Epic: Improve video embed behaviour

[stevejalim]

We support video embeds from Youtube and Vimeo right now, although no BB site is using them for the time being.

Vimeo uses only essential cookies and in theory we can use a no-cookie version of YouTube, but that will require custom work.

However, we should go further than that:

• We need to automatically swap to the youtube-nocookie.com when embedding a youtube.com URL - Create a no-cookie embed option for YouTube embeds #260
• When the page is rendered, for any third-party provider, it seems courteous to only load the embed after the user has expressly clicked to say they want to see it

If we want to extend support to other providers beyond YouTube and Vimeo, we will need to review how we can do that in a privacy-preserving way.

We could extend support to include:

• Facebook
• Instagram
• TikTok

However, we'll need to do this in a way that definitely doesn't conflict with our privacy policy. This'll need a bit of research and discussion. Hat-tip to @alexgibson for pointing this out.

Footnote: embeds from Meta companies now need an API key, which is another factor to weigh here.

[stevejalim]

@alexgibson Is there anything you'd like to add to this so far?

[alexgibson]

@alexgibson Is there anything you'd like to add to this so far?

Only that we should use caution when adding third party embeds, and consult with legal first if we have questions. These iframes can often come loaded with cookies which need to adhere to our privacy policy, and they are also potential third party trackers (e.g. person logged in to social media site X loads one of our pages that contains an embed from X, which tells X that the person has visited our site).

In bedrock we currently only really use YouTube embeds, but we load these using their www.youtube-nocookie.com domain, and also only initiate loading third parts assets after a visitor has expressed an action to indicate they want to watch a video.