Troubleshooting YouTube Embed Issues (Error 153)

Table of Content

  1. Understanding Error 153
  2. How to Check for YouTube Embed Issues
    1. 1. Inspect HTTP Referrer-Policy
    2. 2. Check for X-Frame-Options Header
    3. 3. Review Content Security Policy (CSP)
    4. 4. Examine the YouTube Embed Code
  3. Common Solutions
    1. 1. Adjust Referrer-Policy
    2. 2. Update YouTube Embed Code
    3. 3. Configure Content Security Policy (CSP)
    4. 4. Check for Conflicting Plugins or Services

If you’re encountering “Error 153: Video player configuration error” when embedding YouTube videos on your WordPress site, especially when WP Security Ninja is active, it’s likely due to security policies interfering with how YouTube validates embed requests. This guide will help you identify and resolve common causes related to referrer policies and content security.

Understanding Error 153

YouTube’s embedded player requires specific information, primarily the HTTP Referer header, to validate requests and ensure proper functionality. Security measures, including those implemented by WP Security Ninja or other plugins/services, can sometimes inadvertently block or modify this information, leading to Error 153.

Back to Top

How to Check for YouTube Embed Issues

The primary way to diagnose Error 153 is by inspecting your website’s HTTP headers and the HTML of your embedded YouTube videos.

Back to Top

1. Inspect HTTP Referrer-Policy

The Referrer-Policy HTTP header dictates what referrer information is sent with requests. An overly strict policy can prevent YouTube from validating the embed.

Steps to check:

  1. Open the page on your website where the YouTube video is displaying Error 153 in your web browser (e.g., Chrome, Firefox).
  2. Right-click anywhere on the page and select “Inspect” (or “Inspect Element”).
  3. Go to the “Network” tab in the developer tools.
  4. Refresh the page.
  5. Click on the main HTML document request (usually the first item, with your domain name).
  6. In the right-hand panel, look for the “Headers” tab.
  7. Scroll down to “Response Headers” and look for Referrer-Policy.

What to look for:

  • Problematic: If Referrer-Policy is set to no-referrer or same-origin, it’s likely causing the issue.
  • Recommended: YouTube recommends strict-origin-when-cross-origin. This policy sends the full URL as a referrer for same-origin requests and only the origin for cross-origin requests, which is generally sufficient for YouTube.
Back to Top

2. Check for X-Frame-Options Header

The X-Frame-Options header prevents your site from being embedded in iframes. While useful for security, if it’s applied to pages containing YouTube embeds, it can sometimes interfere.

Steps to check:

  1. Follow steps 1-6 from “Inspect HTTP Referrer-Policy” above.
  2. In the “Response Headers” section, look for X-Frame-Options.

What to look for:

  • Problematic: If X-Frame-Options is set to DENY or SAMEORIGIN on pages where you embed YouTube videos, it might be contributing to the problem.
  • Recommendation: Ideally, this header should not be present or should be configured carefully on pages with third-party iframes.
Back to Top

3. Review Content Security Policy (CSP)

If you have a Content Security Policy (CSP) enabled (either via WP Security Ninja or another method), it might be blocking YouTube’s resources.

Steps to check:

  1. Follow steps 1-6 from “Inspect HTTP Referrer-Policy” above.
  2. In the “Response Headers” section, look for Content-Security-Policy.
  3. Examine the directives, specifically frame-src, child-src, and potentially script-src and img-src.

What to look for:

  • Problematic: If YouTube domains are not explicitly allowed in frame-src or child-src, the embeds will be blocked.
  • Recommendation: Ensure your CSP includes the following for YouTube embeds:
    • frame-src: https://www.youtube.com https://www.youtube-nocookie.com https://*.youtube.com https://*.ytimg.com
    • child-src: https://www.youtube.com https://www.youtube-nocookie.com https://*.youtube.com https://*.ytimg.com
    • (If using YouTube IFrame API) script-src: https://www.youtube.com https://*.ytimg.com
    • (For thumbnails/images) img-src: https://i.ytimg.com https://*.ytimg.com
Back to Top

4. Examine the YouTube Embed Code

Sometimes, the embed code itself might be missing the necessary referrerpolicy attribute.

Steps to check:

  1. On the page with the embedded video, right-click on the video player area and select “Inspect”.
  2. Locate the <iframe> tag for the YouTube video.

What to look for:

  • Missing attribute: Check if the <iframe> tag has a referrerpolicy attribute.
  • Recommendation: Ensure the <iframe> includes referrerpolicy="strict-origin-when-cross-origin". 
    <iframe
  src="https://www.youtube.com/embed/VIDEO_ID"
  referrerpolicy="strict-origin-when-cross-origin"
  allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; fullscreen"
  allowfullscreen
  loading="lazy"
  width="560" height="315">
</iframe>
Back to Top

Common Solutions

Based on your findings from the checks above, here are common solutions:

Back to Top

1. Adjust Referrer-Policy

  • Via WP Security Ninja: If WP Security Ninja has a setting for Referrer-Policy, ensure it’s set to strict-origin-when-cross-origin or a less restrictive option that allows cross-origin referrers.
  • Via .htaccess (Apache): Add or modify your .htaccess file (located in your WordPress root directory) to include: 
    <IfModule mod_headers.c>
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
  • Via Nginx: Add or modify your Nginx configuration: 
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  • Via HTML Meta Tag: As a less precise but sometimes effective solution, you can add this to your site’s <head> section: 
    <meta name="referrer" content="strict-origin-when-cross-origin" />
Back to Top

2. Update YouTube Embed Code

  • Add referrerpolicy attribute: Manually add referrerpolicy="strict-origin-when-cross-origin" to your YouTube <iframe> tags.
  • Use youtube-nocookie.com: Replace www.youtube.com/embed/ with www.youtube-nocookie.com/embed/ in your iframe src attribute. This privacy-enhanced domain often resolves referrer-related issues.
Back to Top

3. Configure Content Security Policy (CSP)

If you are using CSP, ensure that YouTube domains are whitelisted in the frame-src and child-src directives. Adjust your CSP settings within WP Security Ninja or your custom configuration to include the recommended domains mentioned in “Review Content Security Policy (CSP)” above.

Back to Top

4. Check for Conflicting Plugins or Services

Temporarily disable other security plugins, caching plugins, or CDN/WAF services (like Cloudflare) one by one to isolate if another service is overriding your header settings or interfering with the embeds. If disabling one resolves the issue, you’ll need to configure that service to allow YouTube embeds.

By systematically checking these areas, you should be able to pinpoint and resolve the cause of Error 153 on your embedded YouTube videos.

Back to Top

Was this helpful?

Next Article

Re-install WordPress