YouTube Content Security Policy

I couldn’t find the Content Security Policy (CSP) requirements for YouTube videos posted anywhere so threw together my own after some trial and error.

The below requirements are for the cookieless embed version of YouTube hosted on www.youtube-nocookie.com. This version can be accessed by choosing the Enable privacy-enhanced mode when viewing the embed menu.

Required policies:

  1. frame-src: www.youtube-nocookie.com
  2. img-src: i.ytimg.com

frame-src is used to embed the actual video and the img-src is used for images that are loaded when the video is paused displaying other recommended videos.

Photo by Szabo Viktor on Unsplash.