[wp-trac] [WordPress Trac] #44610: Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.
WordPress Trac
noreply at wordpress.org
Tue May 4 10:53:11 UTC 2021
#44610: Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting
cookies.
-------------------------------------------------+-------------------------
Reporter: jepperask                              | Owner: williampatton
Type: enhancement                                | Status: assigned
Priority: normal                                 | Milestone: Future Release
Component: Embeds                                | Version: 4.9.7
Severity: normal                                 | Resolution:
Keywords: needs-testing has-patch needs-dev-note | Focuses: privacy
-------------------------------------------------+-------------------------
Comment (by jottevanger):

100% with [comment:46 adakaleh] on this. The default must be privacy: it's
the ethical thing to do, consistent with WordPress' philosophy, but it is
also a legal requirement of GDPR that we offer users informed consent
prior to setting any privacy-relevant cookies (or other technologies). And
this is not really a question of "I as a user think this may be
inconvenient". It's one of "I as a site owner need to ensure my site is
legal". Currently site owners are being obliged to either force third
party cookies on users or depend on authors to use alternative,
long-winded means of embedding YT videos.

The embedded video really must default to the "no-cookies" version, in the
absence of either (a) some sort of hook to allow the integration of cookie
consent solutions into how any built-in embeds are rendered; or (b) a UI
for site owners or perhaps authors to manage how all or individual videos
are rendered. Personally I think that (b) is the way to go: a site-level
setting for admins to make the decision on what the default is, although
to remain on the right side of the law they would be unwise not to make
this the private version.

I understand the concerns, of course, but they may be overstated. As far
as user experience goes, you can still add a video to "Watch later" or
save it to faves: simply click the title to see the video on YouTube, at
which point you'll be logged in (if you're logged in) and can do all the
usual operations. Likewise with ad-free viewing for YouTube Premium users:
just click through to see the video as a logged-in user.

The observations from @BjornW, @adakaleh and @xkon about cookies and local
storage are really useful. I've done a bit more digging and would observe
also:

- www.youtube-nocookie.com does set a cookie, but only an essential one
  concerning consent status
- the local storage entry "yt-remote-device-id" that @adakaleh noted does
  not appear to be sent with any requests to Google/YT. I've looked in the
  post data and request headers to both and can't find anything that seems
  to correspond to this, or is persistent across videos and page loads.
- there is one header named "X-Goog-Visitor-Id", something like
  "CgthWHRxa2hqbENJSSiBk8SEBg%3D%3D", which is sent to youtube-nocookie.com
  e.g. when logging events (play data); at first glance it looks like it will
  be a persistent identifier for the user, but it is different for each
  video and for each load of the same video.

So overall I'm happy that the "no-cookies" version of YouTube probably
respects the spirit of privacy (and the law) as it claims. But we really
need the work that has been going on here for ''three years'' to come to a
conclusion and get into core, so site owners and platform hosts can do the
right thing by their users and get legal!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44610#comment:47>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
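
The manual check described in the comment above (does any request value repeat across videos and page loads, and is the local storage entry ever sent), written as an added example that is not part of the original message or of WordPress. The capture format, the function names and every sample value except the header value quoted in the message are constructed assumptions.

```python
from urllib.parse import unquote

# Constructed captures, one entry per page load (e.g. exported from the
# browser's network panel). Only the first header value is quoted from the
# message above; every other value here is made up for the example.
LOADS = [
    {"load": "video-A, load 1", "requests": [
        {"host": "www.youtube-nocookie.com", "body": '{"event":"play"}',
         "headers": {"X-Goog-Visitor-Id": "CgthWHRxa2hqbENJSSiBk8SEBg%3D%3D",
                     "Accept-Language": "en-GB"}}]},
    {"load": "video-A, load 2", "requests": [
        {"host": "www.youtube-nocookie.com", "body": '{"event":"play"}',
         "headers": {"X-Goog-Visitor-Id": "constructed-visitor-id-2",
                     "Accept-Language": "en-GB"}}]},
    {"load": "video-B, load 1", "requests": [
        {"host": "www.youtube-nocookie.com", "body": '{"event":"play"}',
         "headers": {"X-Goog-Visitor-Id": "constructed-visitor-id-3",
                     "Accept-Language": "en-GB"}}]},
]
LOCAL_STORAGE = {"yt-remote-device-id": "constructed-device-id-0001"}
IGNORED = {"accept-language", "user-agent"}  # same on every request by design


def persistent_headers(loads, ignored=IGNORED):
    """Map (header, decoded value) -> loads, for values seen in 2+ loads."""
    seen = {}
    for load in loads:
        for req in load["requests"]:
            for name, value in req["headers"].items():
                if name.lower() not in ignored:
                    seen.setdefault((name, unquote(value)), set()).add(load["load"])
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def storage_values_sent(storage, loads):
    """List (storage key, load, host) where a stored value appears in a request."""
    hits = []
    for key, value in storage.items():
        for load in loads:
            for req in load["requests"]:
                parts = list(req["headers"].values()) + [req["body"]]
                if any(value in unquote(part) for part in parts):
                    hits.append((key, load["load"], req["host"]))
    return hits


if __name__ == "__main__":
    print("repeated across loads:", persistent_headers(LOADS))
    print("local storage values sent:", storage_values_sent(LOCAL_STORAGE, LOADS))
```

Both results are empty for the sample captures, which corresponds to the outcome reported in the comment; a non-empty result names the header or storage key that needs a closer look.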