Make WordPress Core

Opened 2 years ago

Last modified 8 weeks ago

#44610 assigned enhancement

Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.

Reported by: jepperask
Owned by: williampatton
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.9.7
Component: Embeds
Keywords: needs-testing has-patch
Focuses: privacy
Cc:


The file "wp-includes/class-wp-customize-manager.php" includes a function "_validate_external_header_video( $validity, $value )". The regex used in this function is incomplete, as some URLs are invalidated in the customizer. What is interesting is that the regex used in "wp-includes/js/wp-custom-header.js" (which actually sets the YouTube video) is different and validates e.g. the youtube-nocookie.com URLs, which I think more people will need due to GDPR.

In the JavaScript file, it actually quotes a Stack Overflow regex found at: http://stackoverflow.com/a/27728417


Update the regex in "wp-includes/class-wp-customize-manager.php" (line 5664) to match the one used in "wp-includes/js/wp-custom-header.js" (line 379).

Attachments (2)

44610.diff (6.4 KB) - added by jepperask 2 years ago.
44610.2.diff (5.2 KB) - added by jepperask 2 years ago.


Change History (23)

#1 @jepperask
2 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#2 @jepperask
2 years ago

Closed as it seems the JS file needs more work, even if the URL is validated with e.g. a youtube-nocookie.com URL.

#3 @netweb
2 years ago

  • Milestone Awaiting Review deleted

#4 @jepperask
2 years ago

  • Keywords needs-testing 2nd-opinion needs-unit-tests added
  • Resolution invalid deleted
  • Status changed from closed to reopened

I've done some more digging and made it show the no-cookie version, however autoplay does not seem consistent.
I'm new to this part of WordPress - can I submit a pull request for review and input from others somewhere?

My changes are simply updating the regex (PHP) and adding an argument to the YT.Player initialization (JS). Resolving the 'host' argument is a bit clumsy, so I'd appreciate if someone would take over.

Otherwise here comes a description of my changes:
wp-includes/class-wp-customize-manager.php:5664 - change function to:

public function _validate_external_header_video( $validity, $value ) {
        $video = esc_url_raw( $value );
        if ( $video ) {
                // Reject anything the YouTube URL pattern does not match.
                if ( ! preg_match( '#^https?://(?:www\.)?(youtube|youtube-nocookie)\.com/(watch|embed|youtu\.be/)#', $video ) ) {
                        $validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) );
                }
        }
        return $validity;
}

wp-includes/theme.php:1402 - change line to:

if ( preg_match( '#^https?://(?:www\.)?(youtube|youtube-nocookie)\.com/(watch|embed|youtu\.be/)#', $video_url ) ) {

wp-includes/js/wp-custom-header.js:394 - add "host" argument to YT.Player settings dictionary:

host: location.protocol + this.settings.videoUrl.indexOf("youtube-nocookie") !== -1 ? "//www.youtube-nocookie.com" : "//www.youtube.com",
Version 2, edited 2 years ago by jepperask

#5 @jepperask
2 years ago

  • Summary changed from Update regex used for YouTube videos in class-wp-customize-manager.php::_validate_external_header_video() to Allow Youtube-Player to use youtube-nocookie.com URLS to avoid setting cookies.

#6 @jepperask
2 years ago

  • Keywords has-patch added

#7 @birgire
2 years ago

  • Focuses privacy added

Welcome to WordPress Core Trac @jepperask

The scope of the ticket seems to be the YouTube URL in the Header Media of the Customizer.

Here's some info on YouTube's Privacy Enhanced Mode:

Privacy Enhanced Mode allows you to embed YouTube videos without using cookies to track viewing
behavior. This means viewing activity isn’t collected to personalize the viewing experience. Instead,
video recommendations are contextual and related to the currently played video. Videos playing in a
Privacy Enhanced Mode embedded player won’t influence the viewer's browsing experience on YouTube.

(The Privacy Enhanced Mode only relates to tracking of viewer behavior, not ads-serving behavior.
To disable tracking for advertising purposes, you can add yourself to the Tag for Child-Directed
Treatment page.)


If the viewer clicks or taps out of the embed and is redirected to another website or app, 
that website or app may track the viewer’s behavior as per that website’s or app’s policies and terms.
Privacy Enhanced Mode is currently available only for embedded players on websites. Developers will
have to wrap the Privacy Enhanced Mode player into a web-view instance in order to use it in apps.
To use Privacy Enhanced Mode, change the domain for the embed URL in your HTML from 
https://www.youtube.com to https://www.youtube-nocookie.com as shown in the following example:

<iframe width="1440" height="762" 
frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

<iframe width="1440" height="762" src="https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE"
frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

Since this is a different domain, network administrators also need to add the domain 
youtube-nocookie.com to their firewall whitelist in addition to youtube.com.



This seems to be the supported format:


I tested various versions (with browser and curl) that did not work:


If supporting the Privacy Enhanced Mode is the way to go, should the:


be the only supported format for the youtube-nocookie.com URLs?

#8 @birgire
2 years ago

ps: we could also note that it's currently not supported to embed


e.g. in the post content and in the Video widget, while


is supported.

#9 @jepperask
2 years ago

Thank you for the feedback. It appears I was missing some parentheses in the javascript code:

host: location.protocol + ((this.settings.videoUrl.indexOf("youtube-nocookie") !== -1) ? "//www.youtube-nocookie.com" : "//www.youtube.com"),

Using my changes to the code, I successfully got it to play the following URLs (TwentySeventeen setting the Header Media on a fresh install):

I'll test more if needed. If you inspect the JS-file, you will find that the Regex is extracting the video-ID, and regardless of what the original URL was, it will appropriately set the URL to:


Schema is set to location.protocol, as I was unable to set the host argument with https when called from my localhost (http).

Last edited 2 years ago by jepperask
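The two `host` expressions from comments #4 and #9, next to a variant that parses the URL and maps its exact hostname, as an added example that is not code from the ticket or from WordPress. The function names, the `PLAYER_HOSTS` table (including the `youtu.be` entry) and the test URLs are assumptions made for illustration.

```javascript
// Added example. resolvePlayerHost, PLAYER_HOSTS and the hostFromComment*
// functions are hypothetical names, not WordPress code.

// Expression as first posted in the ticket: `+` binds tighter than `!==`,
// so the condition compares a string with -1 and is always true.
function hostFromComment4(videoUrl, protocol) {
  return protocol + videoUrl.indexOf('youtube-nocookie') !== -1
    ? '//www.youtube-nocookie.com'
    : '//www.youtube.com';
}

// Corrected expression from the later comment: the protocol is kept, but the
// choice still depends on a substring found anywhere in the URL.
function hostFromComment9(videoUrl, protocol) {
  return protocol + ((videoUrl.indexOf('youtube-nocookie') !== -1)
    ? '//www.youtube-nocookie.com'
    : '//www.youtube.com');
}

// Alternative: parse the URL and map its exact hostname to a player host.
const PLAYER_HOSTS = new Map([
  ['youtube.com', 'www.youtube.com'],
  ['www.youtube.com', 'www.youtube.com'],
  ['youtu.be', 'www.youtube.com'],
  ['youtube-nocookie.com', 'www.youtube-nocookie.com'],
  ['www.youtube-nocookie.com', 'www.youtube-nocookie.com'],
]);

function resolvePlayerHost(videoUrl, protocol) {
  let parsed;
  try {
    parsed = new URL(videoUrl);
  } catch (e) {
    return null; // not an absolute URL
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  const host = PLAYER_HOSTS.get(parsed.hostname);
  return host ? protocol + '//' + host : null;
}
```

A `null` result means the caller should not initialise the player with that URL at all, rather than falling back to a default host.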

#10 @jepperask
2 years ago

The embedded HTML in posts appears to originate from https://www.youtube.com/oembed. Regardless of whether it is a youtube.com or youtube-nocookie.com URL we're trying to embed, the returned HTML is an iframe with src set to a youtube.com URL.

Unless we can find information on how to query youtube-oembed for a youtube-nocookie.com URL as src in the iframe, I believe our only choice is to string-replace the src. I have successfully embedded a youtube-nocookie.com video this way, without any cookies being set.
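The src replacement proposed in comment #10, sketched as an added example that is not code from the ticket or from WordPress (which would do this server-side in PHP; the logic is the same). It rewrites only an iframe `src` that parses as an https youtube.com `/embed/` URL and leaves all other markup alone. `toNoCookieEmbed`, `EMBED_HOSTS` and the sample HTML are hypothetical and constructed for illustration.

```javascript
// Added example. toNoCookieEmbed and EMBED_HOSTS are hypothetical names, and
// SAMPLE_OEMBED_HTML is constructed to resemble an oEmbed "html" value.
const EMBED_HOSTS = new Set(['youtube.com', 'www.youtube.com']);

const SAMPLE_OEMBED_HTML =
  '<iframe title="Clip from youtube.com" width="200" height="113" ' +
  'src="https://www.youtube.com/embed/7cjVj1ZyzyE?feature=oembed" ' +
  'frameborder="0" allowfullscreen></iframe>';

function toNoCookieEmbed(html) {
  // Touch only the src attribute of <iframe> tags; titles, captions and
  // other text mentioning youtube.com stay as they are.
  return html.replace(
    /(<iframe\b[^>]*?\ssrc=")([^"]*)(")/gi,
    (match, before, src, after) => {
      let url;
      try {
        url = new URL(src);
      } catch (e) {
        return match; // relative or malformed src: leave untouched
      }
      const isYouTubeEmbed =
        url.protocol === 'https:' &&
        EMBED_HOSTS.has(url.hostname) &&
        url.pathname.startsWith('/embed/');
      if (!isYouTubeEmbed) {
        return match;
      }
      // Swap the host only; video ID and query string are preserved.
      url.hostname = 'www.youtube-nocookie.com';
      return before + url.href + after;
    }
  );
}
```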


#11 @swissspidy
19 months ago

  • Component changed from Customize to Embeds
  • Keywords needs-patch added; 2nd-opinion needs-unit-tests has-patch removed
  • Milestone set to 5.1

#12 @pento
18 months ago

  • Milestone changed from 5.1 to Future Release

This needs testing and a decision.

This ticket was mentioned in Slack in #core by jeroenrotty.

15 months ago

#14 follow-up: @williampatton
9 months ago

  • Keywords has-patch added; needs-patch removed
  • Owner set to williampatton
  • Status changed from reopened to assigned

I'm gonna pick this one up as I'd like to see some movement on it. I'll do some testing on the patch when I am able.

@jepperask thank you for providing the initial patches for this approach. On a scan it seems like an ok way to handle it, do we need those changes to the packages.lock file though to make this happen?

#15 @ChriCo
7 months ago

What's the state of this Issue? No movement in 7 weeks now. :)

#16 in reply to: ↑ 14 @jepperask
7 months ago

Replying to williampatton:

I'm gonna pick this one up as I'd like to see some movement on it. I'll do some testing on the patch when I am able.

@jepperask thank you for providing the initial patches for this approach. On a scan it seems like an ok way to handle it, do we need those changes to the packages.lock file though to make this happen?

No, feel free to change/remove anything. :-P

#17 @TimothyBlynJacobs
3 months ago

#49800 was marked as a duplicate.

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse.

3 months ago

#19 @paapst
3 months ago

Not sure that the YouTube-Nocookie solution actually helps with GDPR compliance. I know that @rogierlankhorst has written an article about it a while ago: https://complianz.io/youtube-and-the-gdpr-how-to-embed-youtube-on-your-site/ The user apparently still gets YouTube cookies as soon as they hit the play button.

#20 @RogierLankhorst
3 months ago

@paapst is correct: the no-cookie solution is called the "delayed cookie option" by Google, it's not a "no cookie" solution. Because the user does not explicitly consent to cookies when the video is started, this is not GDPR compliant.

#21 @utrenkner
8 weeks ago

@paapst and @RogierLankhorst Even though it is not GDPR compliant, it is a much better solution in terms of privacy. When users just open the webpage with the embedded video, no YouTube cookies are set. Only when they click to play are YouTube cookies set.

I would love to see this in WordPress. I recommended the nocookie-URL to a client of mine, but was surprised that WordPress did not yet support the embedding of the nocookie-URL. I tried fixing this, myself, before I found out how many files need changes. And before I found this ticket...

Would be happy to test a patch!
