YouTube embedded player causes CORS errors - no CORP header provided [240387105]

Duplicate

of 229013699

Bug

Status Update

No update yet.

Description

or...@gmail.com

created issue #1

Jul 27, 2022 02:25PM

Description

When the embedder document is served with Cross-Origin-Embedder-Policy: require-corp the embedded player is not rendered. The response to the https://www.youtube.com/embed/[Any video] does not contain Cross-Origin-Resource-Policy header and the youtube.com/embed address is clearly intended for cross-origin resource sharing.

API request with parameters used (DO NOT include your credential)

Any video can be used to reproduce the issue.

E.g. https://www.youtube.com/embed/KXjq9cpHrU4

Result (copy and paste a JSON response you received)

The response to the resource is blocked

A screenshot showing the error messages has been attached to the issue.

Expected result

The player does not cause any error.

Is it 100% reproducible?

Yes when the Cross-Origin-Embedder-Policy header of the embedder document is set to require-corp

youtube-corp.png

55 KB

View

Download

Comments

hu...@google.com <hu...@google.com> Jul 27, 2022 02:58PM

Assigned to el...@google.com.

el...@google.com <el...@google.com> #2Jul 27, 2022 03:10PM

Hi, we have forwarded this issue to our engineering team. I'll let you know when there's an update. Thank you.

el...@google.com <el...@google.com> Aug 5, 2022 08:50AM

Status: Duplicate of

229013699

al...@gmail.com <al...@gmail.com> #3Aug 5, 2022 02:38PM

Hello,

I think it's worth mentioning just in case that this is not exactly a duplicate. The linked issue is mentioning a CORS error which even resolved wouldn't necessarily resolve this particular issue.

Here it's the CORP header that is missing, and at the moment unless the header Cross-Origin-Resource-Policy: cross-origin is added to the YouTube embed links responses, solving issue 229013699 will not help with this one.

At the moment there is no way to embed YouTube in a crossOriginIsolated site ( using the header Cross-Origin-Embedder-Policy: require-corp )

Neither this issue nor the linked one gives a status / reasons for this while like mentioned above, youtube.com/embed and youtube-nocookie.com/embed seems clearly intended for cross-origin resource sharing.

Can we expect to see this CORP header added soon ? Or an alternative way to embded YouTube videos in crossOriginIsolated sites ? Thanks your time.

hu...@google.com <hu...@google.com> Aug 8, 2022 03:19PM

Status: Duplicate of

229013699

jo...@gmail.com <jo...@gmail.com> #4Sep 16, 2022 09:13AM

Seems <iframe anonymous> will also do the thing, we need to wait though.

"anonymous" attribute feature status

https://chromestatus.com/feature/5729461725036544
Feature is available in chrome 105 under flag ` --enable-blink-features=AnonymousIframe` and can be tested on

https://anonymous-iframe.glitch.me/ look for "Status = Enabled"

Running chrome with the flag + `<iframe src="

https://www.youtube...." anonymous></iframe>` does work

jo...@gmail.com <jo...@gmail.com> #5Sep 16, 2022 09:29AM

This does not seem like duplicate of the

https://issuetracker.google.com/issues/229013699 which is CORS related. This one is CORP / COEP related.

al...@gmail.com <al...@gmail.com> #6Nov 3, 2022 01:05AM

The "duplicate" has been marked as fixed. What does it implies for this one?

jo...@gmail.com <jo...@gmail.com> #7Nov 24, 2022 12:24PM

I can see cross-origin-resource-policy: cross-origin (CORP) available in youtube embed response, however using chrome 107 (latest), still blocks the iframe with COEP error:

To embed this frame in your document, the response needs to enable the cross-origin embedder policy by specifying the following response header:
Cross-Origin-Embedder-Policy: require-corp

jo...@gmail.com <jo...@gmail.com> #8Nov 24, 2022 12:28PM

So basically when the embedder has following policy:

Cross-Origin-Embedder-Policy "require-corp" # or "credentialless"

youtube iframe response requires both:

Cross-Origin-Resource-Policy "cross-origin"
Cross-Origin-Embedder-Policy "require-corp" # or "credentialless"

al...@gmail.com <al...@gmail.com> #9Jan 27, 2023 03:48AM

Hello, this still isn't solved while the "duplicate" is marked as solved.

I agree with the above comment on what header is required.

Is this issue still tracked?

da...@gmail.com <da...@gmail.com> #10Mar 22, 2023 02:42PM

Hello; also here to confirm that this is still an issue and it's not really a duplicate of the CORS issue which has been fixed. It looks like this could be fixed with the <iframe credentialless> feature, but that one is still not available in most browsers.

re...@gmail.com <re...@gmail.com> #11May 25, 2023 11:29AM

Any updates on this? As it stands, a web page cannot use sharedArrayBuffer if it embeds a YouTube video, or vice versa. There is indeed the <iframe credentialless> work around but it only works in chromium based browsers. AFAI, there is no workaround in Safari and Firefox.

fg...@gmail.com <fg...@gmail.com> #12Jul 12, 2023 05:26AM

I am publishing a web-based game and it requires sharedArrayBuffer. If I add a youtube video to the same website the video is not visible due to this issue.

Any update on this?

al...@ssdllc.biz <al...@ssdllc.biz> #13Sep 20, 2023 07:24PM

trying to run ffmpeg.wasm with sharedArrayBuffer to upload videos. and also watch youtube videos on same site. not possible...

yu...@gmail.com <yu...@gmail.com> #14Sep 25, 2023 02:49PM

I am putting the embeds in a separate route that is not cross origin isolated for the moment.

br...@signinsolutions.com <br...@signinsolutions.com> #15Jan 12, 2024 10:53PM

Voting this up. As others mentioned, I can confirm that the issue still persists. This is not a duplicate of

https://issuetracker.google.com/issues/229013699 as this one here is regarding a COEP error because the Youtube iframe does not specify `Cross-Origin-Embedder-Policy "require-corp"` in its header. Can we unmark this as duplicate el...@google.com??

Unfortunately, using a `credentialless` iframe is not an option since not all browsers support it yet.

https://issuetracker.google.com/issues/240387105#comment14 comment is a possible workaround but very convoluted just to being able to display a video.

da...@mentorcity.com <da...@mentorcity.com> #16Feb 2, 2024 03:58PM

The status is incorrect. This is not the same as the referenced bug. Looking for an update on this, please.

99...@gmail.com <99...@gmail.com> #17Apr 25, 2024 02:44PM

Duplicate status needs to be removed! How many years will it take for google to fix this?

Perhaps someone ought to create a new issue?

ri...@metadrop.net <ri...@metadrop.net> #18Jul 8, 2024 06:27PM

I've created a new issue, see

https://issuetracker.google.com/issues/351843802

Feel free to add any missing information.

pa...@nordsec.com <pa...@nordsec.com> #19Dec 16, 2024 03:25PM

Comment has been deleted.

Message last modified on Dec 16, 2024 03:26PM

pa...@gmail.com <pa...@gmail.com> #20Dec 16, 2024 03:28PM

as others mentioned already - it's NOT a duplicate of 229013699
google please fix the status and take a look into the issue as it still persists