This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Youtube videos don't play #358

Closed
Symbai opened this issue Sep 20, 2015 · 41 comments

@Symbai

Symbai commented Sep 20, 2015

Hello,

when Referrer-Spoofing is active, youtube videos don't play. Something they changed as it worked weeks ago without an issue.

@gorhill
Owner

gorhill commented Sep 20, 2015

When referrer-spoofing breaks a web site, the solution is to disable referrer-spoofing.

@Symbai
Author

Symbai commented Sep 20, 2015

Or to use another addon where referrer-spoofing does not break the video playback.
Or to use the stable 0.9.1.2 because there it does NOT break the video playback.
Or to stop giving stupid answers and fix the problem?

I've not signed up myself here to report an issue to hear if I have problems I should stop using the feature then. Just saying. It has worked before, it works on 0.9.1.2, it works with other addons providing the same feature. It does NOT work with the latest beta of uMatrix.

@gorhill
Owner

gorhill commented Sep 20, 2015

See CONTRIBUTING, then compare against the issue you filed.

You said yourself "something they changed", so I assumed you actually researched this and came to the conclusion the issue was server-side, not uMatrix-side; these are your own words.

@Symbai
Author

Symbai commented Sep 20, 2015

I haven't looked at this file. Guess it's my mistake then, I apologize. So will you take a look at it?

@zummuz

zummuz commented Sep 21, 2015

@Symbai provide some details so that gorhill would be able to reproduce the issue:
What browser do you use, OS?
What version of uMatrix, because stable for firefox is 0.9.2.1 and for chromium-based is 0.9.2.0 and there is dev version?
What settings in the privacy tab in the settings of the extension are checked?
Videos don't play from home page of youtube or when you turn on youtube's playlist, etc?

Update: sorry, I hadn't noticed you mentioned that you use the latest beta of uMatrix.

@danieljl

Same problem here. Firefox 41.0, Windows 8.1, referrer spoofing on.

Version 0.9.2.2b4 breaks YouTube, but when I switch back to 0.9.2.1, it works.

@0xBRM

0xBRM commented Sep 26, 2015

Must be a windows issue. Gentoo here, FF 40.0.0.3, tried with both flash and html5, referrer spoofing on, and it just works™.

@zummuz

zummuz commented Sep 26, 2015

@Symbai @danieljl I just tried on firefox 34.0.5 (portable version), uMatrix 0.9.2.2b4, windows 7, "Spoof HTTP referrer string of third-party requests" is checked, html5 - youtube works fine.
Do you allow scripts on the site? Maybe your rules were purged on extension update? Do videos work when referrer spoofing is unchecked?

Check these lines in "My rules" tab:
youtube.com googlevideo.com other allow
youtube.com googlevideo.com xhr allow
youtube.com ytimg.com script allow

@0xBRM

0xBRM commented Sep 26, 2015

Why don't you ( @Symbai @danieljl ) post the logger output?

@L-a-n-g-o-l-i-e-r-s

Hi there, I have the same issue when I enable spoofing it breaks HTML5 playback and YouTube reverts to flash after some time. I am using Firefox 41.0.1 on Windows 10 x64 with uMatrix 0.9.3.0rc1 with Referrer-Spoofing activated. When Referrer-Spoofing is disabled HTML5 playback works again on YouTube.

I confirmed my rules are set up correctly and they're somewhat more liberal even. Here is the "full" log up to the moment it falls back to flash video (which is set for click to activate). I hope you find this information beneficial.

Thanks for your hard work!

Referrer-Spoofing Enabled: uMatrix 0.9.3.0rc1
http://pastebin.com/w0gj0gRV
Referrer-Spoofing Disabled: (Working Correctly) uMatrix 0.9.3.0rc1
http://pastebin.com/3XdJwxxL
Referrer-Spoofing Enabled: (Working Correctly) uMatrix 0.9.2.1
http://pastebin.com/u6yzFRSy

Is it at all possible that the spoofing feature was broken on uMatrix 0.9.2.1 and the functionality was then fixed in this context? It also should be noted that for testing purposes the videos were allowed to buffer and not play, the first that defaulted to flash was in click to play mode and not allowed to buffer. No user agent overrides were used in any instance.

@gorhill
Owner

gorhill commented Oct 9, 2015

Interesting, I could reproduce it in Nightly, but not in FF41 earlier.

@gorhill
Owner

gorhill commented Oct 9, 2015

Strange, exact same page in FF41 and Nightly + exact same uMatrix configuration in FF41 and Nightly:

FF41 plays fine with referrer spoofing enabled
Nightly does not play with referrer spoofing enabled

Using Network tab, I see FF41 being served a single mp4 file from googlevideo.com, while Nightly is being served chunks of webm file from googlevideo.com.

@ghost

ghost commented Oct 9, 2015

What happens if you switch-spoof their user agents?

@gorhill
Owner

gorhill commented Oct 9, 2015

I turned off UA spoofing on Youtube to be sure it wasn't the issue.

@L-a-n-g-o-l-i-e-r-s

I should have elaborated, in no instances was I using a user agent override of any kind.

@ghost

ghost commented Oct 9, 2015

Sorry, did not mean to imply UA spoofing was already on. I was merely trying to suggest turning it on, and making each FF instance pretend it's the other one :)

@gorhill
Owner

gorhill commented Oct 9, 2015

Using FF41 UA string in Nightly does not help. Biggest difference is one is served MP4, the other webm.

@L-a-n-g-o-l-i-e-r-s

Right, but how does that affect the two different versions of uMatrix where one works on 41.0.1 and one doesn't? (in my set up anyway) Which brings me back to my question: is it possible that the uMatrix Referrer-Spoofing feature could have been broken for YouTube in 0.9.2.1?

Thanks

@marinmo

marinmo commented Oct 9, 2015

I can confirm this bug, using Firefox 41.0.1, uMatrix 0.9.3.0rc1, however, in both cases for me youtube sends a webm, only that one doesn't play. I have no hard evidence, but I suspect it might have something to do with youtube not using SSL (secure connection) for the video data when using UA-spoofing, despite accessing youtube via HTTPS - the URIs used for sending video look quite radically different (I can provide examples should you require them).

@L-a-n-g-o-l-i-e-r-s

I am using HTTPS Everywhere, what you're saying still doesn't explain why every time 0.9.2.1 works with 41.0.1 and the other doesn't. If it is sending a different file because I'm using a different version of the extension, on the same version of the browser and windows then we have a real problem here I think.

@marinmo

marinmo commented Oct 9, 2015

My post was not related to what you've been saying whatsoever. gorhill already reported that FF41 plays fine with referrer-spoofing, while it does not for me. Also, I'm being served webm in both cases while you are being served mp4.

@L-a-n-g-o-l-i-e-r-s

requiressl=yes is in the same content link it is serving me, how about you post your log?

Are you using any extensions/userscripts which change youtube prefs such as Youtube Center? What is your OS platform?

Thanks

@marinmo

marinmo commented Oct 9, 2015

Sorry about that. Win10, I am using YTC. Disabling YTC still sends me webm video. Logs provided below:
Without UA spoofing:
http://pastebin.com/k2tjr3uz
With UA spoofing:
http://pastebin.com/eDibunwm

@iamzam

iamzam commented Oct 9, 2015

what happens if you turn webm off in about:config (search for webm)? Do you get the mp4 file then?

@wfdd

wfdd commented Oct 11, 2015

This does not only happen in Firefox and is related to the new origin logic in 2224ece (lines 259–272). Chromium spits out the following error:

XMLHttpRequest cannot load https://r4---sn-jtu5-aj5e.googlevideo.com/[..]. The 'Access-Control-Allow-Origin' header has a value 'https://r4---sn-jtu5-aj5e.googlevideo.com' that is not equal to the supplied origin. Origin 'https://www.youtube.com' is therefore not allowed access.

I've not studied the code especially fastidiously, but—evidently—uMatrix sets the value of origin to the host name of the very first origin (which, presumably, is unintentional; if we're to avoid leaking the origin, it should be set to the host name of the target).

@gorhill
Owner

gorhill commented Oct 11, 2015

> uMatrix sets the value of origin to the host name of the very first origin

No, uMatrix sets the value of origin to the destination (a subdomain of googlevideo.com), in order to prevent the server behind googlevideo.com from knowing that the party making the request is a page on youtube.com.

I can reproduce with Chromium as well as you report. The error message says "supplied origin": this does not come from the headers, because dev console shows these are spoofed as expected by uMatrix.

So this is the issue: modifying the Origin header breaks Youtube. The spoofing of the Origin header was added as a fix for #320. If I comment out the spoofing of the Origin header, the videos play properly.

So essentially this means referrer spoofing breaks Youtube, so it will have to be disabled on Youtube.

@gorhill gorhill closed this as completed Oct 11, 2015
@wfdd

wfdd commented Oct 11, 2015

Ok, if I'm understanding this correctly, googlevideo.com dynamically sets the value of Access-Control-Allow-Origin to the value of the supplied Origin (googlevideo.com, in this particular instance); however, the browser refuses to fulfil the request in the knowledge that it actually originated from YouTube. Given that CORS is an important security feature, it seems rather unlikely that we might be able to override this behaviour.

Thank you for your patience in dealing with this issue.
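
The mechanism described in the two comments above, modelled as an added example that is not part of the original thread and is not uMatrix, browser or server code. All function names, the constructed URLs and the simplified CORS check (no credentials, no preflight) are assumptions made for illustration.

```javascript
// Server model: reflect the request's Origin header into
// Access-Control-Allow-Origin, as wfdd describes googlevideo.com doing.
function reflectingServer(requestHeaders) {
  const responseHeaders = {};
  if (requestHeaders.Origin) {
    responseHeaders['Access-Control-Allow-Origin'] = requestHeaders.Origin;
  }
  return responseHeaders;
}

// Extension model: rewrite Origin on a third-party request to the
// destination's own origin, so the server cannot tell which page asked.
function spoofOrigin(requestHeaders, targetUrl) {
  return { ...requestHeaders, Origin: new URL(targetUrl).origin };
}

// Browser model: the CORS check compares the response header with the origin
// the browser recorded for the page, not with the header that went on the wire.
function corsCheck(pageOrigin, responseHeaders) {
  const allowed = responseHeaders['Access-Control-Allow-Origin'];
  return allowed === '*' || allowed === pageOrigin;
}

// Run one cross-origin XHR through the three parties.
function simulate(pageUrl, targetUrl, spoof) {
  const pageOrigin = new URL(pageUrl).origin;
  let requestHeaders = { Origin: pageOrigin };
  if (spoof) requestHeaders = spoofOrigin(requestHeaders, targetUrl);
  const responseHeaders = reflectingServer(requestHeaders);
  return {
    sentOrigin: requestHeaders.Origin,
    allowOrigin: responseHeaders['Access-Control-Allow-Origin'],
    allowed: corsCheck(pageOrigin, responseHeaders),
  };
}

// Constructed URLs, not taken from the logs in this thread.
const PAGE = 'https://www.youtube.com/watch?v=CONSTRUCTED';
const VIDEO = 'https://r1.googlevideo.example/constructed-path';

console.log('no spoofing:', simulate(PAGE, VIDEO, false));
console.log('Origin spoofed:', simulate(PAGE, VIDEO, true));
```

With spoofing on, the server echoes the video host's own origin, which can never equal the page origin the browser checks against, so the response is rejected even though the server granted access to the origin it was shown.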

@L-a-n-g-o-l-i-e-r-s

https://github.com/gorhill/uMatrix/wiki/Per-scope-switches uMatrix has an option for per site basis via the 3 dot menu, so you don't have to fully disable the option. (Thanks gorhill)

@Greed1

Greed1 commented Oct 19, 2015

On Clubic.com the same issue occurs with livefyre. If the referrer spoofing is enabled the comments won't appear. Everything was fine with 0.9.2.1

example: http://www.clubic.com/mag/culture/actualite-783092-quiz-connaissez-retour-futur.html

@gorhill
Owner

gorhill commented Oct 19, 2015

> Everything was fine with 0.9.2.1

Because the Origin header, if present, was not spoofed. Spoofing Referer header without spoofing Origin header is not very useful. Bottom line, if referrer spoofing interferes with the proper functioning of a site, disable it for that site.

@mooglestiltzkin

It's shown here how to disable for youtube.com
https://github.com/gorhill/uMatrix/wiki/Per-scope-switches

But I don't know whether this also applies for other sites that embed youtube. Do we need to manually disable scope for those as well? Cause I run into a lot of forums like those :/

@gorhill
Owner

gorhill commented Nov 1, 2015

> I don't know whether this also applies for other sites that embed youtube

It always applies to the hostname in the URL of the web page.

@gorhill gorhill reopened this Nov 1, 2015
@gorhill
Owner

gorhill commented Nov 1, 2015

I will remove the spoofing of the Origin header for the time being, this is causing too many problems at this point, and having to disable spoofing wherever there is a Youtube video embedded results in less privacy overall. More thoughts and reading needed on how to best deal with the Origin header -- and if needed at all.

https://tools.ietf.org/id/draft-abarth-origin-03.html#rfc.section.7:

7. Privacy Considerations

This section is not normative.

The Origin header improves on the Referer header by respecting the user's privacy: The Origin header includes only the information required to identify the principal that initiated the request (typically the scheme, host, and port of initiating origin). In particular, the Origin header does not contain the path or query portions of the URI included in the Referer header that invade privacy without providing additional security.

The Origin header also improves on the Referer header by not leaking intranet host names to external web sites when a user follows a hyperlink from an intranet host to an external site because hyperlinks generate privacy-sensitive requests.

gorhill added a commit that referenced this issue Nov 1, 2015
@gorhill
Owner

gorhill commented Nov 1, 2015

Fixed with 8c6b94e.

@Drugoy

Drugoy commented Dec 28, 2015

Just wanted to leave some feedback: I feel like this was a sad decision to remove Origin header spoofing. Isn't there a way to fix the youtube's work without removing the spoofing?

@Atavic

Atavic commented Apr 28, 2017

No, google enforces it.

@Drugoy

Drugoy commented Apr 29, 2017

How?

@gorhill
Owner

gorhill commented Apr 29, 2017

Whoever disagrees with the decision, feel free to contribute a comprehensive solution.

@Atavic

Atavic commented Apr 29, 2017

@Drugoy Javascript. Another case is restricting embedded videos.

@Drugoy

Drugoy commented Apr 29, 2017

@Atavic Javascript can be blocked or get handled like in NoScript (it utilizes surrogates so that the script is working but doesn't report anything to anywhere).
