Youtube Video on landing page blocked by CSP
Summary
To protect us from inline script injection, we have introduced CSP rules that are respected by the browser. As a result, the browser may only open content that is shared by us.
On the CSP whitelist are currently:
Steps to reproduce
- Visit landing page
- Click on the offered video
What is the current bug behavior?
Thus, the Youtube video on the home page https://foodsharing.de cannot be displayed.
What is the expected correct behavior?
Should be shown
Relevant error messages and/or screenshots
Technical data from Sentry:
- Blocked 'frame-src' from 'www.youtube-nocookie.com'
- https://foodsharing.de/
- For 8 months
- 200-400 events per day
- https://sentry.io/organizations/foodsharing-ev/issues/904373747/?project=1400919&query=is%3Aresolved
Possible fixes
The following options could be available:
- Whitelist Youtube via the CSP rules
- Load the video into our server. Traffic? Video is only loaded if it is also clicked.
- Video is not embedded, but only opened in a new tab on Youtube.
Edited by Christian Walgenbach
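The whitelist option, sketched as an added example (not part of the original issue or foodsharing's code): a simplified model of how a browser decides whether a frame is permitted, run against a policy before and after adding a narrow `frame-src` entry for the blocked host. Both policy strings and the video id are constructed assumptions, since the issue does not show the real policy.

```javascript
// Added example. Policies are constructed; the page does not show the real one.
// Simplified matcher: handles 'self', *, scheme-sources and host-sources
// (optional scheme, optional leading "*."); ports and paths are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)/);
  if (!m) return false; // 'none' and other quoted keywords never match a URL
  if (m[1] && url.protocol !== m[1] + ':') return false;
  const host = m[2];
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
}

// Frames are governed by frame-src, falling back to child-src, then default-src.
function frameAllowed(policy, frameUrl, pageOrigin) {
  const directives = parseCsp(policy);
  const name = ['frame-src', 'child-src', 'default-src'].find((d) => directives.has(d));
  if (!name) return true; // no governing directive: nothing restricts frames
  const url = new URL(frameUrl);
  return directives.get(name).some((src) => sourceMatches(src, url, pageOrigin));
}

const PAGE = 'https://foodsharing.de';
const EMBED = 'https://www.youtube-nocookie.com/embed/VIDEO_ID'; // placeholder id
const before = "default-src 'self'; script-src 'self'"; // constructed policy
const after = before + "; frame-src 'self' https://www.youtube-nocookie.com";

console.log('before:', frameAllowed(before, EMBED, PAGE));
console.log('after: ', frameAllowed(after, EMBED, PAGE));
```

Listing only the exact embed host in `frame-src` keeps every other third-party frame blocked and leaves `script-src` untouched, so the inline-script protection the summary describes is unaffected.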