@katebutler opened this Pull Request on November 21st 2019 Member

Part of #14395 (allowing opt-out to work in Chrome on HTTP sites), also related to #6505

@tsteur commented on December 7th 2019 Member

@Findus23 @MichaelHeerklotz any chance you could give this PR a test as well?

@tsteur commented on December 10th 2019 Member

I was just testing the opt out. I was embedding the opt out into an html page and opted out. The third party ignore cookie was set. Then I added the tracking code to the same site. I then reloaded the page and it was suddenly saying

You are not opted out

Even though it should say

You are opted out

The problem is that it seems to only check for the first party cookie but not for the third party cookie status here:

image

This will be pretty much the behaviour for all Matomo sites as none of the visitors that previously unsubscribed would have the first party ignore cookie yet. So it is important to only show "You are not opted out" if neither the first nor the third party ignore cookie is set. If either of them is set, we assume the user is opted out.

I then opted out, and it was saying "opted out" after I clicked on it. However, when I reloaded the page, it was saying again "not opted out".

  • We should double check that the user was actually opted out before changing the status of the checkbox ideally. And if it didn't change the status, maybe we could show a message explaining to the user it didn't work and to retry or to contact the website owner? Maybe could even adjust the message if the opt out is running on http? @mattab Any thoughts? It would basically not work when the site is embedded using http and the user does not have the tracking code on the same page or the opt out iframe domain does not match the tracker domain... In other cases either the first or the third party cookie should work... This message would be shown to actual visitors...
  • I noticed it was actually not changing the status because I had disableCookies in my tracking code (https://matomo.org/faq/general/faq_157/). I wonder if we need to still execute the methods forgetConsentGiven and rememberConsentGiven even when cookies are disabled? @Findus23 @mattab

Stopped testing afterwards.

@mattab commented on December 11th 2019 Member

> We should double check that the user was actually opted out before changing the status of the checkbox ideally.

that'd be great.

> And if it didn't change the status, maybe we could show a message explaining to the user it didn't work and to retry or to contact the website owner? Maybe could even adjust the message if the opt out is running on http? @mattab Any thoughts? It would basically not work when the site is embedded using http and the user does not have the tracking code on the same page or the opt out iframe domain does not match the tracker domain...

If it's possible then it'd be great to explain in the error message why it doesn't work, e.g. "Opt-out feature is unfortunately not working because this site is not using https and the tracking code cannot be found on this page. Please contact the website administrator for help." or "Opt-out feature is unfortunately not working because this opt-out iframe domain $DOMAIN does not match the analytics service domain $DOMAIN2. Please contact the website administrator for help."

> I noticed it was actually not changing the status because I had disableCookies in my tracking code (https://matomo.org/faq/general/faq_157/). I wonder if we need to still execute the methods forgetConsentGiven and rememberConsentGiven even when cookies are disabled? @Findus23 @mattab

not sure of the code details, but the idea would be that consent mechanism should be completely independent of cookies and work the same whether or not cookies are enabled in tracker.

@tsteur commented on December 22nd 2019 Member

Note: we still need to ignore disableCookies setting when opting out or in... will create a separate PR for this https://github.com/matomo-org/matomo/pull/15309

@tsteur commented on December 23rd 2019 Member

FYI made a few tweaks...

  • making sure it works with more browsers as eg not all browsers support startsWith etc.
  • Showing an error message if a user has popup blocker enabled (which it is by default on Chrome) when changing the status
  • Showing an error message right away if cookies are disabled since it means it will most certainly not work I reckon
  • If when the popup closes, the optOut using postMessage did not work, then we may show a warning if we are on http. Generally we only show warnings if we are on HTTP as in all other cases things should work.
  • We can't fully detect if unsubscribe works because when the popup changes the ignore cookie, the cookies in the opt out frame are not updated and as such only a reload would help. However, we cannot really just reload since we don't really know if we will receive a confirmation message of the opt out through postMessage or not...

@diosmosis @Findus23 could you maybe have a look as well?

@diosmosis commented on December 24th 2019 Member

@tsteur looks ok to me though I didn't test locally and it is a fairly complicated PR. I like the interesting use of postMessage here, that seems like it could potentially have other use cases in the tracker (not just opt out and overlay).

It would be nice to be able to unit test the opt out JS if possible (maybe by loading it in karma and testing w/ angular unit tests?). Might be a bit of work to make that possible though; if it's a good idea we could create an issue for now.
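
The opt-out status rule from the December 10th comment and the feedback cases listed in the December 23rd comment, written as pure functions that can be unit tested. This is an added example, not code from this pull request or from Matomo: the function names, state fields, message shape and the exact-origin check on the postMessage confirmation are assumptions made for illustration.

```javascript
// Added illustration. All names, state fields and the message shape are
// hypothetical; none of this is taken from the Matomo code base.

// Opted out if EITHER ignore cookie is present (first- or third-party).
function isOptedOut(cookies) {
  return Boolean(cookies.firstPartyIgnore || cookies.thirdPartyIgnore);
}

// Accept the popup's confirmation only if it comes from the exact tracker
// origin and has the expected shape; any window can call postMessage.
function isTrustedConfirmation(event, trackerOrigin) {
  const d = event && event.data;
  return Boolean(event) && event.origin === trackerOrigin &&
    typeof d === 'object' && d !== null &&
    d.type === 'optOutChanged' && typeof d.optedOut === 'boolean';
}

// What to tell the visitor after they toggle the checkbox.
function feedbackAfterToggle(env) {
  if (!env.cookiesEnabled) return { level: 'error', reason: 'cookies-disabled' };
  if (env.popupBlocked) return { level: 'error', reason: 'popup-blocked' };
  if (isTrustedConfirmation(env.confirmation, env.trackerOrigin)) {
    return { level: 'ok', optedOut: env.confirmation.data.optedOut };
  }
  // Popup closed without a trusted confirmation: warn only on plain HTTP.
  if (env.pageProtocol === 'http:') {
    return { level: 'warning', reason: 'unconfirmed-on-http' };
  }
  return { level: 'none' }; // assumed: stay silent, other setups should work
}

// Constructed sample: HTTP page, confirmation arrives from an unrelated origin.
const sample = {
  cookiesEnabled: true, popupBlocked: false, pageProtocol: 'http:',
  trackerOrigin: 'https://analytics.example',
  confirmation: { origin: 'https://other.example',
                  data: { type: 'optOutChanged', optedOut: true } },
};
console.log(isOptedOut({ firstPartyIgnore: false, thirdPartyIgnore: true }));
console.log(feedbackAfterToggle(sample));
```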

This Pull Request was closed on December 31st 2019