Parent controls compliance is broken by YouTube links on makecode.microbit site in WebView

[jackr1w]

When installing this on phones of kids under 13, they receive a fully functional non-logged-in YouTube window with search option and everything, bypassing all their parental controls, by opening any YouTube link from makecode.microbit.org homepage - any of the video tutorials.

To Reproduce

1. Open the app, select "Create Code". MakeCode window opens.
2. Open any tutorial with video, click on a video link.
3. Observe YouTube running inside WebView, non-logged-in, with "search" icon that allows looking for anything, and check the credentials - YouTube presents a "Log In" prompt, meaning that it's running without credentials (expected in WebView).
4. On Google Family Link, observe micro:bit as the only running app, so all the YouTube will be accounted on it, and if it's not limited - it would mean unlimited YouTube for the kid.

Expected behavior

• I would expect my kid to know self-control, but looks like it's an unreasonable expectation from 9-year-old that is smart enough to learn to program. So for another 3-4 years, I guess external controls would have to do. There can be a few technical solutions:
• Easiest and quickest - in WebView, recognize the clicked links to YouTube and forward them externally with corresponding intent, so they are received by YouTube and subject to the relevant parent controls.
• More complex - instead of allowing YouTube video/playlist links to work directly in WebView, wrap them with IFrame Player API layer (and probably open in a different WebView), to prevent YouTube interface from being accessible directly. This might still have an issue of "suggested videos" showing at the end, so you would need one of the following solutions to either limit them to the same channel or disable them by stopping the video: @ https://stackoverflow.com/questions/13418028/youtube-javascript-api-disable-related-videos
• More complex - adding a parenting control, protected with something that guarantees adult access, to control the behavior between embedded and forwarded YouTube, and default to forwarded.

Screenshots/Recordings

• No need, I believe, the reproduction explanation should be very clear

micro:bit version

• Not hardware related

Device

• Not applicable, same behavior on all devices

Additional context I'll try to implement the simplest - detecting the YouTube links and sending them out to YouTube app by intents - myself, just not sure I would be able to submit it as my dev env is not too functional.

[jackr1w]

Simplest solution (might have corner cases, didn't run into them yet, though YouTube on my dev phone is opened without controls - might be a side effect of whatever, since I've tried it from anywhere else in the app and the result was the same, will test it on my son's phone later and see):

[martinwork]

Thanks @jackr1w. I have flagged this up for the Android app team.

[microbit-matt-hillsdon]

@jackr1w, please can you try this again after updating in the Play Store and let us know whether this now works for you in the latest release? We use essentially your approach for all URLs that don't belong in our Web View.

[jackr1w]

Sorry for the delay. Thank you very much, finally got to check the new version, works as expected. I'll update it on my son's phone now, replacing my custom compiled branch with the official release. Thanks again!

On Thu, Aug 29, 2024, 16:24 Matt Hillsdon @.***> wrote:

@jackr1w https://github.com/jackr1w, please can you try this again after updating in the Play Store and let us know whether this now works for you in the latest release? We use essentially your approach for all URLs that don't belong in our Web View.

— Reply to this email directly, view it on GitHub https://github.com/microbit-foundation/microbit-android/issues/71#issuecomment-2317651121, or unsubscribe https://github.com/notifications/unsubscribe-auth/AO5WAPFUHN2SL7QRCCFQLPLZT4OJJAVCNFSM6AAAAABJMMGQTKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMJXGY2TCMJSGE . You are receiving this because you were mentioned.Message ID: @.***>