Steam gives "hostname" and other properties to Youtube.

- Embed a Youtube video in Steam Chat
- Click the video title at the top of the embed
- A youtube path opens in your browser. Quickly copy the link before it cleans up.
- Paste in notepad to read.

Steam isn't restricting the referrer, which means third party iframes (such as Youtube) can see the full Steam Client path which includes config details. Youtube is adding the referrer to an embeds_referring_euri parameter, which you can see with the above steps.

https://www.youtube.com/watch?v=xxxxxxxxxxx&embeds_referring_euri=https://steamloopback.host/index.html?IN_CLIENT=true&LOCAL_HOSTNAME=XXXXXX&USE_POPUPS=true&DEV_MODE=false&LANGUAGE=english&PL&embeds_referring_origin=https://steamloopback.host&source_ve_path=xxxxxxx&feature=emb_title

(Url decoded for readability. Client path underlined. I've edited out my hostname.)

This has been around for at least a few versions and is still present in 1685483787. The referrer will likely be available to other embeds like Vimeo and Sketchfab but I've only tested Youtube.

Steam would prevent Youtube from reading these parameters by restricting referrer. This could be done by adding referrerpolicy="origin" to the iframe, or <meta name="referrer" content="origin" /> to cover all third-party resources.

In the above example "embeds_referring_euri" becomes just https://steamloopback.host when restricting referrer.


Admittedly this isn't super sensitive but Google doesn't need that extra data. Valve has recently said "Google's tracking solutions don't align well with our approach to customer privacy" about Google Analytics so the same would apply here.