And a bit of an explanation for the less technically inclined. When you embed something on your website that uses a resource on another website, e.g. an image hosted on another server or a video hosted on another server (YouTube in this case), your browser may send an HTTP header to that server that has information about what your website is, e.g. the web address of the page that contains the embedded resource. This can be used by YouTube to track what websites link to a video and thus create analytics for the video owner. It's with a good, or let's say OK-ish, intent. Which is why they require that you send a Referrer header for some videos (I guess commercial ones), or otherwise will not show the video. However, this mechanism can be dangerous and can compromise security. For instance, if you embed a YouTube video on an online banking website and if the developers of that website are stupid enough to use URL query parameters, it can lead to your passwords being sent to YouTube 🙂 This is why there's a policy the websites use that determines when and what information is sent in the Referrer header to other websites. By default Flarum used same-origin, which basically means no such headers are sent. Only cross-links to our own forum (e.g. a link from one discussion to another discussion) would be sent, i.e. the information stays within PianoClack.
Now, by changing it to strict-origin-when-cross-origin, the Referrer headers will be sent to other websites too, but in that case only the "origin" will be sent, in our case this is the domain "pianoclack.com". However, the actual path (the discussion URL) or query parameters won't be sent. Thus, YouTube will know that PianoClack embeds a certain video but that's about it, they won't know which discussion, etc. Well, they will scan our website and will understand, but at least this prevents malicious websites from gathering more information.
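To make the difference between the two policies concrete, here is an added example (not code from the post above, nor from Flarum or YouTube) that models how a browser derives the Referer header value for a request from one page to another URL under each Referrer-Policy value, following the W3C Referrer Policy rules. The sample discussion URL with a secret in its query string and the YouTube embed URL with a placeholder video id are constructed for the demonstration, and "potentially trustworthy" is simplified to "uses https:".

```javascript
// Remove credentials and the fragment; optionally reduce to the origin only
// (browsers send an origin-only referrer as "https://host/" with a trailing slash).
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return originOnly ? u.origin + '/' : u.href;
}

// Referer value sent for a request from `fromUrl` to `toUrl`, or null if none is sent.
// Simplification: a "downgrade" is any request from an https: page to a non-https: URL.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return stripForReferrer(fromUrl, false);
    case 'origin':                     return stripForReferrer(fromUrl, true);
    case 'strict-origin':              return downgrade ? null : stripForReferrer(fromUrl, true);
    case 'same-origin':                return sameOrigin ? stripForReferrer(fromUrl, false) : null;
    case 'origin-when-cross-origin':   return stripForReferrer(fromUrl, !sameOrigin);
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(fromUrl, false);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(fromUrl, false);
      return downgrade ? null : stripForReferrer(fromUrl, true);
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Constructed sample URLs (not real pages): a discussion page whose query string
// carries a secret, and a YouTube embed URL with a placeholder video id.
const DISCUSSION = 'https://pianoclack.com/d/123-some-discussion?token=SECRET';
const YOUTUBE_EMBED = 'https://www.youtube.com/embed/VIDEO_ID';

// Which policies would expose the query string (the "password in the URL" case) to the embed host?
function policiesLeakingQuery(fromUrl, toUrl) {
  const policies = ['no-referrer', 'same-origin', 'strict-origin-when-cross-origin',
                    'origin-when-cross-origin', 'no-referrer-when-downgrade', 'unsafe-url'];
  const query = new URL(fromUrl).search;
  if (!query) return [];
  return policies.filter(p => (refererFor(p, fromUrl, toUrl) || '').includes(query));
}

console.log(refererFor('same-origin', DISCUSSION, YOUTUBE_EMBED));                     // null
console.log(refererFor('strict-origin-when-cross-origin', DISCUSSION, YOUTUBE_EMBED)); // https://pianoclack.com/
console.log(policiesLeakingQuery(DISCUSSION, YOUTUBE_EMBED)); // [ 'no-referrer-when-downgrade', 'unsafe-url' ]
```

Running it shows that same-origin sends nothing to YouTube, strict-origin-when-cross-origin sends only the bare origin, and only the two "full URL" policies would forward the query string to a third party.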