Do not use third-party cookies in embedded videos #5548
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
javierm
changed the title
javierm
changed the title
We were using the same code, and the same regular expressions, in two places. To do so, we were including a helper inside a model, which is something we don't usually do.
No that it's no longer a helper, we can extract method without fearing they will have the same name as other helper methods.
When using `<%= `, `nil` is converted to an empty string, so there's no need to explicitely return an empty string.
We were using `reg_exp` as the method name, when it returned `VIMEO_REGEX` or `YOUTUBE_REGEX`. So using `regex` as the method name is less confusing.
Now we're also testing that there's an iframe with the URL; before this change, the test would pass even if the JavaScript generating the iframe wouldn't work.
When embedding a video in our site YouTube stores cookies in the user's computer that aren't necessary to watch the video, so we'd have to make people accept those cookies before letting them watch the video. Using a URL that doesn't use cookies, like mentioned in YouTube Help [1], is easier, though, and respects people's privacy without affecting the user experience. That I've found some references saying that youtube does store cookies once you hit the "play" button even when using the nocookie server [2]. Not sure whether that's an old behavior or I'm doing something wrong, but I don't see this is the case; even after playing the video, cookies aren't stored on my browser. [1] https://support.google.com/youtube/answer/171780#zippy=%2Cturn-on-privacy-enhanced-mode [2] https://www.cnet.com/news/privacy/youtubes-new-nocookie-feature-continues-to-serve-cookies/
taitus
approved these changes
Jun 7, 2024
With this parameter, Vimeo no longer uses cookies that identifies users browsing our site. They do still store some cookies, though; quoting from Vimeo player parameters overview: > When DNT is enabled, Vimeo deploys one essential cookie via the > embeddable player: > The __cf_bm cookie, which is part of Cloudflare's Bot Management > service and helps mitigate risk associated with spam and bot traffic. Not sure whether this counts as essential cookies in our case; they're essential for Vimeo, but for us, they're third-party cookies, after all. [1] https://help.vimeo.com/hc/en-us/articles/12426260232977-Player-parameters-overview
|
The failing test is not related to this pull request. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
References
Objectives
Notes
Even with these changes, Vimeo still stores cookies that we cannot avoid; quoting from Vimeo player parameters overview:
Not sure whether Google stores a NID cookie when playing YouTube videos 馃. I haven't been able to reproduce it.
Sponsored
Functionality developed by