Support Youtube's privacy enhanced mode

[olafgrabienski]

Youtube's Privacy Enhanced Mode allows to embed videos "without using cookies that track viewing behavior" (cf. Embed videos & playlists), using the domain youtube-nocookie.com.

The privacy enhanced mode helps to follow the General Data Protection Regulation of the EU. I suggest to add a privacy option in the Filter settings on admin/config/content/formats/MY-FORMAT and to adapt the codecs file accordingly.

[olafgrabienski]

As an example: the Backdrop Youtube module supports privacy enhanced mode. Here's a screenshot of the settings page:

[olafgrabienski]

I don't have the skills to suggest code for the Filter settings and a respective conditional in the codecs file. I was however able to 'enable' privacy enhanced mode changing video_filter.codecs.inc.

(a) Additional line in $codecs['youtube'] = array( ... 'regexp' => array(:

'/youtube-nocookie\.com\/embed\/([a-z0-9\-_]+)/i',

(b) Changed line in function video_filter_youtube_html5($video) {

old: $video['source'] = '//www.youtube.com/embed/' . $video['codec']['matches'][1] . '?' . implode('&', $attributes);:

new: $video['source'] = '//www.youtube-nocookie.com/embed/' . $video['codec']['matches'][1] . '?' . implode('&', $attributes);

[herbdool]

@olafgrabienski does the D7 version of this module support the privacy setting?

[olafgrabienski]

@herbdool No, so far not (checked version 7.x-3.4 on simplytest.me).

I've also had a look at the issue queue of the Drupal module and found the related issue Youtube: Support for youtube-nocookie.com domain which has a patch.

The patch seems to use a different approach without setting (embed nocookie domain if people paste that domain instead of the standard ones). A reasonable approach but I'd prefer a setting because it's quite complicated to copy the nocookie domain URL on Youtube. Also, a setting would be more consistent with the Backdrop Youtube field module.

[herbdool]

@olafgrabienski you can test https://github.com/backdrop-contrib/video_filter/pull/11

[herbdool]

@olafgrabienski easiest was to just embed the regular url. I didn't want people to expect that if they used the no-cookie domain that it would be embedded that way. It only sets it as no cookies if the filter setting is enabled.

[herbdool]

@olafgrabienski I figured something out. You can also paste nocookie domain and it'll display the private version even if the setting isn't enabled.

Plus I think I enabled it for Vimeo as well.

[olafgrabienski]

@herbdool Thanks a lot! I've tested #11, and it works really good:

When the privacy-enhanced mode is enabled in the Text format settings (default),

• Youtube videos use the youtube-nocookie.com domain
• Vimeo videos use the URL parameter dnt=1 (equivalent to Do not track browser setting)

When the privacy-enhanced mode is disabled, Youtube videos use however the youtube-nocookie.com domain if the editor provides the respective URL. Great!

(The latter isn't the case for Vimeo. With disabled privacy-enhanced mode, Vimeo doesn't seem to use the dnt paramater, even if provided by the editor.)

[herbdool]

Thanks @olafgrabienski. I've fixed Vimeo.

Do you think privacy setting should be enabled by default? Are there any drawbacks to the functionality of the videos?

If you know how any other service complies with GDPR can you send details and I can try to add them.

[olafgrabienski]

Do you think privacy setting should be enabled by default?

Hm, not sure. In my opinion, privacy be default is a good thing. Don't know of any drawbacks but I'm not an expert. Another thought: If privacy is enabled by default there is a good chance to be noticed of functionality drawbacks by people who use the module.

[olafgrabienski]

And thanks for fixing Vimeo. (I've no time to test it at the moment.)

I'm not aware of GDPR settings for the other services because I don't use them. When I find time, I can have a look at some of them.

[olafgrabienski]

@herbdool I've downloaded the 1.x-3.x branch and can confirm that Vimeo is fixed: With disabled privacy-enhanced mode but dnt parameter provided by the editor, Vimeo uses the dnt parameter.

(I think that the fix only worked after I and switched the privacy setting. It was disabled, then I've enabled and disabled it, and it worked.)

Given my confirmation, do you plan to make a new release, or do you prefer to wait for some reason?

[opi]

Thanks for pushing forward a privacy-by-default setting !

[herbdool]

I've created a release. Probably just forgot before.