Vimeo video and Content Security Policy problems – video not showing

When you like to increase the security of your website, you are at a better place if you add CSP. That is Content Security Policy and Referrer policy to your website. But problems can occur if you add a Video Player. Vimeo support helped me solve it.

Regardless if you use a WordPress plugin, like an excellent Redirection Plugin or any other plugin. Or if you simply grab a double espresso and write it right into the HTML Header code, be sure to check that the referrers and CSP are correct. Where humans dwell there is always room or tiny bits, small and huge problems lurking around.

Not only am I a full-time working artist, an illustrator. I am also just a guy who has my own little platform with self-made video online courses. And with all classes – using the Learnpress LMS plugin – I add videos hosted with Vimeo.

Something happened when I started adding Referrers and Content Security Policy to the site where I have my Embedded videos – from Vimeo. The password fields to view the videos were gone. And instead, my ”students” would see the container of a black frame and the text: ”

Sorry. Because of its privacy settings, this video cannot be played here. (click button) Learn More ”

After days of trying to find the problem – checking source files, googling and binging, Firefox dev tooling, and asking in WordPress org forums, VIMEO Support came to my rescue. Yay!

So, here is what you have to do if your issue is the same: Check the source file for a snippet of code. Remove it or replace it. Vimeo Support found that I had a snippet of code that was wrong and stopped the Vimeo embed from working: meta name=”referrer” content=”no-referrer”.

Remove that or replace it with: meta name=”referrer” content=”origin”.

And, I also found that one CSP snippet that messed up the layout of my online course website is style-src self. So when you write for yourself in a source file or via a plugin for WordPress, like Redirection, don’t use that one, for now, if you use Vimeo Embedd. Hope that will be fixed too. Because its a security whole of course.

I can´t stress enough how much I appreciate the VIMEO Support team for their excellent help. They took the time and found in my website source code what was wrong. And for that, I say thanks. Yes, I pay for a premium account, but some support people just go the extra mile to help out.

I also like to say thanks to the Redirection plugin developer for making an excellent plugin for Referrer and CSP amongst things.

Hope this helps you, too.

Ps.
Reference sites that also helped

• https://www.reflectiz.com/blog/8-best-content-security-policies/
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
• https://wordpress.org/support/plugin/redirection/

Stefan Lindblad
Artist, illustrator