Embedding YouTube Videos Without Sending the Site’s URL to YouTube


Some time ago I wrote about how to embed YouTube videos in a privacy-friendly manner. This explains how to avoid cookies on the user’s devices when playing an embedded YouTube video.


How To Embed YouTube Videos in a Privacy-Friendly Manner


This time I write about how to remove the HTTP referrer from a manual `iframe` embed to keep the embedding site’s privacy.


Document Referrer Specification


For some CMSes, pasting the YouTube link is enough, and users can only hope the CMS does the right thing. Otherwise you can paste the `iframe` manually, like you would for static site generators. And we can do better.


An ordinary YouTube embed is an iframe and might look like this:


```html
<iframe
  title="“A sample video” on YouTube"
  src="https://www.youtube-nocookie.com/embed/aBcDeFgHiJk?rel=0"
  style="border: none"
  allow="fullscreen; picture-in-picture"
  loading="lazy"
  referrerpolicy="no-referrer">
</iframe>
```

iframe Specification


You give it a nice title (“A sample video” on YouTube), link to the video (`src`), add a `?rel=0` to the URL to not display related videos, add some styling, allow fullscreen and picture-in-picture, and load the video embed only if it’s visible (`loading="lazy"`).


The important bit is to not send a referrer to YouTube to keep your privacy (`referrerpolicy`). Otherwise the URL of the embedding page will be sent to YouTube. Not a big deal, but why expose more information to Google for no benefit at all?


Referrer Policy Specification


The technical explanation of the relevant part, copied verbatim from Mozilla’s Developer Network:


> Inside an `<iframe>`, the `Document.referrer` will initially be set to the same value as the `href` of the parent window’s `Window.location`.


Document Referrer Specification


The currently copyable embed code on YouTube.com will set `strict-origin-when-cross-origin` as the `referrerpolicy`, which is the default in all browsers, and I quote the MDN again:


> Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).


I have no idea why YouTube is setting this explicitly, maybe to accommodate ancient browsers, but `no-referrer` is better anyway, because we don’t want to send any information.
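To make the difference between the two policies concrete, this added example (not part of the original post) computes the `Referer` value a browser would send for the sample embed above under each policy. The embedding page URL is a constructed placeholder, the function names are hypothetical, and the code covers all eight policy values from the Referrer Policy specification rather than only the two discussed here.

```javascript
// Added example, not the author's code. Simplification: only https: counts
// as "secure"; the specification's trustworthiness check is broader.
const PAGE = "https://blog.example/2010/draft-post?preview=1#comments"; // constructed
const EMBED = "https://www.youtube-nocookie.com/embed/aBcDeFgHiJk?rel=0"; // from the post

// Strip a URL for use as a referrer: drop credentials and fragment,
// or reduce it to the bare origin when originOnly is true.
function strip(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function refererFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return strip(pageUrl, false);
    case "origin": return strip(pageUrl, true);
    case "same-origin": return sameOrigin ? strip(pageUrl, false) : null;
    case "strict-origin": return downgrade ? null : strip(pageUrl, true);
    case "no-referrer-when-downgrade":
      return downgrade ? null : strip(pageUrl, false);
    case "origin-when-cross-origin": return strip(pageUrl, !sameOrigin);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(pageUrl, false);
      return downgrade ? null : strip(pageUrl, true);
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// What the embed receives under YouTube's copied policy versus no-referrer.
function compareEmbedPolicies() {
  const result = {};
  for (const p of ["strict-origin-when-cross-origin", "no-referrer"]) {
    result[p] = refererFor(p, PAGE, EMBED);
  }
  return result;
}

console.log(compareEmbedPolicies());
```

With the policy from YouTube's copied embed code the embed still learns which site it is on, but not which page; with `no-referrer` it learns neither.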


While I still have six posts from 2009 through 2011 on my site which embed YouTube videos, I’m starting to think that embedding is not the greatest idea anymore and that just linking to them is good enough.

-- Page fetched on Mon May 6 17:47:31 2024