Web: YouTube embeds broken #411
Comments
|
Potentially related error: {"hostName":"playground.wordpress.net","msg":"\u003Cspan jscontent="hostName">\u003C/span> is blocked"},"hideDetails":"Hide details","iconClass":"icon-generic","language":"en","suggestionsDetails":[],"suggestionsSummaryList":[],"summary":{"failedUrl":"https://playground.wordpress.net/scope:0.6838545064196246/wp-admin/admin.php?page=graphiql-ide","hostName":"playground.wordpress.net","msg":"\u003Cstrong jscontent="hostName">\u003C/strong> refused to connect."},"textdirection":"ltr","title":"playground.wordpress.net"} |
|
It's worth noting that adding credentialless to the embed iframe like However, let's think about it some more. Making a choice, like Maybe Playground doesn't need to provide the Chrome developer blog says:
That would work perfectly here. Here's what MDN says about the
|
These headers were introduced to enable embedding Playground on sites where CORP headers are set. However, choosing a header value like require-corp or credentialless has consequences for both sites trying to embed Playground, and the sites Playground wants to embed. In particular, it broke YouTube embeds (#411). Let's rollback these headers for now. Embedding Playground should still be possible on sites with CORP headers by using a credentialless iframe: [Chrome developer blog](https://developer.chrome.com/blog/iframe-credentialless/) says: > We're introducing <iframe credentialless> to help embed third-party iframes that don't set COEP Credentialless iframes generate ephemeral contexts for cookies and storage that are destroyed once the user navigates away from the top-level page. For the most part, it doesn't matter in Playground. In the future we might see a use-case for preserving the state of Playground embedded in a credentialless iframe. Let's revisit these headers if and when that happens,. Solves #411
These headers were introduced to enable embedding Playground on sites where CORP headers are set. However, choosing a header value like require-corp or credentialless has consequences for both sites trying to embed Playground, and the sites Playground wants to embed. In particular, it broke YouTube embeds (#411). Let's rollback these headers for now. Embedding Playground should still be possible on sites with CORP headers by using a credentialless iframe: [Chrome developer blog](https://developer.chrome.com/blog/iframe-credentialless/) says: > We're introducing <iframe credentialless> to help embed third-party iframes that don't set COEP Credentialless iframes generate ephemeral contexts for cookies and storage that are destroyed once the user navigates away from the top-level page. For the most part, it doesn't matter in Playground. In the future we might see a use-case for preserving the state of Playground embedded in a credentialless iframe. Let's revisit these headers if and when that happens,. Solves #411 Related to #586
|
Fixed in #695 |
The web version of Playground serves a
Cross-Origin-Embedder-Policy: credentiallessheader which conflicts withCross-Origin-Embedder-Policy: require-corpserved by YouTube. As a result, iframed videos don't load.The
credentiallessheader got added to support embedding in StackBlitz. However, that use-case didn't pick up much steam.Let's remove the
Cross-Origin-Embedder-Policyheader entirely for now, and if it's needed later, add it behind a Query API flag.The text was updated successfully, but these errors were encountered: