Spotify embed not working because 3rd party cookies are blocked

[arsinclair]

Description

So because Brave blocks cross origin cookies by default, Spotify embed isn't able to get the authentication status and therefore only allows the playback for 30 seconds per song. In some cases it doesn't play at all.

It can be easily reproduced with the test embed here (scroll to Preview section): https://developer.spotify.com/documentation/widgets/generate/embed

If we turn Brave shields off (or turn on 3rd party cookies) it starts playing.

Of course, to test it we have to be authenticated at https://open.spotify.com beforehand.

Steps to Reproduce

1. Authenticate with Spotify here https://open.spotify.com (must be a Premium account)
2. Go to https://developer.spotify.com/documentation/widgets/generate/embed and try to play music in the demo embed. It will either play for 30 seconds or not play at all
3. Go to Brave Shields popup and change Cross-site cookies blocked to All cookies allowed.
4. Refresh the page and try to play again. It will play without any issues.

Brave version (brave://version info)

Brave	1.31.91 Chromium: 95.0.4638.69 (Official Build) (64-bit)
Revision	6a1600ed572fedecd573b6c2b90a22fe6392a410-refs/branch-heads/4638@{#984}
OS	Windows Server OS Version 1809 (Build 17763.2237)

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields? Yes
• Does the issue resolve itself when disabling Brave Rewards? No
• Is the issue reproducible on the latest version of Chrome? No

[rebron]

cc: @ryanbr @pes10k

[pes10k]

Yep, i dont think there is much we can do about this, at least short term. Possible options are enabling the Storage Access API (which would allow sites cross site tracking capabilites, though limited by a permission system), creating a 3p storage exception for spotify (which would allow a great deal of privacy harm), or adding Spotify to the global social media toggles (maybe the least bad option if we decide we need to fix this).

For my 2c though though, i would be fine marking this wontfix. I appreciate the functionality is useful and pleasant, but I don't think we should start punching the kinds of privacy holes in shields that would be needed here.

(note, there is a similar issue with youtube embeds and adding them to your "favorites")

[arsinclair]

Those are all valid options and I'm sure the community can decide how to tackle it better. However, another approach can be by just somehow making it more obvious to the user that Brave is blocking the embed. This way it will be up to the user to allow it or not, and we don't have to compromise the secutiry of the default settings.

Main problem here, it is not obvious that Brave is blocking it. I myself spent several days trying to figure out why the embed is not working on my site, and the most obvious ideas I had is either it is not supported by Spotify, or something is wrong with my code.

[ryanbr]

@arsinclair should be resolved, had no issues with current Brave releases and embedded spotify. Can you confirm?

[arsinclair]

So, it seems the default setting on Brave shields right now is to Allow all cookies (I'm not sure if I have overridden it in the past) so the embed is working. I don't know if that's the case, but I think this issue can be closed, since Blocking 3rd party cookies is one of the features of Brave, and if someone turns it on, issues like this are expected.

If anyone wants to give it some attention to make the fact that such cookies are blocked more visible, feel free to re-open the issue.