mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-17 03:32:32 -06:00
46e4bc8579
ROOT CAUSE (hard evidence this time, from the response headers): the app sends Referrer-Policy: no-referrer globally (helmet default). A raw YouTube iframe then reaches youtube.com with NO Referer, so YouTube can't identify the embedding site and shows "Video player configuration error" (153). Confirmed by the three facts: the same /embed URL plays in a top-level tab (no embed check), plays in the device player (YT.Player loads iframe_api and validates via an ORIGIN postMessage handshake, which doesn't need Referer), and fails only as a raw iframe on a no-referrer page. The player's page is ALSO no-referrer, proving it's the embed method that saves it, not the headers. Fix: add referrerpolicy="strict-origin-when-cross-origin" to the preview iframe — overrides the page's no-referrer for just this element so YouTube receives our origin and validates the embed. Scoped (only the YouTube embed sends a referrer; only the origin, not the path), no JS API machinery needed for a passive preview, page-level no-referrer untouched. Supersedes the earlier enablejsapi/origin strip, which was inert (those params do nothing in a raw iframe with no IFrame API). Frontend-only; suite 149 green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| activity.js | ||
| admin-player-debug.js | ||
| admin.js | ||
| billing.js | ||
| content-library.js | ||
| dashboard.js | ||
| designer.js | ||
| device-detail.js | ||
| force-password-change.js | ||
| help.js | ||
| kiosk.js | ||
| layout-editor.js | ||
| login.js | ||
| no-workspace.js | ||
| onboarding.js | ||
| playlists.js | ||
| reports.js | ||
| schedule.js | ||
| settings.js | ||
| teams.js | ||
| video-wall.js | ||
| widgets.js | ||
| workspace-members.js | ||