Closed Masterjun3 closed 1 month ago
This is happening because, despite what Google's own documentation says, Cross-Origin-Embedder-Policy
does require buy-in from third-parties just like CORS before it, at least for <iframe/>
s.
The "intended" solution is for YouTube to set its header. Don't hold your breath.
There is a fix for Chrome—<iframe credentialless/>
or maybe <iframe allow="cross-origin-isolated"/>
—but to cover older Chrome and other browsers, we'll have to relax the COEP header to unsafe-none
, which is the most lax. It's also the default, but I think the header should be set explicitly.
All YouTube embeds show "Blocked Page".
In firefox, the request is cancelled with a "NS_ERROR_DOM_COEP_FAILED" error, which means
Example: