Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-57608

Youtube js being required on every page and causing problems

XMLWordPrintable

    • MOODLE_32_STABLE, MOODLE_33_STABLE
    • MOODLE_32_STABLE
    • wip-MDL-57608-master-3
    • Hide
      1. go to site administration > plugins > media players; Enable videojs, go to it's settings and enable youtube support
      2. inspect network tab for any page, make sure there are no requests to youtube
      3. insert youtube video on some page
      4. make sure it is displayed in videojs player and it works
      5. enable filter urltolink before mediaplugin filter
      6. send somebody a message with a link to youtube video
      7. make sure the video is displayed in messaging ui
      8. through messaging popup open a message to another user, then switch to the conversation with youtube video (to make sure that html for the message is loaded in ajax and was not present on the original page)
      9. make sure the video is displayed in messaging ui
      Show
      go to site administration > plugins > media players; Enable videojs, go to it's settings and enable youtube support inspect network tab for any page, make sure there are no requests to youtube insert youtube video on some page make sure it is displayed in videojs player and it works enable filter urltolink before mediaplugin filter send somebody a message with a link to youtube video make sure the video is displayed in messaging ui through messaging popup open a message to another user, then switch to the conversation with youtube video (to make sure that html for the message is loaded in ajax and was not present on the original page) make sure the video is displayed in messaging ui

      Since MDL-38158 the youtube api is being required on every page and this is causing problems (sometimes even breaking javascript) in environments where youtube is blocked (common in schools). See https://moodle.org/mod/forum/discuss.php?d=345073 and related threads

      Some observations:

      • I haven't yet managed to reproduce the breaking javascript version, but i've only tried blocking it at the network level (where it gets a 404) ideally Moodle would handle that. But perhaps the problem is occuring where network filters are returning some content and don't giving a proper errorcode
      • People concerned about privacy do not like these requests being sent to youtube in every case, I assumed that this wouldn't actually be a case because the assert would be cached, but in fact it is not cacheable

        curl -k -I https://www.youtube.com/iframe_api
        HTTP/1.1 200 OK
        X-Content-Type-Options: nosniff
        Expires: Tue, 27 Apr 1971 19:44:06 EST
        Cache-Control: no-cache
        Content-Type: application/javascript
        Content-Length: 0
        X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
        Date: Tue, 10 Jan 2017 07:34:41 GMT
        Server: YouTubeFrontEnd
        Alt-Svc: quic=":443"; ma=2592000; v="35,34"
        

        So that is a very real problem that google is able to track every single moodle page load through referrer header

      Some thoughts on a fix:

      • Not only is it bad for privacy to load this asset on every page, it is bad for Moodle performance, on many(/most) Moodle pages, needing that youtube iframe api should be unnecessary so we should't generate a request there. Can we load this on basic content matching and load on demand?
      • I've sort of thought the same about the whole videojs bundle, its heavy and we add it to our first.js, can't we lazy load it [1]

      [1] I know videojs isn't comparing to some of our other bulky assets, but I can see a near-term future where Moodle client side is slim and yui free for non-editing pages, I'm not sure I agree videojs is required frequent enough to be required in first.js

            marina Marina Glancy
            poltawski Dan Poltawski
            Dan Poltawski Dan Poltawski
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Ankit Agarwal Ankit Agarwal
            Votes:
            6 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.