AppImage / AppImageKit

Package desktop applications as AppImages that run on common Linux-based operating systems, such as RHEL, CentOS, openSUSE, SLED, Ubuntu, Fedora, debian and derivatives. Join #AppImage on irc.libera.chat
http://appimage.org

[Website] The "invidious (dot) snopyta (dot) org" embeds are broken (Error 403 - Forbidden) and are causing "suspicious" behavior. #1177

Open WinkelCode opened 2 years ago

WinkelCode commented 2 years ago

Relevant lines of code: https://github.com/AppImage/AppImageKit/blob/website/index.jinja2#L336 https://github.com/AppImage/AppImageKit/blob/website/index.jinja2#L359

I tested it on my own machine and just in case using browserling.com and I think it's safe to assume the links are broken for everyone. Edit: Here is the urlscan.io result: https://urlscan.io/result/d674c5d9-c11c-4cbd-89b2-b682e367f81d/#transactions

The biggest issue is that on mobile (or at least on my iPad using Safari), the website, immediately upon visiting, is prompting the user to download the two embeds as files, which seems incredibly suspicious.

I would suggest either replacing the embeds with something else, or at least removing them entirely for now.

Here are the "real" YouTube links: https://www.youtube.com/watch?v=mVVP77jC8Fc https://www.youtube.com/watch?v=nzZ6Ikc7juw

probonopd commented 2 years ago

https://invidious.snopyta.org/embed/mVVP77jC8Fc and https://invidious.snopyta.org/embed/nzZ6Ikc7juw seem to play fine for me.

Maybe there was an intermittent issue?

WinkelCode commented 2 years ago

The links, when visited directly, do seem to work, but the embeds are what's broken. Here is a urlscan result from just now: https://urlscan.io/result/b3d59b45-adab-44e5-bf7e-93626ea06bce/#transactions (The two embeds still have the error 403)

This matches what I am seeing on my side, embeds not loading, 403 errors and the problem with it trying to download the embeds as files on iOS.

TheAssassin commented 2 years ago

The embeds work fine on three devices I used to quickly test them. Perhaps there's some geoblocking ongoing? I'm not sure...

WinkelCode commented 2 years ago

US: https://urlscan.io/result/d674c5d9-c11c-4cbd-89b2-b682e367f81d/#transactions

Japan: https://urlscan.io/result/d674c5d9-c11c-4cbd-89b2-b682e367f81d/#transactions

UK: https://urlscan.io/result/1c0282a0-f290-460d-a99c-41c8ab6bf0b4/#transactions

Germany: https://urlscan.io/result/b3d59b45-adab-44e5-bf7e-93626ea06bce/#transactions

Spain: https://urlscan.io/result/aff06caf-0c51-4c8e-ab92-a7d8fe154e2a/#transactions

All show the embeds failing with error 403.

Furthermore, https://www.browserling.com/browse/win/7/chrome/92/https%3A%2F%2Fappimage.org : [image]

Definitely looks more like a "geo-whitelist" if it works for anyone.

TropicSapling commented 2 years ago

Went on the site today and I’m having the same issue with it prompting me to download files when I’m on my iPhone with Safari. When on my computer I don’t get any such prompts, but as described in this issue the embeds don’t work and I get 403 errors. Just wanted to confirm that this is still an issue that also affects others.

(I’m visiting the website from Sweden btw if that were to be related)

probonopd commented 2 years ago

Apparently that snopyta thing is limiting traffic. I think we should just go back to using YouTube for now, maybe using:

https://www.youtube-nocookie.com/embed/nzZ6Ikc7juw https://www.youtube-nocookie.com/embed/mVVP77jC8Fc

@TheAssassin wdyt?

TheAssassin commented 2 years ago

> that snopyta thing is limiting traffic

It's not a "snopyta thing". This is just a public and very stable instance of Invidious.

Within the EU legislation, all these embeds would require consent from the user, since in any case, data is transferred to the provider. Using a significantly more privacy friendly alternative instead of YouTube is not a replacement for this legal challenge (which should be solved). But at least it is significantly better than embedding those YouTube links, and I'm sure people won't file complaints as easily as with direct YouTube embeds.

You might just pick another instance (https://docs.invidious.io/instances/) or use an alternative project like Piped. Alternatively, you really need to implement some kind of consent mechanism. A self-hosted Embetty instance might work for this purpose.

For the record, if JavaScript is not available, all the embeds should be disabled (something Embetty can do in combination with a <noscript> tag to inform the user).

TheAssassin commented 2 years ago

By the way, I've never seen any of these embeds fail, and I use a variety of hardened browsers on a variety of devices. Invidious instances occasionally fail (I'm sure the uptime is well above 99% for most of them, though). The embeds work fine for me (accessing from Germany using various browsers including Chromium, Firefox, Tor Browser):

[screenshot: screenshot_2022-06-21_01-28-46]

I can only speculate about the reasons the embed doesn't work for some users. I don't think that the instance we use blocks users from certain countries, but then again, I cannot tell for sure either. If you want to go back to using YouTube directly (which I clearly am not a fan of, but then again, I use Privacy Redirect, and I can recommend this to everyone else...), though, you really have to set up a consent-first system then.
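
The consent-first embed that TheAssassin's comments call for (no request to the video host until the visitor clicks, and a `<noscript>` notice when JavaScript is unavailable), as an added example; it is not code from the AppImage website or from Embetty. The function names, the `video-consent` class and the 11-character video ID pattern are assumptions; the hosts and video IDs are the ones quoted in the thread.

```javascript
// Added example: consent-first ("click to load") video embeds.
// Hosts and video IDs are those quoted in the thread; all names are hypothetical.
const ALLOWED_HOSTS = new Set(["www.youtube-nocookie.com", "invidious.snopyta.org"]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumption: 11-character IDs as in the thread

// Build an embed URL only from an allowlisted host and a well-formed ID, so
// no unvalidated value can reach the markup or the iframe src.
function embedUrl(host, videoId) {
  if (!ALLOWED_HOSTS.has(host)) throw new Error("host not allowlisted: " + host);
  if (!VIDEO_ID.test(videoId)) throw new Error("malformed video id");
  return "https://" + host + "/embed/" + videoId;
}

// Static markup shipped with the page. It contains no iframe, so no request
// goes to the video host on page load; <noscript> covers JS-less visitors.
function placeholderHtml(host, videoId) {
  const url = embedUrl(host, videoId); // throws on bad input
  return `<div class="video-consent" data-host="${host}" data-video="${videoId}">` +
    `<button type="button">Load video from ${host}</button>` +
    `<noscript>Embedded video is disabled without JavaScript. ` +
    `<a href="${url}" rel="noopener noreferrer">Open it on ${host}</a>.</noscript></div>`;
}

// Attributes for the iframe that is created only after the visitor clicks.
function iframeAttributes(host, videoId) {
  return {
    src: embedUrl(host, videoId),
    sandbox: "allow-scripts allow-same-origin allow-presentation",
    referrerpolicy: "no-referrer",
    allowfullscreen: "",
  };
}

// Browser-only wiring: swap each placeholder for its iframe on first click.
function wireConsent(doc) {
  for (const box of doc.querySelectorAll(".video-consent")) {
    box.querySelector("button").addEventListener("click", () => {
      const frame = doc.createElement("iframe");
      const attrs = iframeAttributes(box.dataset.host, box.dataset.video);
      for (const [name, value] of Object.entries(attrs)) frame.setAttribute(name, value);
      box.replaceChildren(frame);
    }, { once: true });
  }
}
if (typeof document !== "undefined") wireConsent(document);
```

Because the page ships only the placeholder, a failing or rate-limited embed host can no longer trigger anything on page load, including the unexpected download prompt reported on iOS Safari.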