From 46e4bc857935e1634ad7c3c8500faf21a00426cd Mon Sep 17 00:00:00 2001 From: ScreenTinker Date: Sun, 14 Jun 2026 20:12:57 -0500 Subject: [PATCH] =?UTF-8?q?fix(content):=20YouTube=20preview=20153=20?= =?UTF-8?q?=E2=80=94=20give=20the=20iframe=20a=20referrer=20(page=20is=20n?= =?UTF-8?q?o-referrer)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ROOT CAUSE (hard evidence this time, from the response headers): the app sends Referrer-Policy: no-referrer globally (helmet default). A raw YouTube iframe then reaches youtube.com with NO Referer, so YouTube can't identify the embedding site and shows "Video player configuration error" (153). Confirmed by the three facts: the same /embed URL plays in a top-level tab (no embed check), plays in the device player (YT.Player loads iframe_api and validates via an ORIGIN postMessage handshake, which doesn't need Referer), and fails only as a raw iframe on a no-referrer page. The player's page is ALSO no-referrer, proving it's the embed method that saves it, not the headers. Fix: add referrerpolicy="strict-origin-when-cross-origin" to the preview iframe — overrides the page's no-referrer for just this element so YouTube receives our origin and validates the embed. Scoped (only the YouTube embed sends a referrer; only the origin, not the path), no JS API machinery needed for a passive preview, page-level no-referrer untouched. Supersedes the earlier enablejsapi/origin strip, which was inert (those params do nothing in a raw iframe with no IFrame API). Frontend-only; suite 149 green. Co-Authored-By: Claude Opus 4.8 (1M context) --- frontend/js/views/content-library.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/js/views/content-library.js b/frontend/js/views/content-library.js index 2ae201f..1804c90 100644 --- a/frontend/js/views/content-library.js +++ b/frontend/js/views/content-library.js @@ -635,7 +635,7 @@ function showPreview(content) {
${isYoutube - ? `` + ? `` : isVideo ? `` : ``