Where Angels Fear
Jan 4, 2018

Safe S̶e̶x̶ Browsing

Anyway …

You see all those numbers … those are all the things Youtube wants to load into your browser from each of the listed sources …

One cookie from www.youtube.com specifically … another ten from <somewhere>.youtube.com.

Two stylesheets from www.youtube.com … another two from fonts.gstatic.com.

Thirteen objects from unspecified external sources that redirector.google.com will load.

Twenty unspecified ‘other’ things from www.google.com.

And all the other things I’m not going to bore us with by listing them here — just look at the image and add the numbers up, if you’re that determined to know the exact total.

You see the twenty-three objects highlighted in green for r- -sn-8pgbpohxqp5-aigd.googlevid … that’s all you actually need to load in order to watch the video.

The precise details vary from video to video, but at least nine times in ten, it’s the ones for <something>5-aigd.googlevid that you need and nothing else.

Occasionally you might have to authorise manifest.googlevideo.com and/or redirector.google.com before you can authorise the right one but you can unauthorise them again afterwards and reload the video to clear them, leaving only what you need behind.

And sometimes, as I said, there isn’t a 5-aigd.googlevid and you have to try something else by a process of trial and error … (usually one of the others from the same section with a higher number of objects to load than the others, like <something>5-aig6.googlevid or similar)… but, after a while and with a bit of experience you tend to be able to correctly intuit which are the one or two most likely candidates — I tend to try the <something>.googlevid ones first.

Why is this significant?

Well, of the 146 objects Youtube wants to load into your browser, an absolute maximum of 23 are necessary — meaning a minimum of 84% of the items coming with it serve you no purpose whatsoever if all you want to do is watch the video.

84% (123 objects) are there for someone else’s benefit, not yours.

I wonder what benefit they get from them … because they don’t display the video or let me control it in any way — that’s what at least some of the other 23 do.

Those 23 also appear to enable the autoplay feature … because it still works if you don’t load anything else — although you might have to take a look at authorising the necessary objects for the next video again.

Why is this significant?

Well, quite apart from it saving you time and computing resources by not loading all the unnecessary stuff, a lot of those objects are used to track and/or identify you — cookies, obviously, but also fonts in particular … scripts too … stylesheets … objects from other sites (XHR) … and what exactly are those twenty ‘other’ things (what do they do exactly)?

And those fifty-eight XHR objects are ‘cross-hosted’ … meaning they come from unnamed external sites … not youtube.com. Where do they come from? Who owns them? What else do they reach out to that resides on those … or even yet other … sites and does stuff in the background about which we have no knowledge?

At most twenty-three of them are necessary to watch the video … so what are the other thirty-five doing exactly … and why?

Does even Youtube know?

It’s doubtful … most of the uploading process is automated and so long as none of the loaded objects is a direct threat it won’t trip any alarms on Youtube and the stuff in the background can gather whatever data it likes and do whatever it wants with it — even load other objects of which Youtube itself has no knowledge whatsoever and won’t detect for you.

You might want to give some thought to making use of privacy and security plugins/addons/extensions in your browser.

If nothing else, they’ll save you the unnecessary 84% of the page overhead, save your computing resources and make the page load quicker too.

And they might even protect you from some dubious stuff that your antivirus/antimalware and firewall solutions aren’t designed to protect you from either.
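The per-host, per-type count that the uMatrix grid shows can also be rebuilt from a HAR export of the page load, which makes the "needed versus everything else" split checkable outside the browser. The sketch below is an added example, not part of the original post: the HAR entries are constructed, the `r1---sn-placeholder` host and URL paths are placeholders, and it assumes a Chromium DevTools export (which records `_resourceType`) and an allowlist of just `googlevideo.com`.

```javascript
// Added example: tally a page load by host and type, the way the uMatrix grid does.
// SAMPLE_HAR is constructed; paths and the r1---sn-placeholder host are placeholders.
// _resourceType is the field Chromium DevTools writes into exported HAR entries.
const entry = (url, type) => ({ request: { url }, _resourceType: type });
const SAMPLE_HAR = { log: { entries: [
  entry("https://www.youtube.com/watch?v=PLACEHOLDER", "document"),
  entry("https://www.youtube.com/site.css", "stylesheet"),
  entry("https://fonts.gstatic.com/font.woff2", "font"),
  entry("https://s.ytimg.com/base.js", "script"),
  entry("https://www.google.com/ping", "other"),
  entry("https://r1---sn-placeholder.googlevideo.com/videoplayback?range=0-1", "xhr"),
  entry("https://r1---sn-placeholder.googlevideo.com/videoplayback?range=2-3", "xhr"),
  entry("https://googlevideo.com.tracker.example/beacon", "xhr"),
] } };

// Match on a label boundary so a lookalike host is not treated as allowed.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns the host/type grid plus how many requests fall outside the allowlist.
function tally(har, allowedDomains) {
  const matrix = new Map();
  let total = 0;
  let needed = 0;
  for (const e of har.log.entries) {
    const host = new URL(e.request.url).hostname;
    const type = e._resourceType || "other";
    const row = matrix.get(host) || {};
    row[type] = (row[type] || 0) + 1;
    matrix.set(host, row);
    total += 1;
    if (allowedDomains.some((d) => hostMatches(host, d))) needed += 1;
  }
  const unneededPct = total ? Math.round((100 * (total - needed)) / total) : 0;
  return { matrix, total, needed, unneededPct };
}

const REPORT = tally(SAMPLE_HAR, ["googlevideo.com"]);
for (const [host, row] of REPORT.matrix) console.log(host, JSON.stringify(row));
console.log(`${REPORT.needed} of ${REPORT.total} needed; ${REPORT.unneededPct}% not`);
```

The last constructed entry shows why the match is done on a label boundary: a host that merely contains the allowed name is counted with the unneeded requests.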

[UPDATE]

So then, when it became available again, I added NoScript, because 23 unidentified XHR objects that seemingly do an awful lot more than I anticipated is a bit concerning — NoScript might identify them for me once they make it to the browser and I can be even choosier about what I authorise.

And what I discovered was that there's an awful lot of youtube.com functionality hidden behind those 23 objects. If I go to youtube.com with just uMatrix, I see an awful lot of stuff load into my browser to give me a basic outline of the site. With NoScript running as well, I see virtually nothing at all and until I authorise the youtube.com and ytimg.com scripts in NoScript and scripts from s.ytimg.com in uMatrix that's how it will remain.

So those 23 XHR objects seem to include scripts as well as video and other (control) elements — which, of course, isn't declared explicitly in uMatrix because it just lists them as XHR objects.

N.B. NoScript loads scripts into the browser; they're just not allowed to run. So the fact that they get loaded can still allow tracking to happen ¹. If you want to prevent them from getting loaded in the first place, you need uMatrix — which blocks them at the domain.


¹ The Decentraleyes browser addon/extension is worth a look, if you want to limit this further. A ‘canvas’ blocking addon/extension is also advisable.
