WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 43 hours ago

#44610 assigned enhancement

Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.

Reported by: jepperask Owned by: williampatton
Milestone: Future Release Priority: normal
Severity: normal Version: 4.9.7
Component: Embeds Keywords: needs-testing has-patch needs-dev-note
Focuses: privacy Cc:

Description

The file "wp-includes/class-wp-customize-manager.php" includes a function "_validate_external_header_video( $validity, $value )". The regex used in this function is incomplete, as some URLs are invalidated in the customizer. What is interesting is that the regex used in "wp-includes/js/wp-custom-header.js" (which actually sets the YouTube video) is different and validates e.g. the youtube-nocookie.com URLs, which I think more people will need due to GDPR.

In the javascript file, it actually quotes a stackoverflow regex found at: http://stackoverflow.com/a/27728417

Proposal:

Update the regex in "wp-includes/class-wp-customize-manager.php" (line 5664) to match the one used in "wp-includes/js/wp-custom-header.js" (line 379).

Change History (55)

#1 @jepperask
3 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#2 @jepperask
3 years ago

Closed as it seems the JS-file needs more work, even if the URL is validated with e.g. a youtube-nocookie.com URL.

#3 @netweb
3 years ago

  • Milestone Awaiting Review deleted

#4 @jepperask
3 years ago

  • Keywords needs-testing 2nd-opinion needs-unit-tests added
  • Resolution invalid deleted
  • Status changed from closed to reopened

I've done some more digging and made it show the no-cookie version, however autoplay does not seem consistent.
I'm new to this part of WordPress - can I submit a pull-request for review and input from others somewhere?

My changes are simply updating the regex (PHP) and adding an argument to the YT.Player initialization (JS). Resolving the 'host' argument is a bit clumsy, so I'd appreciate if someone would take over.

Otherwise here comes a description of my changes:
wp-includes/class-wp-customize-manager.php:5664 - change function to:

public function _validate_external_header_video( $validity, $value ) {
        $video = esc_url_raw( $value );
        if ( $video ) {
                // youtu.be is a host of its own, so it is an alternative to the two .com hosts rather than a path under them.
                if ( ! preg_match( '#^https?://(?:www\.)?(?:(?:youtube|youtube-nocookie)\.com/(?:watch|embed)|youtu\.be/)#', $video ) ) {
                        $validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) );
                }
        }
        return $validity;
}

wp-includes/theme.php:1402 - change line to:

if ( preg_match( '#^https?://(?:www\.)?(?:(?:youtube|youtube-nocookie)\.com/(?:watch|embed)|youtu\.be/)#', $video_url ) ) {

wp-includes/js/wp-custom-header.js:394 - add "host" argument to YT.Player settings dictionary:

host: location.protocol + this.settings.videoUrl.indexOf("youtube-nocookie") !== -1 ? "//www.youtube-nocookie.com" : "//www.youtube.com",

Also I should note that my original ticket description is a bit off. The JS-regex does not validate anything, it simply retrieves the ID of the Youtube URL.

Last edited 3 years ago by jepperask (previous) (diff)

#5 @jepperask
3 years ago

  • Summary changed from Update regex used for YouTube videos in class-wp-customize-manager.php::_validate_external_header_video() to Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.

#6 @jepperask
3 years ago

  • Keywords has-patch added

#7 @birgire
3 years ago

  • Focuses privacy added

Welcome to WordPress Core Trac @jepperask

The scope of the ticket seems to be the YouTube url in the Header Media of the Customizer.

Here's some info on YouTube's Privacy Enhanced Mode:

Privacy Enhanced Mode allows you to embed YouTube videos without using cookies to track viewing
behavior. This means viewing activity isn’t collected to personalize the viewing experience. Instead,
video recommendations are contextual and related to the currently played video. Videos playing in a
Privacy Enhanced Mode embedded player won’t influence the viewer's browsing experience on YouTube.

(The Privacy Enhanced Mode only relates to tracking of viewer behavior, not ads-serving behavior.
To disable tracking for advertising purposes, you can add yourself to the Tag for Child-Directed
Treatment page.)

Note:

If the viewer clicks or taps out of the embed and is redirected to another website or app, 
that website or app may track the viewer’s behavior as per that website’s or app’s policies and terms.
Privacy Enhanced Mode is currently available only for embedded players on websites. Developers will
have to wrap the Privacy Enhanced Mode player into a web-view instance in order to use it in apps.
To use Privacy Enhanced Mode, change the domain for the embed URL in your HTML from 
https://www.youtube.com to https://www.youtube-nocookie.com as shown in the following example:

Before
<iframe width="1440" height="762" 
src="https://www.youtube.com/embed/7cjVj1ZyzyE"
frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

After
<iframe width="1440" height="762" src="https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE"
frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

Since this is a different domain, network administrators also need to add the domain 
youtube-nocookie.com to their firewall whitelist in addition to youtube.com.


https://support.google.com/youtube/answer/171780?hl=en

---

This seems to be the supported format:

https://www.youtube-nocookie.com/embed/{ID}

I tested various versions (with browser and curl) that did not work:

---

If supporting the Privacy Enhanced Mode is the way to go, should the:

https://www.youtube-nocookie.com/embed/{ID}

be the only supported format for the youtube-nocookie.com urls ?

#8 @birgire
3 years ago

ps: we could also note that it's currently not supported to embed

https://www.youtube-nocookie.com/embed/{ID}

e.g. in the post content and in the Video widget, while

https://www.youtube.com/embed/{ID}

is supported.

#9 @jepperask
3 years ago

Thank you for the feedback. It appears I was missing some parentheses in the javascript code:

host: location.protocol + ((this.settings.videoUrl.indexOf("youtube-nocookie") !== -1) ? "//www.youtube-nocookie.com" : "//www.youtube.com"),

Using my changes to the code, I successfully got it to play the following URLs (TwentySeventeen setting the Header Media on a fresh install):
http://youtube-nocookie.com/embed/sRrqF8eXs38
http://www.youtube-nocookie.com/embed/sRrqF8eXs38
https://www.youtube-nocookie.com/embed/sRrqF8eXs38
https://www.youtube-nocookie.com/watch/?v=sRrqF8eXs38

I'll test more if needed. If you inspect the JS-file, you will find that the Regex is extracting the video-ID, and regardless of what the original URL was, it will appropriately set the URL to:

(http|https)://(youtube|youtube-nocookie).com/embed/{ID}

Schema is set to location.protocol, as I was unable to set the host argument with https when called from my localhost (http).

Last edited 3 years ago by jepperask (previous) (diff)
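
Added example (not part of the ticket and not WordPress core code): the two `host` expressions from comments 4 and 9 next to a resolver that parses the URL and matches the hostname exactly before choosing the player host. All function and constant names are hypothetical, and the 11-character video ID pattern is an assumption based on the sample URLs in this ticket.

```javascript
// Added example, not WordPress core code; all names here are hypothetical.

// Exact hostnames accepted as input, mapped to the host the player should load from.
const PLAYER_HOSTS = new Map([
  ['youtube.com', 'www.youtube.com'],
  ['www.youtube.com', 'www.youtube.com'],
  ['youtu.be', 'www.youtube.com'],
  ['youtube-nocookie.com', 'www.youtube-nocookie.com'],
  ['www.youtube-nocookie.com', 'www.youtube-nocookie.com'],
]);

// Assumption: video IDs are 11 characters from [A-Za-z0-9_-], as in the ticket's sample URLs.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// The expression from comment 4: `+` binds tighter than `!==`, so the comparison is
// ("<protocol><index>" !== -1), which is always true, and the protocol is never prepended.
function hostWithoutParens(protocol, videoUrl) {
  return protocol + videoUrl.indexOf('youtube-nocookie') !== -1
    ? '//www.youtube-nocookie.com'
    : '//www.youtube.com';
}

// The corrected expression from comment 9: the precedence is right, but it is still a
// substring test over the whole URL, so text in the path or query string can select the host.
function hostBySubstring(protocol, videoUrl) {
  return protocol + (videoUrl.indexOf('youtube-nocookie') !== -1
    ? '//www.youtube-nocookie.com'
    : '//www.youtube.com');
}

// Parse the URL, match the hostname exactly, then extract and validate the video ID.
// Returns null for anything that is not a recognised YouTube URL.
function resolvePlayer(videoUrl, protocol = 'https:') {
  let url;
  try {
    url = new URL(videoUrl);
  } catch (err) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;

  const playerHost = PLAYER_HOSTS.get(url.hostname);
  if (!playerHost) return null;

  const segments = url.pathname.split('/').filter(Boolean);
  let id = null;
  if (url.hostname === 'youtu.be') id = segments[0];
  else if (segments[0] === 'embed') id = segments[1];
  else if (segments[0] === 'watch') id = url.searchParams.get('v');
  if (!id || !VIDEO_ID.test(id)) return null;

  return {
    host: `${protocol}//${playerHost}`,
    id,
    embedUrl: `${protocol}//${playerHost}/embed/${id}`,
  };
}
```
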

#10 @jepperask
3 years ago

The embedded HTML in posts appears to originate from https://www.youtube.com/oembed. Regardless of whether it is a youtube.com or youtube-nocookie.com URL we're trying to embed, the returned HTML is an iframe with src set to a youtube.com URL.

Unless we can find information on how to query youtube-oembed for a youtube-nocookie.com URL as src in the iframe, I believe our only choice is to string-replace the src. I have successfully embedded a youtube-nocookie.com video this way, without any cookies being set.

#11 @swissspidy
2 years ago

  • Component changed from Customize to Embeds
  • Keywords needs-patch added; 2nd-opinion needs-unit-tests has-patch removed
  • Milestone set to 5.1

#12 @pento
2 years ago

  • Milestone changed from 5.1 to Future Release

This needs testing and a decision.

This ticket was mentioned in Slack in #core by jeroenrotty. View the logs.


2 years ago

#14 follow-up: @williampatton
19 months ago

  • Keywords has-patch added; needs-patch removed
  • Owner set to williampatton
  • Status changed from reopened to assigned

I'm gonna pick this one up as I'd like to see some movement on it. I'll do some testing on the patch when I am able.

@jepperask thank you for providing the initial patches for this approach. On a scan it seems like an ok way to handle it, do we need those changes to the packages.lock file though to make this happen?

#15 @ChriCo
17 months ago

What's the state of this Issue? No movement in 7 weeks now. :)

#16 in reply to: ↑ 14 @jepperask
17 months ago

Replying to williampatton:

I'm gonna pick this one up as I'd like to see some movement on it. I'll do some testing on the patch when I am able.

@jepperask thank you for providing the initial patches for this approach. On a scan it seems like an ok way to handle it, do we need those changes to the packages.lock file though to make this happen?

No, feel free to change/remove anything. :-P

#17 @TimothyBlynJacobs
13 months ago

#49800 was marked as a duplicate.

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse. View the logs.


13 months ago

#19 @paapst
13 months ago

Not sure that the YouTube-Nocookie solution actually helps with GDPR compliance. I know that @rogierlankhorst has written an article about it a while ago: https://complianz.io/youtube-and-the-gdpr-how-to-embed-youtube-on-your-site/ The user apparently still gets YouTube cookies as soon as they hit the play button.

#20 follow-up: @RogierLankhorst
13 months ago

@paapst is correct: the no-cookie solution is called the "delayed cookie option" by Google, it's not a "no cookie" solution. Because the user does not explicitly consent to cookies when the video is started, this is not GDPR compliant.

#21 @utrenkner
12 months ago

@paapst and @RogierLankhorst Even though it is not GDPR compliant, it is a much better solution in terms of privacy. When users just open the webpage with the embedded video, no YouTube cookies are set. Only when they click to play are YouTube cookies set.

I would love to see this in WordPress. I recommended the nocookie-URL to a client of mine, but was surprised that WordPress did not yet support the embedding of the nocookie-URL. I tried fixing this myself before I found out how many files need changes. And before I found this ticket...

Would be happy to test a patch!

#22 in reply to: ↑ 20 ; follow-up: @BjornW
8 months ago

Replying to RogierLankhorst:

@paapst is correct: the no-cookie solution is called the "delayed cookie option" by Google, it's not a "no cookie" solution. Because the user does not explicitly consent to cookies when the video is started, this is not GDPR compliant.

I've been testing youtube-nocookie using Firefox in Incognito mode (see the attached screenshots). So far it did not add cookies.

However it did add data to local storage (screenshot) and to session storage (screenshot) before playing the movie.

After pressing play on the movie it added more data to local storage (screenshot). It did not add data to other storage as far as Firefox devtools tells me.

Is local storage considered a cookie by (GDPR or any related) law? Technically there are differences between them, but in practice I'd consider them more or less the same.

Based on my results I have a few questions:

  • youtube-nocookie does not add cookies (yet it does use local storage), should this be used by default instead of youtube with cookies?
  • Is local storage considered a cookie by (GDPR or any related) law?
  • What is Google storing in local storage data?
  • Should we consider the data stored in local storage as potentially privacy invasive (and is this relevant for WordPress Core)?
  • Does WordPress adhere to GDPR (and any related) laws with the current Youtube embed solution or not?
Last edited 8 months ago by BjornW (previous) (diff)

This ticket was mentioned in PR #630 on WordPress/wordpress-develop by adakaleh.


7 months ago

Modify YouTube's oEmbed response to use youtube-nocookie.com instead of youtube.com in the iframe's src. This enhances visitors' privacy.

Trac ticket: https://core.trac.wordpress.org/ticket/44610.

Props jepperask, birgire, BjornW.

#24 in reply to: ↑ 22 @adakaleh
7 months ago

Replying to BjornW:

  • What is Google storing in local storage data?

What sticks out to me is yt-remote-device-id. It is stored before pressing play and contains a UUID which expires after one year. It looks similar to a tracking cookie, but it doesn't get sent back automatically with each request. Instead it has to be retrieved using JavaScript. I presume it's only sent to Google when the video is played.

Even so, using youtube-nocookie is a significant win for privacy. Google claims:

When you turn on privacy-enhanced mode, YouTube won't store information about visitors on your website unless they play the video.

WordPress is very widely used, so having this on by default would make a big difference.

If YouTube's oEmbed endpoint would support the dnt (Do Not Track) parameter (see https://core.trac.wordpress.org/changeset/41345), youtube-nocookie would already be the default in WordPress. But, since YouTube ignores DNT, we need to add some code to modify YouTube's oEmbed response. I just created a pull request for this, please check if it's ok: https://github.com/WordPress/wordpress-develop/pull/630. I tested it locally, it works well for me.

#25 @garrett-eclipse
7 months ago

  • Milestone changed from Future Release to 5.7

Thanks @adakaleh that's awesome, the PR looks good. Made one minor comment about sentence case in comments. Let's see if we can get some eyes on this and land it in 5.7.

#26 @BjornW
7 months ago

@adakaleh I agree, having WordPress use the DNT version is indeed a great step forward privacy-wise. Although I'm still having my doubts about Google and their claims. I've looked at your PR, nice and clean :) I hope a core-committer will merge this as soon as possible. Thanks!

#27 @adakaleh
7 months ago

Thanks! I amended the comment.

#28 @garrett-eclipse
7 months ago

Thanks @adakaleh appreciate the refresh there. Going to leave in testing for a bit to get eyes on it but feel this is looking great and barring anything uncovered feel it's good to go.

This ticket was mentioned in Slack in #core by lukecarbis. View the logs.


4 months ago

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


4 months ago

#31 follow-up: @hellofromTonya
4 months ago

Please provide more information to help testers manually test the patch (including at Test Scrubs):

  • What are the steps to test?
  • Are there any testing dependencies, such as a plugin or script?
  • What is the expected behavior after applying the patch?

Let us know too if there's any specific test data everyone should be providing from their tests, such as screenshots, results, etc.

#32 @hellofromTonya
4 months ago

  • Keywords needs-testing-info added

#33 in reply to: ↑ 31 ; follow-up: @adakaleh
4 months ago

It's pretty straightforward:

  1. Apply the patch from https://github.com/WordPress/wordpress-develop/pull/630
  2. Create a new post.
  3. Paste in a YouTube video URL. Ex: https://www.youtube.com/watch?v=90WD_ats6eE
  4. Open the HTML inspector and search "https://www.youtube-nocookie.com/". You should see that the newly added iframe's "src" attribute starts with "https://www.youtube-nocookie.com/". Ex: https://www.youtube-nocookie.com/embed/90WD_ats6eE?feature=oembed

If it doesn't work like I described above, let me know.
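
Added example (not the code from PR #630 and not WordPress core code): the src rewrite described in comments 10 and 24, checked against the expected result from the test steps above. It rewrites only an iframe `src` that starts with the exact YouTube embed prefix, and contrasts that with a blanket string replacement. The oEmbed response is a constructed sample and all names are hypothetical.

```javascript
// Added example, not the code from PR #630; names are hypothetical.

const YT_EMBED = 'https://www.youtube.com/embed/';
const NOCOOKIE_EMBED = 'https://www.youtube-nocookie.com/embed/';

// First src attribute of an <iframe> tag: group 1 = text up to the quote, 2 = quote, 3 = URL.
const IFRAME_SRC = /(<iframe\b[^>]*?\ssrc\s*=\s*)(["'])(.*?)\2/i;

// Constructed sample shaped like an oEmbed "video" response; values are illustrative.
const SAMPLE_OEMBED = {
  type: 'video',
  provider_name: 'YouTube',
  html: '<iframe title="Talk recorded for youtube.com viewers" width="500" height="281" ' +
        'src="https://www.youtube.com/embed/90WD_ats6eE?feature=oembed" ' +
        'frameborder="0" allowfullscreen></iframe>',
};

// Blanket string replacement: rewrites every occurrence, including attribute text
// that merely mentions the domain.
function naiveRewrite(html) {
  return html.split('youtube.com').join('youtube-nocookie.com');
}

// Return the iframe's src value, or null when the markup has no iframe src.
function iframeSrc(html) {
  const m = IFRAME_SRC.exec(html);
  return m ? m[3] : null;
}

// Rewrite only the iframe src, and only when it starts with the exact embed prefix.
// Anything else (other providers, non-video responses) is returned unchanged, and
// running it on already rewritten markup changes nothing.
function useNoCookie(oembed) {
  if (!oembed || oembed.type !== 'video' || typeof oembed.html !== 'string') return oembed;
  const html = oembed.html.replace(IFRAME_SRC, (match, head, quote, src) =>
    src.startsWith(YT_EMBED)
      ? head + quote + NOCOOKIE_EMBED + src.slice(YT_EMBED.length) + quote
      : match);
  return { ...oembed, html };
}
```
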

#34 follow-up: @xkon
4 months ago

Thanks for the work here @adakaleh and all the valuable comments from everyone else!

To answer @BjornW in short, yes LocalStorage is to be considered an equal of a Cookie and should be communicated with the user. The directives basically apply to any "tracking", it's not just "cookies", that's a misconception since a cookie is the most common way. So even though technically a different approach, practically it's just about the same.

This is also why a Policy content was added also in TwentyTwentyOne theme as well due to Dark Mode that is using LocalStorage. See https://github.com/WordPress/twentytwentyone/blob/trunk/classes/class-twenty-twenty-one-dark-mode.php#L408 (I'll cc @aristath here also in case he has to add anything) .

That being said, if by according to the tests by @BjornW using the youtube-nocookie URL everything is "converted" from a cookie into LocalStorage, I'm not really sure what are we gaining with this change in reality?

I'm not saying no to the change, I'm just trying to understand what would the actual difference be :).

#35 @hellofromTonya
4 months ago

  • Keywords needs-testing-info removed

#36 in reply to: ↑ 34 @adakaleh
4 months ago

Replying to xkon:

if by according to the tests by @BjornW using the youtube-nocookie URL everything is "converted" from a cookie into LocalStorage, I'm not really sure what are we gaining with this change in reality?

  • youtube.com and youtube-nocookie.com store the same items in localStorage
  • youtube.com also stores cookies explicitly meant for tracking

There is no conversion, youtube-nocookie simply stores less information.


Note that localStorage is less potent than cookies when it comes to tracking, because localStorage data is not sent back automatically with each request. It has to be retrieved using JavaScript and may not even be sent to the server at all. Case in point:

a Policy content was added also in TwentyTwentyOne theme as well due to Dark Mode that is using LocalStorage. See https://github.com/WordPress/twentytwentyone/blob/trunk/classes/class-twenty-twenty-one-dark-mode.php#L408

It says "No data is saved in the database or transferred". This shows why localStorage is more privacy-friendly than cookies. If the dark mode setting was saved as a cookie, the server would be made aware of it on each request. With localStorage, the setting is stored in the browser and the server doesn't learn about it.


Google says:

When you turn on privacy-enhanced mode, YouTube won't store information about visitors on your website unless they play the video.

Even after pressing play, this activity is not associated with your YT profile:

Privacy-enhanced mode allows you to embed YouTube videos without using cookies that track viewing behavior. This means that no activity is collected to personalize the viewing experience. Instead, video recommendations are contextual and related to the current video. Videos playing in privacy-enhanced mode won't influence the viewer's browsing experience on YouTube.

Also note that some methods of tracking protection (like Firefox's level 2 tracking block list) completely block regular YouTube iframes (for good reason). Default YouTube embeds don't appear at all for people who use such tracking protection. Youtube-nocookie fixes that.

So we are gaining quite a bit.

This ticket was mentioned in Slack in #core by hellofromtonya. View the logs.


3 months ago

#38 in reply to: ↑ 33 @francina
3 months ago

Tested following steps in comment 33. It works as expected.

#39 follow-up: @johnbillion
3 months ago

To clarify, the intention of this change is to switch the domain name for all YouTube embeds from youtube.com to youtube-nocookie.com. The result is that no cookies are set by YouTube until the visitor interacts with the video, for example by playing it.

Some questions:

  • Does this have any side effects for the player? For example, are there preferences I can set on YouTube that carry over to embedded videos that will no longer be respected?
  • Do controls such as "watch later" still work as expected?
  • Does this affect the video analytics in any way? For example, the Vimeo embed in core is currently a problem for content producers on Vimeo because all analytics are disabled due to the dnt parameter (see #46986). Could a similar thing affect YouTube videos embedded using this different domain name?
  • This will cause breakage for sites that use a content security policy that allows youtube.com but aren't aware of youtube-nocookie.com.
  • What else might break with a change of domain name here?

#40 @johnbillion
3 months ago

  • Keywords needs-dev-note added

#41 in reply to: ↑ 39 @adakaleh
3 months ago

Replying to johnbillion:

To clarify, the intention of this change is to switch the domain name for all YouTube embeds from youtube.com to youtube-nocookie.com.

The intention is to change the default. Users can still embed youtube.com iframes by editing the page's code - as they must do now in order to use youtube-nocookie.com.

The result is that no cookies are set by YouTube until the visitor interacts with the video, for example by playing it.

No cookies are set even after playing it.

Does this have any side effects for the player? For example, are there preferences I can set on YouTube that carry over to embedded videos that will no longer be respected?

Yes, that's kind of the point: there are no identifiers to associate the embed with your YT account, therefore it can't load any preferences from your YT account. The video won't appear in your account's history either.

To compare youtube and youtube-nocookie embeds, just open (for example) these links:
https://www.youtube.com/embed/LxLECbf0nOA
https://www.youtube-nocookie.com/embed/LxLECbf0nOA

Do controls such as "watch later" still work as expected?

"Watch later" and "Share" are replaced by "Copy link". "Watch later" is not available because the embed is not connected to your Google/YT account.

Does this affect the video analytics in any way?

I suspect not, because youtube-nocookie sends a telemetry request to https://www.youtube-nocookie.com/api/stats/ with a bunch of information, such as details about the browser.

Even if it does affect analytics, so far this hasn't caused WordPress to exempt Vimeo from DoNotTrack. For consistency, this shouldn't exempt YouTube either.

This will cause breakage for sites that use a content security policy that allows youtube.com but aren't aware of youtube-nocookie.com.

True. The release announcement should instruct site owners on how to adjust the CSP.

What else might break with a change of domain name here?

Nothing else comes to mind. Feature-Policy is not affected, as youtube iframes have their own.
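
Added example (not part of the ticket and not WordPress code): a check a site owner could run against their own Content-Security-Policy header to see whether it would block the youtube-nocookie.com iframe, the breakage raised in comment 39. The source matcher is a simplified subset of CSP matching (no 'self', nonces or hashes, HTTPS page assumed); the policies are constructed samples and all names are hypothetical.

```javascript
// Added example, not WordPress code; names are hypothetical and the matcher is a simplified
// subset of CSP source matching (no 'self', nonces or hashes; the page is assumed to be HTTPS).

// Split a Content-Security-Policy header value into directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  return directives;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const HOST_SOURCE = /^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/;

// Does one source expression permit the given target URL (a URL object)?
function sourceAllows(source, target) {
  if (source === '*') return target.protocol in DEFAULT_PORT;
  if (source.startsWith("'")) return false;          // 'none', 'self', nonces, hashes
  if (/^[A-Za-z][A-Za-z0-9+.-]*:$/.test(source)) {   // scheme-source such as https:
    return source.toLowerCase() === target.protocol;
  }
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== target.protocol) return false;

  const pattern = host.toLowerCase();
  const hostOk = pattern.startsWith('*.')
    ? target.hostname.endsWith(pattern.slice(1))     // *.example.com covers subdomains only
    : target.hostname === pattern;
  if (!hostOk) return false;

  const targetPort = target.port || DEFAULT_PORT[target.protocol];
  const portOk = port ? (port === '*' || port === targetPort) : target.port === '';
  if (!portOk) return false;

  if (path) {
    return path.endsWith('/') ? target.pathname.startsWith(path) : target.pathname === path;
  }
  return true;
}

// frame-src governs iframes; when absent the browser falls back to child-src, then default-src.
function framingAllowed(cspHeader, embedUrl) {
  const directives = parseCsp(cspHeader);
  const governing = ['frame-src', 'child-src', 'default-src'].find((d) => directives.has(d));
  if (!governing) return { directive: null, allowed: true }; // nothing restricts frames
  const target = new URL(embedUrl);
  const allowed = directives.get(governing).some((s) => sourceAllows(s, target));
  return { directive: governing, allowed };
}

// Constructed sample policies.
const POLICIES = {
  youtubeOnly: "default-src 'self'; frame-src https://www.youtube.com; img-src *",
  wildcard: "default-src 'self'; frame-src https://*.youtube.com",
  defaultOnly: "default-src 'self' https://www.youtube.com",
  adjusted: "default-src 'self'; frame-src https://www.youtube.com https://www.youtube-nocookie.com",
};

// Names of the sample policies that would block the given embed URL.
function blockedPolicies(embedUrl) {
  return Object.keys(POLICIES).filter((name) => !framingAllowed(POLICIES[name], embedUrl).allowed);
}
```
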

This ticket was mentioned in Slack in #core by hellofromtonya. View the logs.


3 months ago

#43 @TimothyBlynJacobs
3 months ago

Is there a friendly way for an end user to get the no cookies embed URL instead of the regular embed URL? I'm not sure if this should change all YouTube embeds to use the no cookie version as there is a loss of functionality. Another one not mentioned, is I believe this also in-effect kills ad-free viewing if you have a YouTube Premium account.

#44 follow-up: @johnbillion
3 months ago

  • Milestone changed from 5.7 to Future Release

Agreed, I was under the impression this would be an optional way to embed (eg. by pasting a youtube-nocookie URL) rather than replacing the default embed. This is why I was asking about the functional changes to the player.

As much as I dislike being tracked around the internet, not being able to add a video to my Watch Later list is more of an annoyance.

I think we need to re-assess this change. I anticipate a large number of complaints in the forums if the default embed endpoint changes.

#45 @xkon
3 months ago

If the idea is to change everything into a youtube-nocookie by default and changing back to youtube needs manual edits or extra steps, I'm not comfortable with that even as a privacy maintainer as forcing things isn't the way to go in these cases imho.

It's up to the site owners (or editors etc) to select if they want youtube vs youtube-nocookie and then a different discussion starts, but practically it's their choice and we have to respect that.

Optimally there should be an option for example when youtube urls are identified with maybe a UI (simple input option) asking if they want to convert it to a youtube-nocookie. Or simply offer an extra youtube-nocookie embed. We can't force it though in my opinion.

The 'default' choice of users, whether we like it or not still is youtube.com I guess, so that should stay as the default behavior also.

Just my 2c.

Last edited 3 months ago by xkon (previous) (diff)

#46 in reply to: ↑ 44 ; follow-up: @adakaleh
3 months ago

Replying to xkon:

forcing things isn't the way to go

At the moment WordPress "forces" youtube.com embeds. There is no way around it: WordPress must have a default. WordPress currently defaults to surveillance.

Replying to johnbillion:

As much as I dislike being tracked around the internet, not being able to add a video to my Watch Later list is more of an annoyance.

Seriously? You can bookmark the link and... watch it later.

The extent to which we've been conditioned to undervalue our privacy never ceases to amaze me. This is why we're sliding into dystopia.

I agree that there are a few problems with changing the default:

  • the CSP issue
  • some people will complain about slight loss in functionality

Companies that want to track people are always going to make it hard for us to choose privacy. We have a duty to push back and reverse this: the least private option should be the hardest to choose.

Replying to xkon:

The 'default' choice of users, whether we like it or not still is youtube.com

That is Google's choice. Most users go along with the default without understanding what it entails. It's the responsibility of developers like us to choose an ethical default.

Alas, we have a disagreement about the value of privacy. In that case...

Replying to johnbillion:

I was under the impression this would be an optional way to embed (eg. by pasting a youtube-nocookie URL)

I'll prepare a pull request to do just that. It will be an adaptation of @jepperask's code.

Replying to xkon:

Optimally there should be an option for example when youtube urls are identified with maybe a UI (simple input option) asking if they want to convert it to a youtube-nocookie. Or simply offer an extra youtube-nocookie embed.

Indeed, something like this would be better, but I'm not familiar enough with WordPress's codebase to implement it. Would be great if someone did.

#47 in reply to: ↑ 46 @jottevanger
43 hours ago

100% with adakaleh on this. The default must be privacy: it's the ethical thing to do, consistent with WordPress' philosophy, but it is also a legal requirement of GDPR that we offer users informed consent prior to setting any privacy-relevant cookies (or other technologies). And this is not really a question of "I as a user think this may be inconvenient". It's one of "I as a site owner need to ensure my site is legal". Currently site owners are being obliged to either force third party cookies on users or depend on authors to use alternative, long-winded means of embedding YT videos.

The embedded video really must default to the "no-cookies" version, in the absence of either (a) some sort of hook to allow the integration of cookie consent solutions into how any built-in embeds are rendered; or (b) a UI for site owners or perhaps authors to manage how all or individual videos are rendered. Personally I think that (b) is the way to go: a site-level setting for admins to make the decision on what the default is, although to remain on the right side of the law they would be unwise not to make this the private version.

I understand the concerns, of course, but they may be overstated. As far as user experience goes, you can still add a video to "Watch later" or save it to faves: simply click the title to see the video on YouTube, at which point you'll be logged in (if you're logged in) and can do all the usual operations. Likewise with ad-free viewing for YouTube Premium users: just click through to see the video as a logged-in user.

The observations from @BjornW, @adakaleh and @xkon about cookies and local storage are really useful. I've done a bit more digging and would observe also:

  • www.youtube-nocookie.com does set a cookie, but only an essential one concerning consent status
  • the local storage entry "yt-remote-device-id" that @adakaleh noted does not appear to be sent with any requests to Google/YT. I've looked in the post data and request headers to both and can't find anything that seems to correspond to this, or is persistent across videos and page loads.
  • there is one header named "X-Goog-Visitor-Id", something like "CgthWHRxa2hqbENJSSiBk8SEBg%3D%3D", which is sent to youtube-nocookies.com e.g. when logging events (play data); at first glance looks like it will be a persistent identifier for the user, but it is different for each video and for each load of the same video.

So overall I'm happy that the "no-cookies" version of YouTube probably respects the spirit of privacy (and the law) as it claims. But we really need the work that has been going on here for three years to come to a conclusion and get into core, so site owners and platform hosts can do the right thing by their users and get legal!
