Privacy Enhanced and Safer iframes in ARVE 10.0

Inspired by this post, ARVE now features privacy- and security-enhanced iframes, completely for free. To make this clear from the start: this does not make visitors private to video hosts, but it certainly makes tracking and data collection harder for them. Your IP address and other browser information will still be sent.

I am only showing the parts that enhance privacy and security here, not everything ARVE does for you. Feel free to inspect the HTML source with ARVE active, or the actual source of the plugin.

<iframe 
  credentialless
  referrerpolicy="no-referrer"
  sandbox="allow-scripts allow-same-origin ..."
  allow="accelerometer 'none'; ambient-light-sensor 'none'; ..."
  src="https://www.youtube-nocookie.com/embed/1234"
  ...
></iframe>
  • credentialless (MDN) loads videos in a blank disposable context, without access to the origin’s network, cookies, and storage data. Browser autofill or password manager functionality is unavailable.
  • referrerpolicy="no-referrer" prevents the Referer header from being sent. Websites use it to know where visitors are coming from. In this iframe context, it would reveal the site (your site) that the iframe is embedded on.
  • sandbox has been used in ARVE for a very long time already. It can be used to deny things like forms, storage access (and thus third-party cookies), and top-navigation. ARVE customizes this based on various factors and settings. For example, Vimeo has a feature that password-protects videos, and it asks for the password with a form, so forms are enabled for Vimeo and otherwise denied, along with most other things.
  • allow: ARVE denies almost everything here, sets autoplay based on settings, etc. This comes in handy if a video host tries to force autoplay: denying autoplay this way prevents it at the browser level. Lots of these settings are not implemented in browsers yet. web-share, clipboard-write, and picture-in-picture seem reasonable to allow, so ARVE allows them.
  • The use of www.youtube-nocookie.com has been an option in ARVE for a long time. In modern browsers that support sandbox, it may be almost obsolete, as cookies and other things can now be prevented at the browser level. This means we do not have to rely on the goodwill of a video host to provide an option like this and to actually do what they say they do, because browsers can now deny things client-side. There is still a use case with encrypted media: that ARVE setting has to remove the sandbox, as encrypted media does not seem to work with it. YouTube is generally not encrypted, but their default embed code specifically allows it, so it is probably used for videos behind a paywall.

Overall, this enhances privacy and security. A not very trustworthy video host that tries to use all kinds of harmful techniques will be stopped in its tracks when embedded this way.
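To check which of the attributes listed above an embed on your own page actually carries, here is a small audit script. It is an added example, not ARVE's code; the function names, the set of sandbox tokens it flags (picked from the forms, storage access and top-navigation items mentioned above), and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Sandbox tokens matching what the post says sandbox can deny (assumed selection).
RISKY_SANDBOX = {"allow-forms", "allow-top-navigation",
                 "allow-storage-access-by-user-activation"}

def parse_allow(value):
    """Split an allow="" string into {feature: allowlist}; a bare feature means 'src'."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = " ".join(parts[1:]) or "'src'"
    return policy

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.reports = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # boolean attributes such as credentialless map to None
        findings = []
        if "credentialless" not in a:
            findings.append("missing credentialless")
        if (a.get("referrerpolicy") or "").lower() != "no-referrer":
            findings.append("referrerpolicy is not no-referrer")
        if "sandbox" not in a:
            findings.append("missing sandbox")
        else:
            tokens = set((a["sandbox"] or "").lower().split())
            findings += [f"sandbox grants {t}" for t in sorted(tokens & RISKY_SANDBOX)]
        # Any feature whose allowlist is not 'none' is granted to the embedded frame.
        granted = sorted(f for f, v in parse_allow(a.get("allow") or "").items()
                         if v != "'none'")
        self.reports.append({"src": a.get("src"), "findings": findings, "granted": granted})

def audit_iframes(html):
    parser = IframeAudit()
    parser.feed(html)
    return parser.reports

# Constructed sample markup: one hardened embed and one plain embed.
SAMPLE = """
<iframe credentialless referrerpolicy="no-referrer" sandbox="allow-scripts allow-same-origin"
  allow="accelerometer 'none'; autoplay 'none'; picture-in-picture" src="https://video.example/embed/a"></iframe>
<iframe sandbox="allow-scripts allow-forms" allow="autoplay; camera *" src="https://video.example/embed/b"></iframe>
"""
```

Calling audit_iframes(SAMPLE) returns one report per iframe: the first has no findings and only picture-in-picture granted, the second is flagged for the missing attributes, the forms token, and the autoplay and camera grants.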

Something I have never written about: ARVE purposefully downgrades Facebook embeds to an iframe embed that Facebook calls deprecated but that still works, to avoid the need to inject Facebook’s JavaScript into your page. ARVE exclusively works with iframes and never uses JavaScript from video hosts for embedding. So all of the above is also applied to Facebook videos. (ARVE Pro uses the iframe API JavaScript from YouTube and Vimeo for detecting when a video ends and for pausing other videos when a new one is played.)

If you wish to customize this further and do not like the opinionated defaults in ARVE now, please let me know. I am unsure at this point whether there would be any benefit to allowing sensors like the accelerometer. YouTube’s default embed code includes it, but I do not know what YouTube uses it for.
