-
Bug
-
Resolution: Fixed
-
Major
-
3.2, 3.3
-
MOODLE_32_STABLE, MOODLE_33_STABLE
-
MOODLE_32_STABLE
-
wip-
MDL-57608-master-3 -
Since MDL-38158 the youtube api is being required on every page and this is causing problems (sometimes even breaking javascript) in environments where youtube is blocked (common in schools). See https://moodle.org/mod/forum/discuss.php?d=345073 and related threads
Some observations:
- I haven't yet managed to reproduce the breaking javascript version, but i've only tried blocking it at the network level (where it gets a 404) ideally Moodle would handle that. But perhaps the problem is occuring where network filters are returning some content and don't giving a proper errorcode
- People concerned about privacy do not like these requests being sent to youtube in every case, I assumed that this wouldn't actually be a case because the assert would be cached, but in fact it is not cacheable
curl -k -I https://www.youtube.com/iframe_api
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: application/javascript
Content-Length: 0
X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
Date: Tue, 10 Jan 2017 07:34:41 GMT
Server: YouTubeFrontEnd
Alt-Svc: quic=":443"; ma=2592000; v="35,34"
So that is a very real problem that google is able to track every single moodle page load through referrer header
Some thoughts on a fix:
- Not only is it bad for privacy to load this asset on every page, it is bad for Moodle performance, on many(/most) Moodle pages, needing that youtube iframe api should be unnecessary so we should't generate a request there. Can we load this on basic content matching and load on demand?
- I've sort of thought the same about the whole videojs bundle, its heavy and we add it to our first.js, can't we lazy load it [1]
[1] I know videojs isn't comparing to some of our other bulky assets, but I can see a near-term future where Moodle client side is slim and yui free for non-editing pages, I'm not sure I agree videojs is required frequent enough to be required in first.js
- has been marked as being related by
-
MDL-57316 If filter_mediaplugins is disabled, video.js is not working in resources
- Closed
- is a regression caused by
-
MDL-57101 Embeded youtube videos do not work correctly in ajax messaging interface
- Closed
- Testing discovered
-
MDL-57683 Failed to execute ‘postMessage’ on ‘DOMWindow’ (harmless error) on messaging
- Closed