I’ve tried my hand on creating an Instagram embed without cookies and failed.
Even trying the following iframe embed with the sandbox attribute does not disable the Instagram iframe from setting cookies in the parent document.
<iframe sandbox src="https://www.instagram.com/p/BWNjjyYFxVx/embed/captioned" width="500" height="605" frameborder="0" scrolling="no" allowtransparency="true"></iframe>
It seems that Instagram has a way to bypass the sandbox HTML5 attribute and there is really nothing on the web about this apart from some unsolved StackOverflow questions:
BTW Instagram is very greedy. The above embed sets a 2 year cookie and another one that expires in the year 2038(!)
Another interesting detail is that Instagram TOS demand that you seek permission if you want to use their API to retrieve images and other user content from their platform. I’ve tried this in the past with a custom Instagram feed that bypassed their cookies and of course the app was rejected.
As things are right now there is no way to create a Hugo internal shortcode for Instagram that does not set identifiers in a user’s device. Just visit: https://gohugo.io/content-management/shortcodes/#use-hugo-s-built-in-shortcodes open Developer Tools and view the exorbitant amount of cookies set by Instagram and the other platforms.
I haven’t tried my hand on the Twitter internal shortcode yet. I might try tomorrow. But I wouldn’t be surprised if I failed with this also.
And to be perfectly clear I do not wish to become the middle man of Instagram/Facebook and seek user consent for their data collection practices.
So as things are right now I think I’m going to cull all Instagram embeds from projects I manage.