Oldytplayer Youtube Old P
✨ AI-Powered 🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
Take control of YouTube and bring back the classic player.
OldYTPlayer restores YouTube’s pre-2025 video player and adds a handful of optional, privacy-friendly tweaks. If you prefer the familiar layout with fewer distractions—but still want modern conveniences like community dislikes and SponsorBlock, this extension is for you.
------------------------------
What does OldYTPlayer do?
Restore the Old Player
• Reverts the YouTube player to its pre-2025 look
• Hides the new fullscreen “grid” and quick controls
• Keeps the classic style consistent
Optional Tweaks
• Return YouTube Dislike integration
• SponsorBlock segment skipping
• Classic like/dislike icons and more
Easy Controls
• Popup master enable/disable
• “Only Revert Player” quick action
• Hide/Unhide the OldYTPlayer settings entry
------------------------------
Key Features
Player and UI
• Revert Old YouTube Player (pre-2025 UI)
• Hide fullscreen “More videos” grid and quick-action overlays
• Classic like/dislike buttons
Tweaks and Cleanup
• Remove AI Summary and “Ask AI”
• Hide Shorts across home/search/sidebar/related
• Hide sponsored panels, overlays, merch and promos
• Hide Share/Thanks/Clip buttons
Integrations
• Skip sponsored segments with SponsorBlock
• Show community dislike counts via Return YouTube Dislike
...and much more, all togge-able!
---------------------------
OldYoutubePlayer is a third-party extension and is not affiliated with YouTube.
YouTube is a trademark of Google LLC. Use of this trademark is subject to Google Permissions.
Tags
Privacy Practices
Security Analysis — Oldytplayer Youtube Old P
Permissions
Code Patterns Detected
External Connections
Package Contents 17 files · 3.7MB
What This Extension Does
Oldytplayer Youtube Old P is a browser extension designed to restore YouTube's pre-2025 player interface, re-enable dislikes, and integrate third-party tools like SponsorBlock. It operates by injecting content scripts into YouTube pages to modify the DOM and intercept user interactions. While it serves a specific nostalgia and utility purpose for power users, its broad access to YouTube data and dynamic script creation warrants careful review.
Permissions Explained
- storageexpected: Allows the extension to save your settings (like which UI tweaks you want) and remember them between sessions.
Technical: Accesses chrome.storage.local or Session Storage. This is a standard API for persisting configuration data locally on the user's device without network transmission. - tabsexpected: Enables the extension to detect when you are on YouTube and show its popup controls or inject features into the correct page.
Technical: Accesses chrome.tabs API to read tab metadata (title, URL, active status). This is necessary for context-aware functionality but does not inherently expose content unless combined with other permissions. - scriptingexpected: Permits the extension to run code on YouTube pages to modify the video player and UI elements.
Technical: Accesses chrome.scripting API (formerly webRequest/onInstalled). This allows injecting content scripts into specific domains. It grants the ability to read/write DOM, execute JS, and intercept network requests within the scope of the granted host permissions. - https://www.youtube.com/*expected: Grants full access to read and modify any content on YouTube pages to restore old UI elements.
Technical: Host permission allowing chrome.webNavigation, chrome.tabs.insertCSS, and content script injection. This exposes the extension to all data on the page (comments, watch history, personal playlists). If compromised, an attacker could harvest this data or inject malicious scripts into your YouTube session. ⚠ 1 - https://m.youtube.com/*expected: Grants full access to read and modify any content on the mobile version of YouTube pages.
Technical: Host permission for mobile subdomain. Similar risk profile to the desktop version, allowing DOM manipulation and data access on responsive layouts. ⚠ 1
Your Data
The extension accesses your YouTube watch history, comments, video titles, and UI elements to modify them. It sends requests to third-party APIs for features like SponsorBlock and dislike counts.
Technical Details
Code Findings
The extension creates new script tags on your computer. While often used to load necessary libraries, this technique can be abused by malware to download and execute hidden code without your knowledge.
Technical: Code pattern: document.createElement('script') followed by src assignment and .click() or .appendChild(). Risk vector: If the extension is compromised or if a malicious actor gains control of the extension's update mechanism, they could inject arbitrary scripts that steal cookies or hijack the session. This bypasses some CSP protections.
💡 Commonly used to load external libraries (like jQuery) or dynamically fetch configuration files from CDNs when the build process cannot bundle them.
The extension uses a method to insert content that could theoretically allow malicious code to run if the source of that content is not strictly validated.
Technical: Code pattern: element.innerHTML = user_input. Risk vector: If the extension fetches data from an untrusted source (like a third-party API) and blindly assigns it to innerHTML, an attacker could inject HTML/JS payloads. This is mitigated if the input is sanitized or escaped before assignment.
💡 Used for rendering user-generated content or dynamic UI components. Standard practice requires strict sanitization of all inputs.
The analysis indicates the extension has the capability to capture keystrokes. This is a severe privacy risk as it could record passwords, search queries, or private messages typed on YouTube.
Technical: Code pattern: Event listener for 'keydown' or 'keypress' capturing event.key/value and storing/transmitting data. Risk vector: If this code executes in the context of the extension, it can capture input from any focused element within the scope of its permissions. This is a red flag regardless of whether it is currently active.
💡 Rarely used legitimately in UI restoration tools unless specifically for accessibility testing or password manager integration (which would require explicit user consent and secure storage).
The extension does not enforce strict security rules on which scripts can run. This makes it easier for vulnerabilities to be exploited.
Technical: Manifest or background script lacks 'Content-Security-Policy' header configuration. Risk vector: Without a CSP, the browser allows any script loaded by the extension to execute, increasing the attack surface if a dependency is compromised.
💡 Some simple extensions omit CSP for ease of development, but it is a best practice for security-hardened extensions.
The extension talks to other websites using a secure messaging system. This is generally safe but requires trust in the receiving parties.
Technical: Code pattern: window.postMessage(). Risk vector: If the extension sends data to an untrusted domain via postMessage, that domain could intercept it. However, this is standard for integrating with services like SponsorBlock.
💡 Standard mechanism for extensions to communicate with external APIs or other browser contexts.
Oldytplayer Youtube Old P provides useful functionality for restoring YouTube's classic interface but presents significant security concerns. The combination of broad host permissions on YouTube, the creation of dynamic scripts, and the critical finding regarding potential keystroke capture suggests this extension should be used with caution. Users are advised to avoid entering sensitive information (passwords, credit cards) while the extension is active and consider disabling it if they prioritize strict privacy over UI customization.
