YoshiRulz
commented
1 month ago This is happening because, despite what Google's own documentation says, Cross-Origin-Embedder-Policy does require buy-in from third-parties just like CORS before it, at least for <iframe/>s.
The "intended" solution is for YouTube to set its header. Don't hold your breath.
There is a fix for Chrome—<iframe credentialless/> or maybe <iframe allow="cross-origin-isolated"/>—but to cover older Chrome and other browsers, we'll have to relax the COEP header to unsafe-none, which is the most lax. It's also the default, but I think the header should be set explicitly.
All YouTube embeds show "Blocked Page".
In firefox, the request is cancelled with a "NS_ERROR_DOM_COEP_FAILED" error, which means
Example: