NUKnightLab / StoryMapJS

Maps that tell stories.
https://storymap.knightlab.com/
Other
183 stars 50 forks source link

Feature Policy warnings for YouTube embeds #454

Closed scott2b closed 3 years ago

scott2b commented 3 years ago

YouTube embeds (possibly others?) trigger a large number of "Feature Policy" warnings that seem to stem from the feature allow list set on the video iframe embed.

Feature policies are tweakable via the Feature-Policy response header.

The iframe itself comes from the YouTube iframe embed API, which sets a number of "allows" including, among others: autoplay, accelerometer, clipboard-write.

Because we are not setting the Feature-Policy header on CDN content, there is then a resulting discontinuity between what the YouTube API is allowing and what the page response headers are allowing, resulting in these warnings. Since the warnings result in the browser erring on the side of safety, they are not especially problematic, but are indicative of potential features that might be unlocked. In particular, we may want to support autoplay -- it is not clear if any of the other features might be useful.

At this time, the YouTube iframe embed API does not seem to support tweaking the allow list. Thus, the fix to this would be either to allow all of these features via the Feature-Policy header, or to generate our own iframe code without the API.
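The two fixes proposed in the comment above, sketched as an added example that is not part of the original issue or of the StoryMapJS code base. The function names, the reviewed-feature list (taken from the three features the issue names) and the 11-character video id pattern are assumptions.

```javascript
// Added example; every name here is hypothetical, not StoryMapJS code.
// Features the issue names as set by the YouTube embed API ("among others").
const REVIEWED_FEATURES = ["autoplay", "accelerometer", "clipboard-write"];
const YOUTUBE_ORIGIN = "https://www.youtube.com";
// Assumption: video ids are 11 URL-safe characters. Rejecting anything else
// also keeps quotes and angle brackets out of the generated markup.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Deduplicate the requested features and refuse any that were never reviewed.
function checkFeatures(granted) {
  const unique = [...new Set(granted)];
  const unknown = unique.filter((f) => !REVIEWED_FEATURES.includes(f));
  if (unknown.length > 0) {
    throw new Error("unreviewed feature(s): " + unknown.join(", "));
  }
  return unique;
}

// Fix 1: a Feature-Policy header value. Granted features are delegated to the
// page itself and to the embed origin; every other reviewed feature is
// switched off explicitly with 'none'.
function featurePolicyHeader(granted) {
  const allowed = checkFeatures(granted);
  return REVIEWED_FEATURES
    .map((f) => (allowed.includes(f) ? `${f} 'self' ${YOUTUBE_ORIGIN}` : `${f} 'none'`))
    .join("; ");
}

// Fix 2: our own iframe markup, with an allow list we control instead of the
// one the embed API sets.
function youtubeIframe(videoId, granted) {
  if (!VIDEO_ID.test(videoId)) {
    throw new Error("invalid video id");
  }
  const allow = checkFeatures(granted).join("; ");
  return `<iframe src="${YOUTUBE_ORIGIN}/embed/${videoId}" allow="${allow}" allowfullscreen></iframe>`;
}

// Constructed sample id, not a real video.
console.log(featurePolicyHeader(["autoplay"]));
console.log(youtubeIframe("AAAAAAAAAAA", ["autoplay"]));
```

Browsers that have moved to the Permissions-Policy header use a different value syntax; this block emits the Feature-Policy form the issue refers to.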

scott2b commented 3 years ago

Accidental duplicate submit of #453