Privacy issue: Username exposed to embedded content
When YouTube videos or other third-party content are embedded into GNUSocial, the browser usually sends a
Referer header containing the URL of the GNUSocial page to YouTube or whichever site is being embedded. Normally this would not be particularly bad, but here it is, because the GNUSocial URL includes the username of the user accessing the content.
As a result, YouTube can link every video watched from a GNUSocial instance to the username of the GNUSocial user who watched it. Users do not expect this, and it endangers their privacy.
DuckDuckGo, for example, noticed the same problem and for that reason warns the user before playing YouTube videos on the search results page. There the user can decide whether to play the video in the embedded version or open it in a new tab. The choice is saved, so the user only has to decide once.
So here is what you might do:
- Similar to DuckDuckGo, you could add a setting and a warning that lets users choose whether to use embedded content or to view it in a new tab
- You could use Referrer Policy (as an HTML meta tag or as an HTTP header; the latter is not yet supported by all browsers) to block all referrers. For better compatibility you could additionally set the CSP referrer directive
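To make the referrer options concrete, here is an added Python example (not code from GNUSocial or from this report) that models what the browser puts in the Referer header for each Referrer Policy value, checks whether a username in the page URL would reach the embedded site, and prints the meta tag, HTTP header and legacy CSP directive that would enforce a chosen policy. The page URL, username and embed URL are constructed sample values; the policy semantics follow the W3C Referrer Policy specification (full referrers have the fragment and credentials stripped, origin-only referrers are the serialized origin plus "/").

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: a notice page whose path carries the username,
# and a cross-origin video embed loaded from that page.
PAGE_URL = "https://social.example.org/alice/notice/12345?x=1#comments"
USERNAME = "alice"
EMBED_URL = "https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin(url):
    """Serialized origin of a URL: scheme://host[:port] (no path)."""
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{p.scheme}://{host}" + (f":{p.port}" if p.port else "")


def full_referrer(url):
    """Full referrer per spec: credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    host = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_for(policy, page_url, request_url):
    """Value the browser sends as Referer for a request from page_url, or None."""
    same_origin = origin(page_url) == origin(request_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")
    origin_only = origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(page_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(page_url)
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "same-origin":
        return full_referrer(page_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return full_referrer(page_url) if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_referrer(page_url) if same_origin else origin_only
    raise ValueError(f"unknown referrer policy: {policy}")


def leaks_username(policy, page_url, request_url, username):
    """True if the username embedded in the page URL reaches the third-party site."""
    ref = referer_for(policy, page_url, request_url)
    return ref is not None and username in ref


def enforcement_snippets(policy):
    """The three ways the report mentions to apply a policy site-wide."""
    return {
        "meta": f'<meta name="referrer" content="{policy}">',
        "header": f"Referrer-Policy: {policy}",
        # Legacy CSP directive; it was dropped from CSP Level 3, so treat it as
        # a compatibility fallback only, never as the sole control.
        "csp": f"Content-Security-Policy: referrer {policy}",
    }


if __name__ == "__main__":
    for pol in POLICIES:
        ref = referer_for(pol, PAGE_URL, EMBED_URL)
        leak = "LEAKS username" if leaks_username(pol, PAGE_URL, EMBED_URL, USERNAME) else "ok"
        print(f"{pol:32} -> {ref!s:50} {leak}")
    print()
    for kind, snippet in enforcement_snippets("no-referrer").items():
        print(f"{kind:7}: {snippet}")
```

Running it shows that the browser's historical default (`no-referrer-when-downgrade`) and `unsafe-url` send the full notice URL, including the username, to the embed host, while `no-referrer`, `same-origin`, `origin`, `strict-origin` and the two `*-when-cross-origin` variants do not. Blocking all referrers with `no-referrer` is the safest choice for the problem described above; `strict-origin-when-cross-origin` still reveals which instance the viewer came from, but not who they are.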
I also discussed this issue on GNUSocial.