Consent to embeds and iframes #33

Open
fclaussen opened this issue Apr 12, 2018 · 16 comments
@fclaussen
Member

From: darkmoonxarx

One of the challenges of GDPR is YouTube, Facebook and Instagram embeds, because they save cookies from external sources. In some cases a general “I understand” click at the beginning doesn’t suffice. So how about if your plugin could detect iframes and oEmbeds, replace them with a thumbnail with some legal info and not load them until they are clicked.
This is a plugin that does this with YouTube links: https://github.com/michaelzangl/wp-video-embed-privacy
Your plugin could go one step further and save the consent, so the user only has to click once. Also functionality for all oEmbeds, iFrames and potentially a shortcode to hide any type of content until permission is given would be awesome.

@fclaussen fclaussen added the enhancement New feature or request label Apr 12, 2018
@Creanimo

Creanimo commented Apr 13, 2018

Thanks for posting it here! To elaborate on that:

Purpose and reason

As mentioned above, showing iFrames and oEmbeds on the first visit is problematic because cookies and privacy policies might apply that the user of our website didn't give consent to - especially if they haven't confirmed the banner yet.

Description

Feature 1: Iframes and oEmbeds should automatically be replaced by

Minimum:
A text notice saying that this content will be available if the user accepts the privacy policy. There should be a clickable button or text link to activate a specific consent or cookie.
Good solution:
A predefined placeholder image (could also just be a div with a nice CSS gradient) spanning the approximate size of the oEmbed (16:9 for YouTube and Vimeo, 1:1 for Instagram, 2:3 for Facebook) with the text notice on top of it.
Best solution:
A thumbnail fetched from the source and cached on our own webspace with a semi transparent div overlay with the text notice on top of it. Maybe a mix with a generic placeholder when a preview cannot be fetched.

Settings in admin area:
Minimum:

  • Define the placeholder text for every oEmbed type (so we can link to the external privacy policies)
  • Checkbox: Switch on and off
  • Dropdown: "Make consent necessary every time", "Make consent necessary for every single oEmbed individually", "don't block content anymore after consent was given once"

Good solution:

  • Define placeholder image general or for specific oEmbeds

Best solution:

  • Checkbox: Caching of thumbnails on and off
  • Styling options

Optional:

  • Dropdown: Options for what the user can click on: "I accept button", "Slider/Checkbox for consent", "Just click on the overlay"

Feature 2: A shortcode to hide any type of content if (a specific) consent wasn't given

This way we can potentially hide any scripts or iframes embedded on the frontend.
Shortcode:
[have_consent][/have_consent]
Variables:
consent=" ", content only shows when user gave a specific consent (if this is not defined, a click on "I understand" on the banner is necessary).
cookie=" ", content only shows when a specific cookie is active.
option_type=" " defines what is appended where the user can click on to give consent

  • button: An "I agree" button setting general or a specific consent or cookie
  • checkbox: A checkbox setting general or a specific consent or cookie (maybe with a button to submit the choice?)
  • text: An "I agree" text link.
  • settings: A button leading to the settings overlay so the user can set the consent/cookie there. Should be open on the correct page if it is for a specific one.

If general consent or the specific one is missing, there should be a message that can be predefined in the settings with a button that opens the user's privacy settings. If a specific consent or cookie is necessary, it should already show the specific setting.
no_consent_message=" " can be used to enter a custom message for the consent needed notice.
Optional Shortcode:
[missing_consent][/missing_consent] with variables consent= and cookie=, which displays content when general or a specific consent/cookie isn't active.

What could set the GDPR plugin apart from others

  • Support for all oEmbeds and iFrames
  • Consent can be saved, so the user doesn't have to give consent every single time.
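
The gate-then-release behaviour requested in the comment above, as an added example that is not code from this plugin or from any participant in the thread: iframes are rewritten into inert placeholders so the browser makes no third-party request, and are restored only for providers the visitor has consented to. The function names, the `embed-gate` markup and the provider host list are assumptions; the aspect ratios are the ones proposed in the comment.

```javascript
// Added example. Host lists are assumptions; ratios are the ones proposed in the thread.
const PROVIDERS = {
  youtube:   { hosts: ['youtube.com', 'youtube-nocookie.com', 'youtu.be'], ratio: '16:9' },
  vimeo:     { hosts: ['vimeo.com'], ratio: '16:9' },
  instagram: { hosts: ['instagram.com'], ratio: '1:1' },
  facebook:  { hosts: ['facebook.com'], ratio: '2:3' },
};

// Map an embed URL to a provider id; anything unrecognised is gated as 'other'.
function providerFor(src) {
  let host;
  try { host = new URL(src, 'https://site.invalid/').hostname.toLowerCase(); }
  catch { return 'other'; }
  for (const [id, p] of Object.entries(PROVIDERS)) {
    if (p.hosts.some(h => host === h || host.endsWith('.' + h))) return id;
  }
  return 'other';
}

const escapeAttr = s => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
const unescapeAttr = s => s.replace(/&gt;/g, '>').replace(/&lt;/g, '<')
  .replace(/&quot;/g, '"').replace(/&amp;/g, '&');

// Regexes cover typical oEmbed iframe markup; attribute values containing '>' are assumed absent.
const IFRAME_RE = /<iframe\b[^>]*>[\s\S]*?<\/iframe\s*>/gi;
const SRC_RE = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const GATE_RE = /<div class="embed-gate" data-provider="([a-z]+)"[^>]*data-embed="([^"]*)">[\s\S]*?<\/div>/g;

// Replace every iframe without consent by a placeholder holding the escaped original markup.
function gateEmbeds(html, consented = new Set()) {
  return html.replace(IFRAME_RE, tag => {
    const m = SRC_RE.exec(tag);
    const id = providerFor(m ? (m[1] ?? m[2] ?? m[3]) : '');
    if (consented.has(id)) return tag;
    const ratio = (PROVIDERS[id] || { ratio: '16:9' }).ratio;
    return `<div class="embed-gate" data-provider="${id}" data-ratio="${ratio}" ` +
      `data-embed="${escapeAttr(tag)}">` +
      `<button type="button">Load ${id} content</button></div>`;
  });
}

// Restore the original iframe for each placeholder whose provider is now consented.
function releaseEmbeds(html, consented) {
  return html.replace(GATE_RE, (gate, id, embed) =>
    consented.has(id) ? unescapeAttr(embed) : gate);
}
```

Because the gated markup is identical for every visitor, it can be served from a page cache, with the saved consent applied afterwards on the client.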

@fclaussen
Member Author

I was watching a video on Twitter this morning and they showed a cookie consent message before playing. So I'm guessing individual providers will take care of this issue. Making that update might mean you have to click twice if providers really go down that path.

Keeping this on hold until we are closer to the deadline to see what major providers are doing.

@Creanimo

Interesting that Twitter is already implementing sth like this.
Technically even loading the privacy note from an external server is against GDPR though because an IP address is transmitted.
And I still see advantages in a shortcode... An iframe could be anything. I have a couple of scripts and iframes like the forms from viral loop I couldn't use without such a tool... or a lot of manual work.
I just doubt every provider will include such a message... and it's up for debate if showing the external message is already passing on user data.

@fclaussen
Member Author

From what I understood, the way they do it does not pass any user data at all.

They just check if their cookie is set. If not, they display the message alerting that choosing to view the video will set a cookie and an OK button.

@Creanimo

But a transaction of the user's IP would still be necessary to serve the cookie notice, right? I mean, we are in unprecedented territory here, but I swear I heard some lawyers warning even against loading images from external servers before consent to the privacy policy. I am pretty sure that an iframe is just as problematic even when just showing a cookie notice.

@Creanimo

Creanimo commented Apr 29, 2018

Another plugin called Borlabs Cookie solved it like this:
https://borlabs.io/borlabs-cookie-iframe-demo/
They also have a shortcode to block any content within the shortcode before consent was given.

Will we see this functionality in this plugin?

@fclaussen
Member Author

Blocking content via shortcodes is a nice idea. I can add that in.
I'm not ready to block iframes still. But if you can block a section based on a shortcode, then I guess that would do the trick for that case too?

@Creanimo

Shortcode would be a great first step.

I have hundreds of video embeds on my site though, so an automatic blocking of oEmbeds and iframe tags (like Borlabs Cookie does) would be amazingly helpful. I could of course use Borlabs Cookie for the moment, but it would be awesome to have detailed choices for the user which oEmbeds to block in the settings pop-up of the GDPR plugin.

@Barrans
Contributor

Barrans commented Apr 30, 2018 via email

@Barrans
Contributor

Barrans commented Apr 30, 2018 via email

@Creanimo

Creanimo commented May 9, 2018

I have to stress again that I see the shortcode only as an additional option. I have 5 years of YouTube and Facebook embeds. An automatic solution detecting oEmbed and iFrame code is the only way to get my site GDPR compliant without checking every single post individually. Do you think this will be a function of the plugin (ideally around the GDPR deadline)?

@C44Supra

Any updates on this? How do we go about embedded content from YouTube or Instagram? Even though you can use youtube-nocookie.com, I'm still seeing cookies being set by google.com. (Only happens on pages with an embedded YouTube video.) I would very much like to lock this down if at all possible.

@fclaussen
Member Author

This is planned for June 11th

@kasperkamperman

This would be a necessary function to make a site GDPR proof. Unfortunately this is not supported by many plugins. However Vimeo loads a cookie on embed. Twitter indeed puts a message before playing a video (however I think they still set a language cookie without permission).

This plugin (https://nl.wordpress.org/plugins/eu-cookie-law/) blocks embeds with a banner, however it doesn't work with caching plugins like WP Super Cache.

@fclaussen
Member Author

Not all cookies need blocking. Some cookies are ok. It's a fine line.

@maxammann

Seems like there is no open source solution available so far.


6 participants