In order to ensure compliance with the Cookie Law when using AMP, I need to be able to block the scripts that install cookies and activate them only once the user has given consent. I'm trying to achieve this on AMP-compliant pages, but I'm having the issues described below.
Upon reading the AMP documentation, I noticed that it is only possibile to insert scripts if the script type is set to “application/ld+json”.
The way we currently handle the blocking and re-activation of scripts once the cookie consent has been provided is to change the script type into plain/text in the page source, then switching it back via javascript only after the consent has been given.
How can we achieve this on an AMP-compliant page?
If it's not possibile insert custom script tags, can I create an “AMP-plugin” or a script accepted by the AMP system that makes me achieve the same?
Is it possible to prevent AMP activation at page load to then activate it with a specific trigger?
Also, we've noticed that the AMP js itself is installing cookies. Can the load of the AMP js also be subject to user consent to cookies?
Thanks in advance for your help.
Cookies might be troublesome either way. AMP sites are delivered via Google CDN - so they run on a google subdomain instead of your own domain. This is done by Google to further accelerate the render speed of the site.
So even if you could write a cookie, its scope would be the google subdomain, instead of your own domain.
There seem to be some work-arounds in context of the amp-analytics plugin:
https://www.ampproject.org/docs/guides/analytics/analytics_basics
Here is a cookie accept sample.
Hope this helps. Normaly it is okay to inform the user only that you use cookies.
If you want block cookie before loading the AMP you must handle it self by a script. Same whren user not accept.
Cookie writing can be controlled by passing in amp-user-notification-id as described in https://github.com/ampproject/amphtml/blob/master/extensions/amp-analytics/analytics-vars.md#clientid
The exact code that you need to use depends on what component is writing the cookies. Is it an analytics vendor or an ad or something else?
Related
I am loading a script from Youtube on page load, which loads the script and creates some cookies, which are needed from Youtube.
Now, I have implemented OneTrust to work on cookies based on user consent. In Onetrust, there is a config to block any cookies to be created before any user consent. Here, other cookies are getting blocked except Youtube cookies. I am looking for any reason as if why Youtube cookies are created even before the user gives consent.
Any pointers would be appreciated! Thanks!
1- You must enable automatically block known tracking technologies before publishing:
2- Make sure you implemented the script before any other scripts into the "head" section of the HTML template. If you integrate it via GTM, make sure OneTrust script fired first.
I've recently stumbled upon a website called Overlay101 which allows you to create tours for other websites.
I was very interested to see the technique they use to load the third party websites for editing.
When you type the address of the website, it is loaded as a sub domain of the overlay101.com website.
For example, if I type https://stackoverflow.com/questions/111102/how-do-javascript-closures-work - it is loaded as http://stackoverflow.com.www.overlay101.com/questions/111102/how-do-javascript-closures-work
I was wondering how is that subdomain creation achieved and I saw in the source code of the page that JavaScript in injected. I was wondering how was that possible too.
What intrigued me most is that Stackoverflow.com does not allow pages to be loaded within frames - I was wondering how they managed to load up the page so that tour popups could be added.
They simply use wildcard DNS entries to make all subdomains work. They then use the Host header to get the original domain name and download the HTML code of the site. Since they do this on the server side they do not need any frames etc.
I am setting up an A/B test with Google's website optimizer.
I have a page:
wwww.example.com/landingpage
and some variations:
www.example.com/landingpage0
www.example.com/landingpage1
www.example.com/landingpage2
the conversion page is on:
www.subdomain.example.com/goal
Website Optimizer's wizard interface, is not accepting the goal page because it's on "a different domain" and apparently there's no way to proceed with the next step.
However, if I "fake" the procedure, and specify
wwww.example.com/fakeGoalPage
the wizard will allow me to continue the set-up.
What I do next is to put the goal-page code in my real goal page, and hope that the test will work.
My question is if this practice is correct or if you can suggest me a better way to solve this problem..
Thank you
By default, Google Website Optimizer sets its cookies on the current domain (document.domain). So, the cookies from www.example.com won't be available when they convert on subdomain.example.com. The solution to that is to follow the instructions from this help center: Customizing Google Website Optimizer code for multiple subdomains?
Basically:
First, you add the following line just before your control script:
_udn = ".example.com";
Then you change your tracking and conversion scripts to allow for cross domain cookies.
Assuming you're using the async syntax, that means this goes before the gwo._trackPageview.
_gaq.push(['gwo._setDomainName', '.example.com']);
(An alternative is to set your goal as a URL on example.com, create that page, and then place the conversion script as the only thing on that page, and include it as an iframe on the conversion page.)
I don't think this is possible, but it never hurts to ask.
Is there any way for me to host a file (or folder) on someone else's domain (with their permission, of course)? For example, if their site is hosted at www.example.com, I would like to host a file at www.example.com/foo.html, or a folder at www.example.com/foo/, or the like. I just need to be able to make changes at will to a single file.
We can't use a redirect or anything like that - the purpose of this is to allow me to control a document loaded in an <iframe> on their site, and for the JavaScript in that <iframe> to have access (i.e., no security restrictions) to its parent page - which is only allowed if the domains match. Their site doesn't change the document.domain property to relax the security restrictions, nor can we ask them to start using that approach (it's an enormous site).
I also can't generate an <iframe> and create its document solely using JavaScript - we've done that in the past, and it gets around the security restrictions (the generated <iframe> is in the same domain as its parent page), but it causes other issues and difficulties that add up to a deal-breaker in this case.
Please let me know if you have any alternative suggestions, or if you need any more information about what exactly I'm trying to do.
Thanks in advance for any help!
I hope I'm understanding this correctly. Since you have their permission to host a file on their site, can you just use FTP? They can set you up to only be able to drop files in one directory on their site, and you can edit the file there.
Provide embed code to the other party to load remote javascript file to their page. You may then generate content or information gathering. As the javascript file is hosted on your side, it's under your control. A Visitor Counter is a similar case.
You could make a php script that loads it's data from your own site.
this should work actually:
<?php echo file_get_contents("http://www.yoursite.com/yourfile.html"); ?>
Edit: You might be able to do the same with javascript, but i don't know the code for it... Sorry. :-/
Sounds like your friend can set up a reverse proxy rule on their web server for your file. http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
Is there any way to programatically disable cookies being created by a page displayed inside of a frame/iframe? Or to generalise further, is it possible to programatically disable javascript running on such a page?
Thanks,
DLiKS
with iframe sandbox attribute (html5) it will be possible (implemented in chrome)
http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox
NullUserException already answered what you can do today without browser support
The only way you could change that for an external website you have no control over is to retrieve the pages using a server-side script, filter the input and display it to the user (ie: act as a proxy).
You just can't modify sites out of your domain (or subdomain - it might depend on the browser) using J/S for security reasons.
If you mean that you want to change the settings of the browser by code in a web page, then no, this is not possible (and if it were possible, it's a huge security breach and all alarms would go off).
You may surpass this, however, by writing a plugin, but then each user must first download the plugin. You can also request higher priviledges, but it'll depend on the browser whether you can change any user settings.
If you mean that you want to write a script on every pc in your company to disable JS + cookies for certain pages, you can write plugins and install them everywhere, or use a proxy (as has been suggested by others) and filter the pages. If it is just for debugging a self-made page, use the Developer Toolbar for the various browsers, that can turn JS/Cookies on and off.
Why would you want to do such a thing? If you want to disable cookies, you disable it on your own page by simply not using cookies. The same goes for javascript: don't add it to your page and you've disabled it on your page.
Note: if any page would change anything of the user settings of the browser, your page will probably be blacklisted by Google, most virus scanners and fishing prevention tools.