-
Notifications
You must be signed in to change notification settings - Fork 248
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web: YouTube embeds broken #411
Comments
Potentially related error: {"hostName":"playground.wordpress.net","msg":"\u003Cspan jscontent="hostName">\u003C/span> is blocked"},"hideDetails":"Hide details","iconClass":"icon-generic","language":"en","suggestionsDetails":[],"suggestionsSummaryList":[],"summary":{"failedUrl":"https://playground.wordpress.net/scope:0.6838545064196246/wp-admin/admin.php?page=graphiql-ide","hostName":"playground.wordpress.net","msg":"\u003Cstrong jscontent="hostName">\u003C/strong> refused to connect."},"textdirection":"ltr","title":"playground.wordpress.net"} |
It's worth noting that adding credentialless to the embed iframe like However, let's think about it some more. Making a choice, like Maybe Playground doesn't need to provide the Chrome developer blog says:
That would work perfectly here. Here's what MDN says about the
|
These headers were introduced to enable embedding Playground on sites where CORP headers are set. However, choosing a header value like require-corp or credentialless has consequences for both sites trying to embed Playground, and the sites Playground wants to embed. In particular, it broke YouTube embeds (#411). Let's rollback these headers for now. Embedding Playground should still be possible on sites with CORP headers by using a credentialless iframe: [Chrome developer blog](https://developer.chrome.com/blog/iframe-credentialless/) says: > We're introducing <iframe credentialless> to help embed third-party iframes that don't set COEP Credentialless iframes generate ephemeral contexts for cookies and storage that are destroyed once the user navigates away from the top-level page. For the most part, it doesn't matter in Playground. In the future we might see a use-case for preserving the state of Playground embedded in a credentialless iframe. Let's revisit these headers if and when that happens,. Solves #411
These headers were introduced to enable embedding Playground on sites where CORP headers are set. However, choosing a header value like require-corp or credentialless has consequences for both sites trying to embed Playground, and the sites Playground wants to embed. In particular, it broke YouTube embeds (#411). Let's rollback these headers for now. Embedding Playground should still be possible on sites with CORP headers by using a credentialless iframe: [Chrome developer blog](https://developer.chrome.com/blog/iframe-credentialless/) says: > We're introducing <iframe credentialless> to help embed third-party iframes that don't set COEP Credentialless iframes generate ephemeral contexts for cookies and storage that are destroyed once the user navigates away from the top-level page. For the most part, it doesn't matter in Playground. In the future we might see a use-case for preserving the state of Playground embedded in a credentialless iframe. Let's revisit these headers if and when that happens,. Solves #411 Related to #586
Fixed in #695 |
The web version of Playground serves a
Cross-Origin-Embedder-Policy: credentialless
header which conflicts withCross-Origin-Embedder-Policy: require-corp
served by YouTube. As a result, iframed videos don't load.The
credentialless
header got added to support embedding in StackBlitz. However, that use-case didn't pick up much steam.Let's remove the
Cross-Origin-Embedder-Policy
header entirely for now, and if it's needed later, add it behind a Query API flag.The text was updated successfully, but these errors were encountered: