Broken video attachments in Gmail
My sister often emails video attachments of my niece and nephew. Gmail provides a really sleek mechanism for viewing the attached videos without leaving the browser by playing them in an embedded YouTube player. However, at some point the YouTube player started presenting me with the following message: “An error occurred. Please try again later.” Let’s dig in.
Disabling third-party cookies in my browsers was the cause of this issue. Some browsers like Firefox have this disabled by default. To see if you’re video playback is broken for the same reason visit this page. If you see “Third party cookies appear to be disabled”, then read on for the solution.
Background: third-party cookies
When you log in to a website like Gmail you provide your email/password and in the background Gmail’s servers send you back a cookie containing a session ID (for example: NRviSpoYm7mdkYB4W2471l). Think about it like a student ID#. When you first enroll in a school you likely provide proof of identity like a birth certificate and in return you are given a student ID#. From this point forward you can just provide the school with your ID# if you want to enroll in a class or check your grades. Similarly, once you have a session ID the browser sends it each time you request to open a new email, so the server knows its you. You don’t need to provide the email/password each time. That’s convenient.
But there’s another way these cookies are used to track you around the internet. Once you log into Gmail, this session ID can be used to identify you across the web. Sometimes conveniently, for example when attempting to prove you have authorization to view a video attachment. At other times, secretly watching and reporting the urls you visit to Google. This is why services like Facebook and Twitter want you to remain logged in. Once you log out, you blow away your session ID and become anonymous (actually it’s much more complicated because more advanced tracking methods exist).
Setting your browser to block third-party cookies is another way to prevent tracking. It essentially says, only share my session ID with the website where I logged in and keep it secret when I visit other web pages. With third-party cookies blocked, your Gmail session ID would only be visible when your browser url points to: mail.google.com. So, do you have third-party cookie blocking enabled? Visit this page to see.
Disabling third-party cookies breaks video attachment preview
When you click to watch a video attachment in Gmail it overlays Gmail with an embedded YouTube player page. It’s makes sense for Google to re-use their YouTube player, however, the attachment is hosted in Gmail and if you read the Background section above you probably are starting to guess the issue: The embedded YouTube player page is not allowed to send your Gmail session ID when requesting the attachment and when it tries to load the video file it can’t prove it’s playing the video on your behalf. Gmail correctly rejects a request of this type because you don’t want strangers being able to watch your private videos.
In the diagram, the video player outlined in red is hosted on youtube.com server and the video player wants to play a video attachment hosted on mail.google.com. But because third-party cookies are disabled, the request for the attachment is not allowed to expose the session ID because the request is coming from a youtube.com page.
The fix: allow all websites to send your mail.google.com cookie
This will allow the embedded youtube.com player to prove it is playing the video on your behalf. Not an ideal solution because Google can now track you around the web. Ideally, Google should fix this issue by providing a different authentication mechanism that does not break when third-party cookies are disabled.
Save and reload your Gmail tab.
Save and reload your Gmail tab.
It just works. No changes needed. This is because Safari appears to have a bug in it. It correctly abstains from sharing third-party cookies, however, it shares them if the requested content is video. A privacy leak. I will be raising a bug with Webkit in a bit.