[Drupal] Preventing cookies from embedded video

Hopkins-Lutz, Richard hopkins-lutz.1 at osu.edu
Fri Mar 19 10:57:21 EDT 2021 

Jason,

Yes, this would definitely deny cookies for purposes of the algorithm for that person, though back-end views and hits would still be registered I believe, since those are not tracked by cookie, but by server traffic. This could be somewhat significant given a high-traffic site, but I agree it's probably overall not something to worry about.

The reason for implementing this was to allow for embedded videos to display while maintaining GDPR compliance, without having to rely on the OneTrust JS to do its thing. This is because OneTrust has you move your actual iframe source URL into a 'data-src' tag and put a fallback message in for the 'src', making the default behavior the fallback message, then uses JS to "fix" the iframe. This means if you have a JS failure or (as in my case) your ad-blocker blocks OneTrust's JS from loading, then you cannot view the video at all, which is a sub-optimal experience, and effectively punishes people for using privacy software. It also meant that there was a brief moment of teh fallback displaying before the JS hit, which would also end up being the behavior when the banner would come up before they accepted cookies.

This was a solution that keeps us GDPR compliant, maintains visitor privacy, and still allows the videos to be shown.

[The Ohio State University]
Richard Hopkins-Lutz
Web Services Manager
College of Engineering Engineering Technology Services
hopkins-lutz.1 at osu.edu<mailto:hopkins-lutz.1 at osu.edu> osu.edu<http://osu.edu/>
He/Him/His/Mr.
________________________________
From: Little, Jason P. <little.129 at osu.edu>
Sent: Friday, March 19, 2021 10:47 AM
To: Hopkins-Lutz, Richard <hopkins-lutz.1 at osu.edu>; Drupal users list <drupal at lists.osu.edu>
Subject: Re: Preventing cookies from embedded video


Nice. This is cool.



One thought. If you do this, I believe it prevents the embedded videos from being used in personalization algorithms for the user on youtube.com.



So you’ll likely be giving the user more privacy at the expense of some small portion of your YouTube channel reach.



As third party cookies slowly get phased out by browsers, the point may become moot anyway. Also, I think it’s questionable how much of a boost in reach having these cookies on would deliver since subject is probably at least as important as channel in personalization and the university has a somewhat fragmented channel strategy to begin with.



Best,

Jason



From: Drupal <drupal-bounces at lists.osu.edu> on behalf of Hopkins-Lutz, Richard via Drupal <drupal at lists.osu.edu>
Date: Thursday, March 18, 2021 at 7:58 AM
To: drupal at lists.osu.edu <drupal at lists.osu.edu>
Subject: [Drupal] Preventing cookies from embedded video

Hey Drupal folks.



Working with Ken Phillips on GDPR/Privacy compliance, I crafted some code for Drupal 8 for preventing cookies from Youtube and Vimeo, and figured I would share it.



This is for Drupal 8, using its core oEmbed system, and should be universal if you use those:



use Drupal\media\IFrameMarkup;

use Drupal\media\OEmbed\Provider;



/**

 * Implements hook_oembed_resource_url_alter().

 */

function mymodule_oembed_resource_url_alter(array &$parsed_url, Provider $provider)

{

  // Add Do Not Track flag to Vimeo oEmbed requests

  if ($provider->getName() === 'Vimeo') {

    $parsed_url['query']['dnt'] = true;

  }

}



/**

 * Implements hook_preprocess_HOOK().

 */

function mymodule_preprocess_media_oembed_iframe(&$variables)

{

  // Pull iframe tag

  $iFrame = $variables['media']->__toString();

  // Switch domain to the youtube nocookie domain.

  if (stripos($iFrame, 'youtube.com') !== false){

    $newFrame = str_replace('youtube.com/', 'youtube-nocookie.com/', $iFrame);

    $variables['media'] = IFrameMarkup::create($newFrame);

  }

}

Hope this helps a few of you.



[The Ohio State University]
Richard Hopkins-Lutz
Web Services Manager
College of Engineering Engineering Technology Services
hopkins-lutz.1 at osu.edu<mailto:hopkins-lutz.1 at osu.edu> osu.edu<http://osu.edu/>
He/Him/His/Mr.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osu.edu/pipermail/drupal/attachments/20210319/378ed6ab/attachment-0001.html>

More information about the Drupal mailing list