Youtube video embedding harm reduction

Embedding external content on a website in the current enshittocene period is
more annoying than ever, so here is a copy-pasteable snippet to embed a youtube
video while reducing its tracking and nuisance capabilities as much as possible:

<iframe
    credentialless
    allowfullscreen
    referrerpolicy="no-referrer"
    sandbox="allow-scripts allow-same-origin"
    allow="accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; browsing-topics 'none'; camera 'none'; display-capture 'none'; domain-agent 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport ''; gamepad 'none'; geolocation 'none'; gyroscope 'none'; hid 'none'; identity-credentials-get 'none'; idle-detection 'none'; local-fonts 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; otp-credentials 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-create 'none'; publickey-credentials-get 'none'; screen-wake-lock 'none'; serial 'none'; speaker-selection 'none'; usb 'none'; window-management 'none'; xr-spatial-tracking 'none'",
    csp="sandbox allow-scripts allow-same-origin;"
    width="560"
    height="315"
    src="https://www.youtube-nocookie.com/embed/jfKfPfyJRdk"
    title="lofi hip hop radio 📚 - beats to relax/study to"
    frameborder="0"
>iframe>
  • credentialless to load youtube in a blank disposable context,
    without access to the origin’s network, cookies, and storage data.
  • allowfullscreen because some people like it
  • referrerpolicy set to not leak your referer
  • sandbox to only allow javascript execution and SOP. Downloads, forms,
    modals, screen orientation, pointer lock, popups, presentation session,
    storage access and thus third-party cookies,
    top-navigation, … are all denied.
  • allow with every single directives
    set to “absolutely-fucking-not”, and yes, they have to be all set one by one,
    because there is no deny-all in the spec. No doubt
    this spec was designed with end-users’ privacy and security in mind.
  • src set to www.youtube-nocookie.com instead of youtube.com. Both
    are official Google urls, but the former doesn’t do tracking via cookies,
    and disables API and interaction and interaction logging. Amusingly, it’s
    the player used on whitehouse.gov.
  • csp set to sandbox allow-scripts allow-same-origin; for compatibility’s
    sake, just in case.
    I’d love to use a more restrictive policy, but the spec doesn’t allow to
    provide one, except if the embedded website explicitly allows it, and of
    course youtube doesn’t.

Don’t forget to put a title for accessibility’s sake.