x/website: Content Security Policy breaks embedded YouTube videos

[shubh1m]

What is the URL of the page with the issue?

https://go.dev/blog/io2010

What is your user agent?

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

Screenshot

What did you do?

What did you expect to see?

What did you see instead?

[hsblhsn]

I think it's a content blocker in your browser that is blocking youtube video embedding via iframe.

For convenience, here is the video link that was being blocked. https://www.youtube.com/watch?v=jgVhBThJdXc

[cespare]

No, this is a site issue. It's blocked because of the Content-Security-Policy header.

Here's the value of the CSP header served on the linked page:

connect-src 'self' https://golang.org www.google-analytics.com stats.g.doubleclick.net; default-src 'self'; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; frame-ancestors 'none'; frame-src 'self' www.google.com feedback.googleusercontent.com www.googletagmanager.com scone-pa.clients6.google.com; img-src 'self' www.google.com www.google-analytics.com ssl.gstatic.com www.gstatic.com gstatic.com data: *; object-src 'none'; script-src 'self' 'sha256-n6OdwTrm52KqKm6aHYgD0TFUdMgww4a0GQlIAVrMzck=' 'sha256-4ryYrf7Y5daLOBv0CpYtyBIcJPZkRD2eBPdfqsN3r1M=' 'sha256-sVKX08+SqOmnWhiySYk3xC7RDUgKyAkmbXV2GWts4fo=' www.google.com apis.google.com www.gstatic.com gstatic.com support.google.com www.googletagmanager.com www.google-analytics.com ssl.google-analytics.com tagmanager.google.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com feedback.googleusercontent.com www.gstatic.com gstatic.com tagmanager.google.com;

and here's my JS console:

[gopherbot]

Change https://golang.org/cl/347212 mentions this issue: cmd/golangorg: fix Content Security Policy breaks embedded YouTube videos