Ask HN: How does Google share my login information with YouTube?

3 points by zagrebian ↗ HN
Steps to reproduce:

1. Install Firefox 2. Go to google.com 3. Log in with your Google account 4. Go to youtube.com 5. You are already logged in

I would like to understand how Youtube receives my Google login information. I assume that logins on the web are based on websites, and since google.com and youtube.com are two different websites, Youtube should not be able to access my Google login.

So how does Youtube do it? If this were Chrome, I would assume that it’s some sort of Google integration, but this is Firefox, so there must be a standard web API at work here.

14 comments

[ 3.0 ms ] story [ 43.7 ms ] thread
Youtube is a part of Google, they got rid of Youtube logins and merged it to use Google accounts to login in shortly after being acquired.
I understand that. My question is, how? How is Youtube receiving my Google login?
If you look at the chain of redirects during your Google login you'll be redirected to youtube.com before redirecting back to Google.
What. The. Heck.

Is this considered a dark pattern?

Its called sso single-sign-on. you log in one website and every other just redirects to website 1 and get redirected back.
Is there a limit on how many additional websites can receive my login information in the background like this? I feel like this should be more regulated by the browser.

As a Firefox user, I would prefer if the browser informed me about this. If I sign in on Google, Firefox should include this information in the “Remember password” popup. A small warning that says something like, “This login information was shared with youtube.com”.

It is regulated in the browser - that's why Google has to explicitly redirect you to YouTube and pass the secret value in the URL since YT can't access your Google session cookie.

YouTube is owned by Google so they can make both websites cooperate to share data between each other, working around the browser's same-origin policy.

As long the server supports it, nearly infinite, but most protocols require an redirect, since they can't access the cookies of the loginsite.
What I mean by regulation:

- There is a limit on how many sites the login information can be shared with without notifying the user.

- If the login information is attempted to be shared with a website that is a known tracker, the process is stopped, and the user is explicitly prompted to allow this.

> since google.com and youtube.com are two different websites

Both are part of Google.

The web platform does not have a concept of companies. There are origins, domains, and websites. As I said, logins in browsers are tied to websites.
I do not think that is true. How do you stay signed into google even though you restart a browser? There is a cookie that is stored and it authenticates you. When you first go to yt.com, it can ask google to authenticate you.. Call a url at google.com with a unique id and the response from that URL will tell yt if you are already signed in. The call to google can authenticate you since the call is coming from a google.com domain.

I am not sure if this is the exact mechanism.. but thinking that everything is origins, domains and websites and ignoring the fact that websites can call other websites (without making it obvious to the user) and they are all interconnected is a very naive assumption.

> Call a url at google.com with a unique id and the response from that URL will tell yt if you are already signed in.

I don’t think this is possible. When Google.com receives an HTTP request from Youtube.com, Google cannot know which user it is because the user visited Youtube.com anonymously.

If you open youtube.com in a private window, it does not auto-login as expected. Maybe, I am misunderstanding your question?