I was just testing the opt out. I was embedding the opt out into an HTML page and opted out. The third party ignore cookie was set. Then I added the tracking code to the same site. I then reloaded the page and it was suddenly saying "You are not opted out" even though it should say "You are opted out".
The problem is that it seems to only check for the first party cookie but not for the third party cookie status here:
This will be pretty much the behaviour for all Matomo sites as none of the visitors that previously unsubscribed would have the first party ignore cookie yet. So it is important to only show "You are not opted out" if neither the first nor the third party ignore cookie is set. If either of them is set, we assume the user is opted out.
I then opted out, and it was saying "opted out" after I clicked on it. However, when I reloaded the page, it was saying again "not opted out".
Stopped testing afterwards.
We should double check that the user was actually opted out before changing the status of the checkbox ideally.
that'd be great.
And if it didn't change the status, maybe we could show a message explaining to the user that it didn't work and to retry or to contact the website owner? Maybe we could even adjust the message if the opt out is running on http? @mattab Any thoughts? It would basically not work when the site is embedded using http and the user does not have the tracking code on the same page or the opt out iframe domain does not match the tracker domain...
If it's possible then it'd be great to explain in the error message why it doesn't work, e.g.
"Opt-out feature is unfortunately not working because this site is not using https and the tracking code cannot be found on this page. Please contact the website administrator for help." or
"Opt-out feature is unfortunately not working because this opt-out iframe domain $DOMAIN does not match the analytics service domain $DOMAIN2. Please contact the website administrator for help."
I noticed it was actually not changing the status because I had disableCookies in my tracking code (https://matomo.org/faq/general/faq_157/). I wonder if we need to still execute the methods forgetConsentGiven and rememberConsentGiven even when cookies are disabled? @Findus23 @mattab
Not sure of the code details, but the idea would be that the consent mechanism should be completely independent of cookies and work the same whether or not cookies are enabled in the tracker.
Note: we still need to ignore disableCookies setting when opting out or in... will create a separate PR for this https://github.com/matomo-org/matomo/pull/15309
FYI made a few tweaks...
@tsteur looks ok to me though I didn't test locally and it is a fairly complicated PR. I like the interesting use of postMessage here, that seems like it could potentially have other use cases in the tracker (not just opt out and overlay).
It would be nice to be able to unit test the opt out JS if possible (maybe by loading it in karma and testing w/ angular unit tests?). Might be a bit of work to make that possible though; if it's a good idea we could create an issue for now.