Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Website] The "invidious (dot) snopyta (dot) org" embeds are broken (Error 403 - Forbidden) and are causing "suspicious" behavior. #1177

Open
WinkelCode opened this issue Feb 28, 2022 · 8 comments

Comments

@WinkelCode
Copy link

WinkelCode commented Feb 28, 2022

image

Relevant lines of code:
https://github.com/AppImage/AppImageKit/blob/website/index.jinja2#L336
https://github.com/AppImage/AppImageKit/blob/website/index.jinja2#L359

I tested it on my own machine and just in case using browserling.com and I think it's safe to assume the links are broken for everyone. Edit: Here is the urlscan.io result: https://urlscan.io/result/d674c5d9-c11c-4cbd-89b2-b682e367f81d/#transactions

The biggest issue is that on mobile (or at least on my iPad using Safari), the website immediately upon visiting, is prompting the user to download the two embeds as files, which seems incredibly suspicious.

I would suggest either replacing the embeds with something else, or at least removing them entirely for now.

Here are the "real" YouTube links:
https://www.youtube.com/watch?v=mVVP77jC8Fc
https://www.youtube.com/watch?v=nzZ6Ikc7juw

@probonopd
Copy link
Member

https://invidious.snopyta.org/embed/mVVP77jC8Fc and https://invidious.snopyta.org/embed/nzZ6Ikc7juw seem to play fine for me.

Maybe there was an intermittent issue?

@WinkelCode
Copy link
Author

WinkelCode commented Mar 1, 2022

The links, when visited directly, do seem to work, but the embeds are what's broken. Here is a urlscan result from just now: https://urlscan.io/result/b3d59b45-adab-44e5-bf7e-93626ea06bce/#transactions (The two embeds still have the error 403)

image

This matches what I am seeing on my side, embeds not loading, 403 errors and the problem with it trying to download the embeds as files on iOS.

@TheAssassin
Copy link
Member

The embeds work fine on three devices I used to quickly test them. Perhaps there's some geoblocking ongoing? I'm not sure...

@TropicSapling
Copy link

Went on the site today and I’m having the same issue with it prompting me to download files when I’m on my iPhone with Safari. When on my computer I don’t get any such prompts, but as described in this issue the embeds don’t work and I get 403 errors. Just wanted to confirm that this is still an issue that also affects others.

(I’m visiting the website from Sweden btw if that were to be related)

@probonopd
Copy link
Member

Apparently that snopyta thing is limiting traffic. I think we should just go back to using YouTube for now, maybe using:

https://www.youtube-nocookie.com/embed/nzZ6Ikc7juw
https://www.youtube-nocookie.com/embed/mVVP77jC8Fc

@TheAssassin wdyt?

@TheAssassin
Copy link
Member

that snopyta thing is limiting traffic

It's not a "snopyta thing". This is just a public and very stable instance of Invidious.

Within the EU legislation, all these embeds would require consent from the user, since in any case, data is transferred to the provider. Using a significantly more privacy friendly alternative instead of YouTube is not a replacement for this legal challenge (which should be solved). But at least it is significantly better than embedding those YouTube links, and I'm sure people won't file complaints as easily as with direct YouTube embeds.

You might just pick another instance (https://docs.invidious.io/instances/) or use an alternative project like Piped. Alternatively, you really need to implement some kind of consent mechanism. A self-hosted Embetty instance might work for this purpose.

For the record, if JavaScript is not available, all the embeds should be disabled (something Embetty can do in combination with a <noscript> tag to inform the user).

@TheAssassin
Copy link
Member

By the way, I've never seen any of these embeds fail, and I use a variety of hardened browsers on a variety of devices. Invidious instances occasionally fail (I'm sure the uptime is well above 99% for most of them, though). The embeds work fine for me (accessing from Germany using various browsers including Chromium, Firefox, Tor Browser):

screenshot_2022-06-21_01-28-46

I can only speculate about the reasons the embed doesn't work for some users. I don't think that the instance we use blocks users from certain countries, but then again, I cannot tell for sure either. If you want to go back to using YouTube directly (which I clearly am not a fan of, but then again, I use Privacy Redirect, and I can recommend this to everyone else...), though, you really have to set up a consent-first system then.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants