Make WordPress Core

Opened 6 years ago

Last modified 3 months ago

#44610 assigned enhancement

Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.

Reported by: jepperask's profile jepperask Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.9.7
Component: Embeds Keywords: needs-testing has-patch
Focuses: privacy Cc:

Description

The file "wp-includes/class-wp-customize-manager.php" includes a function "_validate_external_header_video( $validity, $value )". The regex used in this function is incomplete, as some urls are invalidated in the customizer. What is interesting is that the regex used in "wp-includes/js/wp-custom-header.js" (which actually sets the youtube video), is different and validates e.g the youtube-nocookie.com URLs, that I think more people will need due to GDPR.

In the javascript file, it actually quotes a stackoverflow regex found at: http://stackoverflow.com/a/27728417

Proposal:

Update the regex in "wp-includes/class-wp-customize-manager.php" (line 5664) to match the one used in "wp-includes/js/wp-custom-header.js" (line 379).

Change History (80)

#1 @jepperask
6 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#2 @jepperask
6 years ago

Closed as it seems the JS-file needs more work, even if the URL is validated with e.g a youtube-nocookie.com URL.

#3 @netweb
6 years ago

  • Milestone Awaiting Review deleted

#4 @jepperask
6 years ago

  • Keywords needs-testing 2nd-opinion needs-unit-tests added
  • Resolution invalid deleted
  • Status changed from closed to reopened

I've done some more digging and made it show the no-cookie version, however autoplay does not seem consistant.
I'm new to this part of Wordpress - can i submit a pull-request for review and input from others somewhere?

My changes are simply updating the regex (PHP) and adding an argument to the YT.Player initialization (JS). Resolving the 'host' argument is a bit clumsy, so I'd appreciate if someone would take over.

Otherwise here comes a description of my changes:
wp-includes/class-wp-customize-manager.php:5664 - change function to:

public function _validate_external_header_video( $validity, $value ) {
        $video = esc_url_raw( $value );
        if ( $video ) {
                if ( ! preg_match( '#^https?://(?:www\.)?(youtube|youtube-nocookie)\.com/(watch|embed|youtu\.be/)#', $video ) ) {
                        $validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) );
                }
        }
        return $validity;
}

wp-includes/theme.php:1402 - change line to:

if ( preg_match( '#^https?://(?:www\.)?(youtube|youtube-nocookie)\.com/(watch|embed|youtu\.be/)#', $video_url ) ) {

wp-includes/js/wp-custom-header.js:394 - add "host" argument to YT.Player settings dictionary:

host: location.protocol + this.settings.videoUrl.indexOf("youtube-nocookie") !== -1 ? "//www.youtube-nocookie.com" : "//www.youtube.com",

Also I should note that my original ticket description is a bit off. The JS-regex does not validate anything, it simply retrieves the ID of the Youtube URL.

Last edited 6 years ago by jepperask (previous) (diff)

#5 @jepperask
6 years ago

  • Summary changed from Update regex used for YouTube videos in class-wp-customize-manager.php::_validate_external_header_video() to Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.

#6 @jepperask
6 years ago

  • Keywords has-patch added

#7 @birgire
6 years ago

  • Focuses privacy added

Welcome to WordPress Core Trac @jepperask

The scope of the ticket seems to be the YouTube url in the Header Media of the Customizer.

Here's some info on YouTube's Privacy Enhanced Mode:

Privacy Enhanced Mode allows you to embed YouTube videos without using cookies to track viewing
behavior. This means viewing activity isn’t collected to personalize the viewing experience. Instead,
video recommendations are contextual and related to the currently played video. Videos playing in a
Privacy Enhanced Mode embedded player won’t influence the viewer's browsing experience on YouTube.

(The Privacy Enhanced Mode only relates to tracking of viewer behavior, not ads-serving behavior.
To disable tracking for advertising purposes, you can add yourself to the Tag for Child-Directed
Treatment page.)

Note:

If the viewer clicks or taps out of the embed and is redirected to another website or app, 
that website or app may track the viewer’s behavior as per that website’s or app’s policies and terms.
Privacy Enhanced Mode is currently available only for embedded players on websites. Developers will
have to wrap the Privacy Enhanced Mode player into a web-view instance in order to use it in apps.
To use Privacy Enhanced Mode, change the domain for the embed URL in your HTML from 
https://www.youtube.com to https://www.youtube-nocookie.com as shown in the following example:

Before
<iframe width="1440" height="762" 
src="https://www.youtube.com/embed/7cjVj1ZyzyE"
frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

After
<iframe width="1440" height="762" src="https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE"
frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

Since this is a different domain, network administrators also need to add the domain 
youtube-nocookie.com to their firewall whitelist in addition to youtube.com.


https://support.google.com/youtube/answer/171780?hl=en

---

This seems to be the supported format:

https://www.youtube-nocookie.com/embed/{ID}

I tested various versions (with browser and curl) that did not work:

---

If supporting the Privacy Enhanced Mode is the way to go, should the:

https://www.youtube-nocookie.com/embed/{ID}

be the only supported format for the youtube-nocookie.com urls ?

#8 @birgire
6 years ago

ps: we could also note that it's currently not supported to embed

https://www.youtube-nocookie.com/embed/{ID}

e.g. in the post content and in the Video widget, while

https://www.youtube.com/embed/{ID}

is supported.

#9 @jepperask
6 years ago

Thank you for the feedback. It appears I was missing some parentheses in the javascript code:

host: location.protocol + ((this.settings.videoUrl.indexOf("youtube-nocookie") !== -1) ? "//www.youtube-nocookie.com" : "//www.youtube.com"),

Using my changes to the code, I succesfully got it to play the following URLs (TwentySeventeen setting the Header Media on a fresh install):
http://youtube-nocookie.com/embed/sRrqF8eXs38
http://www.youtube-nocookie.com/embed/sRrqF8eXs38
https://www.youtube-nocookie.com/embed/sRrqF8eXs38
https://www.youtube-nocookie.com/watch/?v=sRrqF8eXs38

I'll test more if needed. If you inspect the JS-file, you will find that the Regex is extracting the video-ID, and regardless of what the original URL was, it will appropriately set the URL to:

(http|https)://(youtube|youtube-nocookie).com/embed/{ID}

Schema is set to location.protocol, as I was unable to set the host argument with https when called from my localhost (http).

Last edited 6 years ago by jepperask (previous) (diff)

@jepperask
6 years ago

#10 @jepperask
6 years ago

The embedded HTML in posts appears to origin from https://www.youtube.com/oembed. Regardless of whether it is a youtube.com or youtube-nocookie.com URL we're trying to embed, the returned HTML is an iframe with src set to a youtube.com URL.

Unless we can find information on how to query youtube-oembed for a youtube-nocookie.com URL as src in the iframe, I believe our only choice is to string-replace the src. I have succesfully embedded a youtube-nocookie.com video this way, without any cookies being set.

@jepperask
6 years ago

#11 @swissspidy
6 years ago

  • Component changed from Customize to Embeds
  • Keywords needs-patch added; 2nd-opinion needs-unit-tests has-patch removed
  • Milestone set to 5.1

#12 @pento
6 years ago

  • Milestone changed from 5.1 to Future Release

This needs testing and a decision.

This ticket was mentioned in Slack in #core by jeroenrotty. View the logs.


6 years ago

#14 follow-up: @williampatton
5 years ago

  • Keywords has-patch added; needs-patch removed
  • Owner set to williampatton
  • Status changed from reopened to assigned

I'm gonna pick this one up as I'd like to see some movement on it. I'll do some testing on the patch when I am able.

@jepperask thank you for providing the initial patches for this approach. On a scan it seems like an ok way to handle it, do we need those changes to the packages.lock file though to make this happen?

#15 @ChriCo
5 years ago

What's the state of this Issue? No movement in 7 weeks now. :)

#16 in reply to: ↑ 14 @jepperask
5 years ago

Replying to williampatton:

I'm gonna pick this one up as I'd like to see some movement on it. I'll do some testing on the patch when I am able.

@jepperask thank you for providing the initial patches for this approach. On a scan it seems like an ok way to handle it, do we need those changes to the packages.lock file though to make this happen?

No, feel free to change/remove anything. :-P

#17 @TimothyBlynJacobs
5 years ago

#49800 was marked as a duplicate.

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse. View the logs.


5 years ago

#19 @paapst
5 years ago

Not sure that the YouTube-Nocookie solution actually helps with GDPR compliance. I know that @rogierlankhorst has written an article about it a while ago : https://complianz.io/youtube-and-the-gdpr-how-to-embed-youtube-on-your-site/ The user apparently still gets YouTube cookies as soon as they hit the play button.

#20 follow-up: @RogierLankhorst
5 years ago

@paapst is correct: the no-cookie solution is called the "delayed cookie option" by Google, it's not a "no cookie" solution. Because the user does not explicitly consent to cookies when the video is started, this is not GDPR compliant.

#21 @utrenkner
5 years ago

@paapst and @RogierLankhorst Even though it is not GDPR compliant, it is a much better solution in terms of privacy. When users just open the webpage with the embedded video, no YouTube cookies are set. Only when click to play, are YouTube-cookies set.

I would love to see this in WordPress. I recommended the nocookie-URL to a client of mine, but was surprised that WordPress did not yet support the embedding of the nocookie-URL. I tried fixing this, myself, before I found out how many files need changes. And before I found this ticket...

Would be happy to test a patch!

#22 in reply to: ↑ 20 ; follow-up: @BjornW
4 years ago

Replying to RogierLankhorst:

@paapst is correct: the no-cookie solution is called the "delayed cookie option" by Google, it's not a "no cookie" solution. Because the user does not explicitly consent to cookies when the video is started, this is not GDPR compliant.

I've been testing youtube-nocookie using Firefox in Incognito mode (see the attached screenshots). So far it did not add cookies.

However it did add data to local storage (screenshot) and to session storage (screenshot) before playing the movie.

After pressing play on the movie it added more data to local storage (screenshot). It did not data to other storage as far as Firefox devtools tells me.

Is local storage considered a cookie by (GDPR or any related) law? Technically there are differences between them, but in practice I'd consider them more or less the same.

Based on my results I have a few questions:

  • youtube-nocookie does not add cookies (yet it does use local storage), should this be used by default instead of youtube with cookies?
  • Is local storage considered a cookie by (GDPR or any related) law?
  • What is Google storing in local storage data?
  • Should we consider the data stored in local storage as potentially privacy invasive (and is this relevant for WordPress Core)?
  • Does WordPress adhere to GDPR (and any related) laws with the current Youtube embed solution or not?
Last edited 4 years ago by BjornW (previous) (diff)

This ticket was mentioned in PR #630 on WordPress/wordpress-develop by adakaleh.


4 years ago
#23

Modify YouTube's oEmbed response to use youtube-nocookie.com instead of youtube.com in the iframe's src. This enhances visitors' privacy.

Trac ticket: https://core.trac.wordpress.org/ticket/44610.

Props jepperask, birgire, BjornW.

#24 in reply to: ↑ 22 @adakaleh
4 years ago

Replying to BjornW:

  • What is Google storing in local storage data?

What sticks out to me is yt-remote-device-id. It is stored before pressing play and contains a UUID which expires after one year. It looks similar to a tracking cookie, but it doesn't get sent back automatically with each request. Instead it has to be retrieved using JavaScript. I presume it's only sent to Google when the video is played.

Even so, using youtube-nocookie is a significant win for privacy. Google claims:

When you turn on privacy-enhanced mode, YouTube won't store information about visitors on your website unless they play the video.

WordPress is very widely used, so having this on by default would make a big difference.

If YouTube's oEmbed endpoint would support the dnt (Do Not Track) parameter (see https://core.trac.wordpress.org/changeset/41345), youtube-nocookie would already be the default in WordPress. But, since YouTube ignores DNT, we need to add some code to modify YouTube's oEmbed response. I just created a pull request for this, please check if it's ok: https://github.com/WordPress/wordpress-develop/pull/630. I tested it locally, it works well for me.

#25 @garrett-eclipse
4 years ago

  • Milestone changed from Future Release to 5.7

Thanks @adakaleh that's awesome, the PR looks good. Made one minor comment about sentence case in comments. Let's see if we can get some eyes on this and land it in 5.7.

#26 @BjornW
4 years ago

@adakaleh I agree, having WordPress use the DNT version is indeed a great step forward privacy-wise. Although I'm still having my doubts about Google and their claims. I've looked at your PR, nice and clean :) I hope a core-committer will merge this as soon as possible. Thanks!

#27 @adakaleh
4 years ago

Thanks! I amended the comment.

#28 @garrett-eclipse
4 years ago

Thanks @adakaleh appreciate the refresh there. Going to leave in testing for a bit to get eyes on it but feel this is looking great and barring anything uncovered feel it's good to go.

This ticket was mentioned in Slack in #core by lukecarbis. View the logs.


4 years ago

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


4 years ago

#31 follow-up: @hellofromTonya
4 years ago

Please provide need more information to help testers manually test the patch (including at Test Scrubs):

  • What are the steps to test?
  • Are there any testing dependencies, such as a plugin or script?
  • What is the expected behavior after applying the patch?

Let us know too if there's any specific test data everyone should be providing from their tests, such as screenshots, results, etc.

#32 @hellofromTonya
4 years ago

  • Keywords needs-testing-info added

#33 in reply to: ↑ 31 ; follow-up: @adakaleh
4 years ago

It's pretty straightforward:

  1. Apply the patch from https://github.com/WordPress/wordpress-develop/pull/630
  2. Create a new post.
  3. Paste in a YouTube video URL. Ex: https://www.youtube.com/watch?v=90WD_ats6eE
  4. Open the HTML inspector and search "https://www.youtube-nocookie.com/". You should see that the newly added iframe's "src" attribute starts with "https://www.youtube-nocookie.com/". Ex: https://www.youtube-nocookie.com/embed/90WD_ats6eE?feature=oembed

If it doesn't work like I described above, let me know.

#34 follow-up: @xkon
4 years ago

Thanks for the work here @adakaleh and all the valuable comments from everyone else!

To answer @BjornW in short, yes LocalStorage is to be considered an equal of a Cookie and should be communicated with the user. The directives basically apply into any "tracking" it's not just "cookies", that's a misconception since a cookie is the most common way. So even though technically a different approach, practically it's just about the same.

This is also why a Policy content was added also in TwentyTwentyOne theme as well due to Dark Mode that is using LocalStorage. See https://github.com/WordPress/twentytwentyone/blob/trunk/classes/class-twenty-twenty-one-dark-mode.php#L408 (I'll cc @aristath here also in case he has to add anything) .

That being said, if by according to the tests by @BjornW using the youtube-nocookie URL everything is "converted" from a cookie into LocalStorage, I'm not really sure what are we gaining with this change in reality?

I'm not saying no to the change, I'm just trying to understand what would the actual difference be :).

#35 @hellofromTonya
4 years ago

  • Keywords needs-testing-info removed

#36 in reply to: ↑ 34 @adakaleh
4 years ago

Replying to xkon:

if by according to the tests by @BjornW using the youtube-nocookie URL everything is "converted" from a cookie into LocalStorage, I'm not really sure what are we gaining with this change in reality?

  • youtube.com and youtube-nocookie.com store the same items in localStorage
  • youtube.com also stores cookies explicitly meant for tracking

There is no conversion, youtube-nocookie simply stores less information.


Note that localStorage is less potent than cookies when it comes to tracking, because localStorage data is not sent back automatically with each request. It has to be retrieved using JavaScript and may not even be sent to the server at all. Case in point:

a Policy content was added also in TwentyTwentyOne theme as well due to Dark Mode that is using LocalStorage. See https://github.com/WordPress/twentytwentyone/blob/trunk/classes/class-twenty-twenty-one-dark-mode.php#L408

It says "No data is saved in the database or transferred". This shows why localStorage is more privacy-friendly than cookies. If the dark mode setting was saved as a cookie, the server would be made aware of it on each request. With localStorage, the setting is stored in the browser and the server doesn't learn about it.


Google says:

When you turn on privacy-enhanced mode, YouTube won't store information about visitors on your website unless they play the video.

Even after pressing play, this activity is not associated with your YT profile:

Privacy-enhanced mode allows you to embed YouTube videos without using cookies that track viewing behavior. This means that no activity is collected to personalize the viewing experience. Instead, video recommendations are contextual and related to the current video. Videos playing in privacy-enhanced mode won't influence the viewer's browsing experience on YouTube.

Also note that some methods of tracking protection (like Firefox's level 2 tracking block list) completely block regular YouTube iframes (for good reason). Default YouTube embeds don't appear at all for people who use such tracking protection. Youtube-nocookie fixes that.

So we are gaining quite a bit.

This ticket was mentioned in Slack in #core by hellofromtonya. View the logs.


4 years ago

#38 in reply to: ↑ 33 @francina
4 years ago

Tested following steps in comment 33. It works as expected.

#39 follow-up: @johnbillion
4 years ago

To clarify, the intention of this change is to switch the domain name for all YouTube embeds from youtube.com to youtube-nocookie.com. The result is that no cookies are set by YouTube until the visitor interacts with the video, for example by playing it.

Some questions:

  • Does this have any side effects for the player? For example, are there preferences I can set on YouTube that carry over to embedded videos that will no longer be respected?
  • Do controls such as "watch later" still work as expected?
  • Does this affect the video analytics in any way? For example, the Vimeo embed in core is currently a problem for content producers on Vimeo because all analytics are disabled due to the dnt parameter (see #46986). Could a similar thing affect YouTube videos embedded using this different domain name?
  • This will cause breakage for sites that use a content security policy that allows youtube.com but aren't aware of youtube-nocookie.com.
  • What else might break with a change of domain name here?

#40 @johnbillion
4 years ago

  • Keywords needs-dev-note added

#41 in reply to: ↑ 39 @adakaleh
4 years ago

Replying to johnbillion:

To clarify, the intention of this change is to switch the domain name for all YouTube embeds from youtube.com to youtube-nocookie.com.

The intention is to change the default. Users can still embed youtube.com iframes by editing the page's code - as they must do now in order to use youtube-nocookie.com.

The result is that no cookies are set by YouTube until the visitor interacts with the video, for example by playing it.

No cookies are set even after playing it.

Does this have any side effects for the player? For example, are there preferences I can set on YouTube that carry over to embedded videos that will no longer be respected?

Yes, that's kind of the point: there are no identifiers to associate the embed with your YT account, therefore it can't load any preferences from your YT account. The video won't appear in your account's history either.

To compare youtube and youtube-nocookie embeds, just open (for example) these links:
https://www.youtube.com/embed/LxLECbf0nOA
https://www.youtube-nocookie.com/embed/LxLECbf0nOA

Do controls such as "watch later" still work as expected?

"Watch later" and "Share" are replaced by "Copy link". "Watch later" is not available because the embed is not connected to your Google/YT account.

Does this affect the video analytics in any way?

I suspect not, because youtube-nocookie sends a telemetry request to https://www.youtube-nocookie.com/api/stats/ with a bunch of information, such as details about the browser.

Even if it does affect analytics, so far this hasn't caused WordPress to exempt Vimeo from DoNotTrack. For consistency, this shouldn't exempt YouTube either.

This will cause breakage for sites that use a content security policy that allows youtube.com but aren't aware of youtube-nocookie.com.

True. The release announcement should instruct site owners on how to adjust the CSP.

What else might break with a change of domain name here?

Nothing else comes to mind. Feature-Policy is not affected, as youtube iframes have their own.

This ticket was mentioned in Slack in #core by hellofromtonya. View the logs.


4 years ago

#43 @TimothyBlynJacobs
4 years ago

Is there a friendly way for an end user to get the no cookies embed URL instead of the regular embed URL? I'm not sure if this should change all YouTube embeds to use the no cookie version as there is a loss of functionality. Another one not mentioned, is I believe this also in-effect kills ad-free viewing if you have a YouTube Premium account.

#44 follow-up: @johnbillion
4 years ago

  • Milestone changed from 5.7 to Future Release

Agreed, I was under the impression this would be an optional way to embed (eg. by pasting a youtube-nocookie URL) rather than replacing the default embed. This is why I was asking about the functional changes to the player.

As much as I dislike being tracked around the internet, not being able to add a video to my Watch Later list is more of an annoyance.

I think we need to re-assess this change. I anticipate a large number of complaints in the forums if the default embed endpoint changes.

#45 @xkon
4 years ago

If the idea is to change everything into a youtube-nocookie by default and changing back to youtube needs manual edits or extra steps, I'm not comfortable with that even as a privacy maintainer as forcing things isn't the way to go in these cases imho.

It's up to the site owners (or editors etc) to select if they want youtube vs youtube-nocookie and then a different discussion starts, but practically it's their choice and we have to respect that.

Optimally there should be an option for example when youtube urls are identified with maybe a UI (simple input option) asking if they want to convert it to a youtube-nocookie. Or simply offer an extra youtube-nocookie embed. We can't force it though in my opinion.

The 'default' choice of users, whether we like it or not still is youtube.com I guess, so that should stay as the default behavior also.

Just my 2c.

Last edited 4 years ago by xkon (previous) (diff)

#46 in reply to: ↑ 44 ; follow-up: @adakaleh
4 years ago

Replying to xkon:

forcing things isn't the way to go

At the moment WordPress "forces" youtube.com embeds. There is no way around it: Wordpress must have a default. Wordpress currently defaults to surveillance.

Replying to johnbillion:

As much as I dislike being tracked around the internet, not being able to add a video to my Watch Later list is more of an annoyance.

Seriously? You can bookmark the link and... watch it later.

The extent to which we've been conditioned to undervalue our privacy never ceases to amaze me. This is why we're sliding into dystopia.

I agree that there are a few problems with changing the default:

  • the CSP issue
  • some people will complain about slight loss in functionality

Companies that want to track people are always going to make it hard for us to choose privacy. We have a duty to push back and reverse this: the least private option should be the hardest to choose.

Replying to xkon:

The 'default' choice of users, whether we like it or not still is youtube.com

That is Google's choice. Most users go along with the default without understanding what it entails. It's the resposiblity of developers like us to choose an ethical default.

Alas, we have a disagreement about the value of privacy. In that case...

Replying to johnbillion:

I was under the impression this would be an optional way to embed (eg. by pasting a youtube-nocookie URL)

I'll prepare a pull request to do just that. It will be an adaptation of @jepperask's code.

Replying to xkon:

Optimally there should be an option for example when youtube urls are identified with maybe a UI (simple input option) asking if they want to convert it to a youtube-nocookie. Or simply offer an extra youtube-nocookie embed.

Indeed, something like this would be better, but I'm not familiar enough with WordPress's codebase to implement it. Would be great if someone did.

#47 in reply to: ↑ 46 @jottevanger
4 years ago

100% with adakaleh on this. The default must be privacy: it's the ethical thing to do, consistent with WordPress' philosophy, but it is also a legal requirement of GDPR that we offer users informed consent prior to setting any privacy-relevant cookies (or other technologies). And this is not really a question of "I as a user think this may be inconvenient". It's one of "I as a site owner need to ensure my site is legal". Currently site owners are being obliged to either force third party cookies on users or depend on authors to use alternative, long-winded means of embedding YT videos.

The embedded video really must default to the "no-cookies" version, in the absence of either (a) some sort of hook to allow the integration of cookie consent solutions into how any built-in embeds are rendered; or (b) a UI for site owners or perhaps authors to manage how all or individual videos are rendered. Personally I think that (b) is the way to go: a site-level setting for admins to make the decision on what the default is, although to remain on the right side of the law they would be unwise not to make this the private version.

I understand the concerns, of course, but they may be overstated. As far as user experience goes, you can still add a video to "Watch later" or save it to faves: simply click the title to see the video on YouTube, at which point you'll be logged in (if you're logged in) and can do all the usual operations. Likewise with ad-free viewing for YouTube Premium users: just click through to see the video as a logged-in user.

The observations from @BjornW, @adakaleh and @xkon about cookies and local storage are really useful. I've done a bit more digging and would observe also:

  • www.youtube-nocookie.com does set a cookie, but only an essential one concerning consent status
  • the local storage entry "yt-remote-device-id" that @adakaleh noted does not appear to be sent with any requests to Google/YT. I've looked in the post data and request headers to both and can't find anything that seems to correspond to this, or is persistent across videos and page loads.
  • there is one header named "X-Goog-Visitor-Id", something like "CgthWHRxa2hqbENJSSiBk8SEBg%3D%3D", which is sent to youtube-nocookies.com e.g. when logging events (play data); at first glance looks like it will be a persistent identifier for the user, but it is different for each video and for each load of the same video.

So overall I'm happy that the "no-cookies" version of YouTube probably respects the spirit of privacy (and the law) as it claims. But we really need the work that has been going on here for three years to come to a conclusion and get into core, so site owners and platform hosts can do the right thing by their users and get legal!

#48 @BjornW
4 years ago

Hi @johnbillion considering your questions, are these answered or are you missing something? What would be needed to make this change towards a more privacy friendly WordPress happen? I'm asking you since you seem to be the last developer with commit access responding in this thread ;)

#49 follow-ups: @johnbillion
3 years ago

  • Keywords close added

As a site visitor I value my privacy and don't wish to be tracked bu YouTube around the web, but I also value the convenience of using features in the player that are present because I'm logged in, such as ad-free viewing, being able to save videos to a watch later list, and utilising viewing history. These concerns shouldn't be discounted just because an individual can use external tools to approximate this functionality.

If a UI to select between youtube and youtube-nocookie is added to the post editor at the point where an embed occurs then this places a decision burden on the site owner, when the decision to be tracked or not is one for the visitor themselves to make.

I'm honestly not sure how to proceed with this. I think this is something that cannot be fixed.

#50 in reply to: ↑ 49 @BjornW
3 years ago

Replying to johnbillion:

Thanks for your comment. I respectfully disagree. I think this is an issue we can & should fix.

A visitor is not responsible for a site and thus (sadly?) has no say in this at all, sorry. A site owner however is responsible for their site and has to deal with laws, policies and regulations. One of these policies in the EU for instance is the GDPR. That's also one of the reasons WordPress has a Privacy section in wp-admin nowadays.

Therefor a possible strategy in solving this could be extending the Privacy section in wp-admin with options related to these kind of issues. Plural, because there are and will be more issues like this.

A tab with options related to (in this case) embedding could be added. Each option allows the site-owner to make a decision with regards to privacy and embeds on their site. We could even use these options to automatically add information about this to the site's Privacy Policy. The defaults for these options would be open for discussion. Ultimately the site owner needs to be able to make an informed choice in this and communicate it with their public. Ignoring the issue at hand will not make it go away.

Therefor I request you & others to reconsider and strive towards fixing this issue together and make WordPress more privacy-friendly out-of-the-box.

#51 follow-up: @johnbillion
3 years ago

That's a different discussion as it affects all the oEmbed providers that WordPress supports plus any embed that a user pastes into the site that supports oEmbed Discovery. The burden is on the site owner to ensure their privacy policy and cookie policy is accurate if they or their editors use such embeds. I'd be happy to see a separate ticket for that.

#52 in reply to: ↑ 51 @jottevanger
3 years ago

Replying to johnbillion:

That's a different discussion as it affects all the oEmbed providers that WordPress supports plus any embed that a user pastes into the site that supports oEmbed Discovery. The burden is on the site owner to ensure their privacy policy and cookie policy is accurate if they or their editors use such embeds. I'd be happy to see a separate ticket for that.

I think if it's a different discussion & ticket then the discussion on this ticket needs to be about what the default WP behaviour should be, and it should be in favour of privacy/legality. That means YouTube should be a no-cookie embed by default; adding good controls to override this default can, as you say, be another ticket - in fact I can think of a lot of ways to tackle how this could work, both from the point of view of site owners having control over the default on their specific site, or connecting user consent or preferences to how an embed is rendered. But the WP default behaviour is crucial, and needs to favour non-tracking embeds for YouTube.

And as I noted before, whilst there are of course considerations for what logged-in YT users might want, they can always click on a "no-cookie" embedded video and see it as a logged in user. This puts the control into their hands. Whereas the reverse is not true: if they are shown a cookie-carrying video first there is no way they can then opt out.

#53 @williampatton
3 years ago

I quite heavily lean towards the default being a no-cookie option with a possibility to override that in a follow-up card.

It does have implications to existing site content and places where site owners may explicitly want a cookied YT experience but it is hard for me to know quite how far-reaching those implications may be and if they are really negative at all.

I am happy to step away from being this issue owner here if someone else wants to step in as I don't have a clear path forward anymore.

#54 @BjornW
3 years ago

Perhaps we can learn something from how other opensource projects? For instance this is Hugo's documentation on GDPR and YouTube. In it the authors explain how to setup Hugo's settings to adhere to the GDPR.

As far as I know this is currently not possible by a WordPress site-owner without having to build a custom solution using filters and actions (in so far as these are available).

The current YouTube embed would be perfect for this to iterate on. Why not limit ourselves (for now) to building this setting specifically for YouTube first into the Privacy Settings. Keep the url the same (tracking url) for current installs while new installs will use the 'no-cookie' url. Roll out and test this with more people. Depending on the result we can either remove it, change it or extend it to other embeds. If needed & possible it could be a tiny Beta plugin (like Gutenberg once was) shipped with WordPress to test the waters?

I'm willing to spend more time on this, but not without some support from one or more core committers so this issue can get the attention it deserves. Any core committers willing to support this?

#55 follow-up: @Mte90
3 years ago

In the meantime there is any hope to get new videos with nocookie.com?
There are websites with very strict requirements for GDPR and so on.

#56 in reply to: ↑ 55 @jottevanger
3 years ago

Replying to Mte90:

In the meantime there is any hope to get new videos with nocookie.com?
There are websites with very strict requirements for GDPR and so on.

Absolutely right, and it's remarkable that this hasn't been addressed yet in spite of the wealth of discussion and advice here! But in the meantime I just have this in my theme file:

add_filter( 'embed_oembed_html', 'privatise_oembed_youtube', 99, 4 );

function privatise_oembed_youtube( $cached_html, $url, $attr, $post_id ) {
    $cached_html = str_replace("www.youtube.com/embed","www.youtube-nocookie.com/embed", $cached_html);
    return $cached_html;
}

It will suffice for now!

#57 @Mte90
3 years ago

To me to achieve this is quite simple:

  • switch to nocookie version so the new ones are covered
  • write a detailed note like any WP release about the change for their security policy
  • publish a wp-cli snippet to replace all the articles with the old oembed
  • release a filter to switch to the previous youtube url (or new one) in case someone needs (in this way also cookie banners plugin can integrate this)
  • maybe extend this filter also for other services that have similar features

In this way it is the owner of the website that can decide what to do, but WP is bulletproof for any issues of this that is provided to all the millions installation that WP has.

This ticket was mentioned in Slack in #forums by cristiano.zanca. View the logs.


3 years ago

@adakaleh
2 years ago

Allow yt-nocookie embeds within posts

@adakaleh
2 years ago

Allow yt-nocookie embeds within headers

@adakaleh
2 years ago

misc. yt-nocookie regex changes

@adakaleh
2 years ago

Adjust YT regex within a test

#59 @adakaleh
2 years ago

Okay, let's see if we can finalize this. Switching to yt-nocookie everywhere would have been an easy win for privacy, but WordPress devs don't agree with the change. In any case, note that yt-nocookie alone is probably not sufficient for GDPR compliance, as the embed still sets some IDs in local storage that (I suppose) require the visitor's "consent".

A proper solution for third-party video embeds is to use an image placeholder that becomes an iframe when clicked. This method not only improves privacy, but also lifts the iframe's performance burden from the initial page load. There are plugins for this, but WordPress really should support it natively. The savings in terms of page load time and energy consumption would be massive, given the scale at which WordPress is used.

But until we get there, here are a few patches for converting youtube-nocookie links to youtube-nocookie embeds (see above):

  • The first patch allows nocookie embeds within posts.
  • The second does the same for video headers.
  • The third adds nocookie support to other youtube regular expressions. I don't know how they are used, but I figured they should match.
  • The fourth patch adjusts a youtube regex within a test.

There are also a few YT regular expressions within the TinyMCE code, but they probably should be dealt with upstream. Then again, the patches above seem to be sufficient for our purposes.

#60 @didierjm
2 years ago

My 2cts
Was sent to this thread, after posting a "non-support" comment https://wordpress.org/support/topic/youtube-oembed-cookies/#post-16150588 on the Performance Lab plugin page, as IMHO, this would be the "best" place to add such a feature, without modifying the core. The site owner could decide from there to activate (Yes/No) the change globally (with a purge of oEmbed cache to recreate URLs).

Even if it's an imperfect solution for privacy, it would be available for those who'd be interested.

PS: I have a blog with 2000+ posts containing YT videos. A manual change would be quite a problem for me...

#61 @adakaleh
2 years ago

@williampatton & @johnbillion: Three months ago I posted patches which solve this issue. Are WP devs going to check them? Do I need to submit a pull request on GitHub?

#62 in reply to: ↑ 49 ; follow-up: @desrosj
2 years ago

  • Keywords needs-dev-note removed
  • Owner williampatton deleted

Came across this ticket going through the report for tickets with the close keyword.

Replying to johnbillion:

As a site visitor I value my privacy and don't wish to be tracked bu YouTube around the web, but I also value the convenience of using features in the player that are present because I'm logged in, such as ad-free viewing, being able to save videos to a watch later list, and utilising viewing history. These concerns shouldn't be discounted just because an individual can use external tools to approximate this functionality.

Currently, my stance is that I strongly agree with this and I am of the opinion that this is not something that should be addressed in Core.

I would not be opposed to adjusting Core to be more receptive to allowing youtube-nocookie.com embeds, but I am a big -1 to making that the default experience and to exposing a UI for someone to make that choice in the editor.

From what I've gathered from the discussion above so far (disclaimer that I'm not a lawyer or someone thoroughly versed in GDPR):

  • The nocookie domain is not GDPR compliant, so the proposed change would not help sites progress in that direction.
  • As documented above, the URL formats accepted for this domain are much different than the primary one. This could be really frustrating for content editors that are not well versed in this.

From my perspective (and seemingly the perspective of several other Core Committers above), this seems like an instance of user preference and not one where a site owner should impose a preference on every visitor. Especially where the user does not have the ability to choose the regular experience. Where this change does not make a site GDPR compliant, allowing users to combine their used browser, add-ons/extensions, preferences, etc. to control how they consume content.

I think this would be a great plugin.

  • The site owner could choose the preferred default domain.
  • Users with accounts could decide their own preference and see it reflected when they're viewing content on the site.
  • etc.

I also disagree that the performance plugin is the best place to explore this.

I am inclined to close this out as a wontfix. However, there are several regular Core contributors that do work at Google and I'd like to see about getting any thoughts they may have. I'll ping them separately and invite them to engage if they'd like to. For now, I'll leave this marked as close and return in a month or two to actually close if there is no change of heart for the committers that have stated their preference already. I'm also clearing the ticket owner since @williampatton expressed a willingness to step aside since the path forward was not clear.

#63 in reply to: ↑ 62 @williampatton
2 years ago

Replying to desrosj:

I am inclined to close this out as a wontfix. However, there are several regular Core contributors that do work at Google and I'd like to see about getting any thoughts they may have. I'll ping them separately and invite them to engage if they'd like to. For now, I'll leave this marked as close and return in a month or two to actually close if there is no change of heart for the committers that have stated their preference already. I'm also clearing the ticket owner since @williampatton expressed a willingness to step aside since the path forward was not clear.

Thanks for clearing me of owner on this, I'd be happy to pick it back up and action on it if a path forward opens up again.

I've thought a lot about this ticket over many months and I can't make up my mind on exactly what would be right. I previously was of the opinion that making this the default for NEW content was the right option however I was under the impression at that time that it was fully GDPR compliant AND gave site visitors a free choice of how to view the video. Seems like that was not correct.

My latest thinking here is that I no longer believe making this a default (or even an exposed option) would be the right move. Adding an oembed handler for this wouldn't be a bad thing though if content creators chose to embed the links to this provider themselves.

#64 follow-up: @johnbillion
2 years ago

  • Keywords close removed

Based on the above discussions, the best option is to add support for the youtube-nocookie.com domain name to the automatic oEmbed handling, so site editors can choose to use that domain name and have embeds work as expected. The latests patches from @adakaleh do this. Testing of those patches would be appreciated.

There are plugins that have been available for many years that address general privacy concerns with embeds, and not just specific to YouTube:

#65 in reply to: ↑ 64 @didierjm
2 years ago

Thx John, just tested the "Better Core Video Embeds" and it works for me as a solution, as it does use the YT no-cookie URL in addition to other things.
Wasn't able to find it myself previously. Shame on me...
Have a good evening.
DJM

Replying to johnbillion:

There are plugins that have been available for many years that address general privacy concerns with embeds, and not just specific to YouTube:

#66 @masteradhoc
19 months ago

+1 to get some movement here and implement a nocookie mode

This ticket was mentioned in PR #651 on WordPress/wporg-mu-plugins by @ryelle.


3 months ago
#67

See https://github.com/WordPress/wporg-main-2022/issues/493#issuecomment-2316230298 — We'd like to use the "privacy-enhanced" youtube embeds, but the domain used is not supported by the core embeds. I've put this code in wporg-mu-plugins because I'll also want to use it on WCUS's livestream pages; and I can see needing it on other pages.

Hopefully the core ticket will be fixed at some point, and we can phase this out.

[youtube-nocookie title="Showcase Day video player"]https://www.youtube-nocookie.com/embed/PM2Ov8atqBw?si=4YwCx25TQfdWPcW_[/youtube-nocookie]

https://github.com/user-attachments/assets/1beca746-07c2-4527-9bbd-0191cabb5d55

To test

  • Find a youtube video
  • Click share, embed to get to the iframe code
  • Select "Enable privacy-enhanced mode."

https://github.com/user-attachments/assets/8145f131-c9b0-4408-9d31-b8f93aacd061

  • From there, copy out the src URL
  • Create or edit a post, add the shortcode block
  • Add the shortcode: [youtube-nocookie]COPIED URL[/youtube-nocookie]
  • Optionally set height, width, and title attributes

Try other URLs, it should only create the iframe for youtube-nocookie.com domains.

@ryelle commented on PR #651:


3 months ago
#68

Going to merge this so I can build out the WordCamp pages, but we can iterate if needed.

Note: See TracTickets for help on using tickets.