |     Focuses:  privacy
-------------------------------------+----------------------------

Comment (by adakaleh):

 Replying to [comment:34 xkon]:
 > if by according to the tests by @BjornW using the youtube-nocookie URL
 everything is "converted" from a cookie into LocalStorage, I'm not really
 sure what are we gaining with this change in reality?

 - youtube.com and youtube-nocookie.com store the same items in
 localStorage
 - youtube.com ''also'' stores cookies explicitly meant for tracking

 There is no conversion, youtube-nocookie simply stores less information.

 ----

 Note that localStorage is less potent than cookies when it comes to
 tracking, because localStorage data is not sent back automatically with
 each request. It has to be retrieved using JavaScript and may not even be
 sent to the server at all. Case in point:

 > a Policy content was added also in TwentyTwentyOne theme as well due to
 Dark Mode that is using LocalStorage. See
 https://github.com/WordPress/twentytwentyone/blob/trunk/classes/class-
 twenty-twenty-one-dark-mode.php#L408

 It says "No data is saved in the database or transferred". This shows why
 localStorage is more privacy-friendly than cookies. If the dark mode
 setting was saved as a cookie, the server would be made aware of it on
 each request. With localStorage, the setting is stored in the browser and
 the server doesn't learn about it.

 ----

 Google says:

 > When you turn on privacy-enhanced mode, YouTube won't store information
 about visitors on your website unless they play the video.

 Even after pressing play, this activity is not associated with your YT
 profile:

 > Privacy-enhanced mode allows you to embed YouTube videos without using
 cookies that track viewing behavior. This means that no activity is
 collected to personalize the viewing experience. Instead, video
 recommendations are contextual and related to the current video. Videos
 playing in privacy-enhanced mode won't influence the viewer's browsing
 experience on YouTube.

 Also note that some methods of tracking protection (like Firefox's level 2
 tracking block list) completely block regular YouTube iframes (for good
 reason). Default YouTube embeds don't appear at all for people who use
 such tracking protection. Youtube-nocookie fixes that.

 So we are gaining quite a bit.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44610#comment:36>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform