Thanks for the pointer in #55310 (comment) this was exactly it @JeanMeche Relaxing the embedder policy to
credentialless keeps the cross-origin isolation the editor needs while letting
the YouTube iframe load, and it fixes Safari on top of Chromium.

One gap remains: Firefox still blocks the embed, since it has no credentialless
iframe attribute and its credentialless policy only applies to subresources,
not nested frames. I have a facade-based fallback ready for that and will open it
as a follow-up once this lands so this header fix can land on its own.

What do you think of this approach? I know it's a bit ugly but better than firefox error screen. Happy to adjust if you'd rather handle it differently.

Firefox is sadly still the same.

Deployed adev-preview for f5ef068 to: https://ng-dev-previews-fw--pr-angular-angular-69205-adev-prev-3qr4dw1w.web.app

Note: As new commits are pushed to this pull request, this link is updated after the preview is rebuilt.

Deployed adev-preview for f5ef068 to: https://ng-dev-previews-fw--pr-angular-angular-69205-adev-prev-3qr4dw1w.web.app

Note: As new commits are pushed to this pull request, this link is updated after the preview is rebuilt.

The fix works on my machine :) but didn't make it to the preview link. I think it might just be a stale deploy: curl -sI <preview>/events/v22 still returns cross-origin-embedder-policy: require-corp, while the committed config at the PR head (f5ef068) already has credentialless in both adev/firebase.json and adev/angular.json. Previews seem to take their COEP header from firebase.json and only re-apply it on redeploy, and the last adev-preview-deploy looks like it ran against 255151a41 rather than this PR's head. So maybe the preview just needs a fresh deploy of the head to pick it up, wdyt?

It might be possible that the firebase config is not based on the content of the PR but from main directly (for security reasons), cc @josephperrott

Indeed.

This PR was merged into the repository. The changes were merged into the following branches:

• main: 86cd166
• 22.0.x: 4d24f46

Looks like this change didn't fix the issue. COEP is now credentialless but the iframe still doesn't load on firefox

Thanks for the pointer in #55310 (comment) this was exactly it @JeanMeche Relaxing the embedder policy to credentialless keeps the cross-origin isolation the editor needs while letting the YouTube iframe load, and it fixes Safari on top of Chromium.

One gap remains: Firefox still blocks the embed, since it has no credentialless iframe attribute and its credentialless policy only applies to subresources, not nested frames. I have a facade-based fallback ready for that and will open it as a follow-up once this lands so this header fix can land on its own.

What do you think of this approach? I know it's a bit ugly but better than firefox error screen. Happy to adjust if you'd rather handle it differently.

Screen.Recording.2026-06-06.at.11.27.41.mov
Firefox is sadly still the same.

Yeah, as I mentioned here there's nothing we can do to make the YouTube embed work in Firefox directly. The facade-based fallback can handle that (a bit ugly, but better than nothing), I can open it as a separate follow-up if we're agreed on the approach.

We can at least have a look at what you suggest :)