Disable cookies when using the YouTube IFrame Player API script with the youtube-nocookie.com domain

Question

How can you disable cookies set on youtube.com when using the YouTube IFrame Player API with privacy-enhanced mode videos played from the www.youtube-nocookie.com domain?

In the "Turn on privacy-enhanced mode" section in https://support.google.com/youtube/answer/171780?hl=en, it recommends using the www.youtube-nocookie.com domain to:

embed YouTube videos without using cookies that track viewing behavior.

This works well and doesn't set cookies as expected.

However, we use the IFrame Player API (with enablejsapi=1 on the embed params) which does set cookies. We see the following cookies set on the .youtube.com domain:

• YSC
• VISITOR_INFO1_LIVE

These get set as HTTP cookies from the Iframe Player API script at https://www.youtube.com/iframe_api (open a Chrome incognito window and view that script URL directly and inspect the cookies and you'll see the 2 above cookies set). I'm unsure what these cookies are exactly, but they look suspiciously like tracking cookies.

So, the fact that these are set before a user interacts with the video or takes any consenting action, means we can't use the IFrame Player API whilst still being GDPR compliant when it comes to the EU cookie directive.

So the question is, how can we use the IFrame Player API without it setting cookies?

Note: I've posted this with the tag youtube-iframe-api in the hope that Google with answer this as:

We support the YouTube IFrame API on Stack Overflow. Google engineers monitor and answer questions with the youtube-iframe-api tag.

(from https://developers.google.com/youtube/players/support)

Answer 1

I had a similar issue and decided to try using this script instead. However, so far, it doesn't seem clear from their docs how to achieve this without any cookies. Simply replacing https://www.youtube.com/iframe_api with https://www.youtube-nocookie.com/iframe_api results in a 404 error.

Based on this, I tried the below. This code creates a video player programatically and sets https://www.youtube-nocookie.com as the host. It does load the video and if you inspect it, you can see that no cookies get created initially; but if you start to play the video, https://www.youtube-nocookie.com sets a cookie called NID. In terms of setting cookies, this is the same result as loading a video via an iframe using www.youtube.com.

<div id="js-player"></div>
<script src="https://www.youtube.com/player_api"></script>

window.onYouTubePlayerAPIReady = function() {
  new YT.Player(document.getElementById("js-player"), {
    height: '315',
    width: '560',
    host: 'https://www.youtube-nocookie.com',
    videoId: 'M7lc1UVf-VE'
  })
};

https://jsfiddle.net/c9Lbksx6/

So it appears that no matter what you do, you will end up with at least 1 cookie when using the YouTube player API with JavaScript controls. Unfortunately, there doesn't seem to be an ideal solution to this at the moment.