Consent Manager (IAB TCF 2.2) 1.0.4

Changelog v1.0.4​

New Features — Google Revenue Fix​

• Google Additional Consent (AC) Spec: addtlConsent cookie is now set alongside euconsent-v2 — 199 Google AC vendors (Google #229, Xandr #80, Index Exchange #126, Criteo #154, Amazon #7, LiveRamp #12 etc.) can now bid in auctions
• GVL Import: Now also fetches Google's commonly-used-providers.json and stores google_ac_id per vendor — fully automatic, no manual setup
• __tcfapiLocator iframe: IAB-required cross-frame locator so iframed ad scripts (Prebid, Google GPT, etc.) can discover the CMP
• postMessage handler: Full cross-frame TCF API — ad iframes can query consent via postMessage (both in head stub and CMP JS)
• ping command in stub: Head stub now responds to ping immediately (before CMP loads) with cmpStatus: 'stub'

New Features — Dashboard​

• Re-request Consent: Dashboard button to invalidate all existing consents — increases consent version, all visitors see the banner again on next visit
• Reset Statistics: Dashboard button to delete all consent stats and logs with one click
• Consent version display: Shows current consent version in the dashboard Consent Management section

New Features — Validator​

Validator extended from 8 to 12 checks with 4 new Google integration tests:

• __tcfapiLocator iframe present
• Cross-frame postMessage handler active
• Google Additional Consent (AC) cookie support
• Active Google AC vendors count

Bug Fixes​

• Fixed 4 missing phrase definitions (deb_consent_vendor_special_purposes, _explain, deb_consent_vendor_features, _explain) — previously showed raw phrase keys in vendor edit form
• Fixed __tcfapi getTCData response now includes addtlConsent field for programmatic access

Technical​

• New DB column: google_ac_id (UINT, nullable) on xf_deb_consent_vendor
• New config key: consent_version in xf_deb_consent_config
• Head stub rewritten: TCF API stub with ping, __tcfapiLocator iframe, postMessage handler
• CMP JS: restoreConsent() now checks cmpVersion against consentVersion for re-consent
• CMP JS: persistConsent() encodes current consentVersion as cmpVersion in TC string
• New Repository method: Vendor::findByAcId()

---

Update Guide: v1.0.3 → v1.0.4​

v1.0.4 fixes a revenue problem: Many important ad bidders (Google, Xandr, Criteo, Index Exchange, Amazon, etc.) were not bidding even though the TCF string was correctly set.

Root causes & fixes:

1. Google Additional Consent (AC): The addtlConsent cookie was missing — ~199 vendors from Google's "commonly used providers" list require this cookie in addition to euconsent-v2
2. Cross-Frame TCF: The __tcfapiLocator iframe and postMessage handler were missing — ad scripts in iframes (Google GPT, Prebid, etc.) could not discover the CMP
3. Re-Consent: After the update, all existing users must re-consent so the new addtlConsent cookie gets set

---

Step 1: Upload ZIP & install​

Code:

Admin Panel → Setup → Add-ons → Install/upgrade add-on → Upload DEB-ConsentManager-1.0.4.zip

The upgrade automatically creates:

• New DB column google_ac_id in the vendor table
• Updated head stub template modification (with __tcfapiLocator + postMessage)
• New phrases (EN + DE)

Step 2: Import GVL (load Google AC IDs)​

Code:

Admin Panel → Consent Manager → Dashboard → "GVL Import" → Click "Start Import"

This imports:

• IAB Global Vendor List (updates vendor data)
• NEW: Google's commonly-used-providers.json → sets google_ac_id for ~199 vendors

Verification: After import, check the vendor list → the "AC" column should show green ID badges for many vendors.

Step 3: Activate vendors​

Code:

Admin Panel → Consent Manager → Vendors → "Activate All"

Step 4: Re-request consent (IMPORTANT!)​

IMPORTANT: Existing users have the old cookie WITHOUT addtlConsent. To set the new cookie, all users must re-consent.

Code:

Admin Panel → Consent Manager → Dashboard → Scroll to "Consent Management" → Click "Re-request Consent"

This increases the consent version. On the next page load, every visitor will see the consent banner again.

Step 5: Run validator​

Code:

Admin Panel → Consent Manager → Dashboard → "Run Validation"

Expected result: 12/12 checks passed, including:

• __tcfapiLocator iframe
• Cross-Frame postMessage
• Google Additional Consent (AC)
• Google AC Vendors (199 active)

Step 6: Browser verification​

1. Clear cookies (or use incognito window)
2. Open your site → Banner must appear
3. Click "Accept"
4. DevTools → Application → Cookies— check:
   • euconsent-v2 = set
   • addtlConsent = 2~7.11.12.15...229...
5. DevTools → Console — enter:
   
   Code:

   window.__tcfapi('getTCData', 2, function(d, s) { console.log('addtlConsent:', d.addtlConsent); });

   → Must output the AC string

---

Optional: Reset statistics​

To start with fresh numbers after the update:

Code:

Admin Panel → Consent Manager → Dashboard → "Consent Management" → "Reset Statistics"

Deletes all consent logs and statistics.

---

Troubleshooting​

Banner does not appear after re-consent:

• Check consent version (Dashboard → "Current consent version: 2")
• Clear browser cache (Ctrl+Shift+R)
• Check addon is enabled (Settings → "Enable Consent Manager")

addtlConsent cookie missing:

• Run GVL import (Vendor list → AC column)
• Activate vendors
• Clear browser cache and re-consent

Validator shows less than 12/12:

• __tcfapiLocator missing: Recompile templates or reinstall add-on
• AC Vendors = 0: Run GVL import
• postMessage missing: Check head stub template modification

---

Technical comparison​

Component	v1.0.3	v1.0.4
Cookies	euconsent-v2	euconsent-v2 + addtlConsent
Head Stub	Simple queue	+ __tcfapiLocator + postMessage + ping
Validator	8 checks	12 checks (+ Google integration)
Vendor DB	iab_vendor_id	+ google_ac_id
Dashboard	KPIs + Charts + Logs	+ Re-Consent + Stats Reset
CMP JS	No version check	cmpVersion ↔ consentVersion comparison

Bug Fixes:

• Fixed vendor edit form not pre-selecting checkboxes for Consent Purposes, Legitimate Interest Purposes, and Special Features when editing existing vendors
• Fixed purpose labels showing generic "Purpose 1", "Purpose 2" etc. instead of proper TCF purpose names in vendor edit form
• Fixed vendor list table not using full available width in admin panel

Improvements:

• GVL import now uses privacy URL as vendor URL fallback (GVL does not provide a separate website URL)
• Vendor edit form uses phrase-based purpose labels consistent with settings page (supports all installed languages)
• Vendor list table columns optimized for better readability at full width

Bug Fixes:
- Fixed consent toggle states not restored when reopening the consent dialog (e.g. "Select basic ads"
showing OFF even though it was saved as ON)
- Fixed public JavaScript file (js/addons/) not being updated during build - only the source copy
(src/addons/) was updated, causing the live server to serve the old version

Deleted cookie → Banner appears
Clicked "Customize" → Layer 2 opens
Enabled Purpose 2 "Select basic ads" → Toggle ON
Clicked "Save Selection" → Banner closes
Navigated to /consent/ → Clicked "Change Cookie Settings"
Dialog reopens → P1: ON, P2: ON, rest OFF

Note for Cloudflare users:
If you use Cloudflare, please purge your Cloudflare cache after installing this update
(Dashboard > Caching > Purge Everything). Clearing only the browser cache is not sufficient
as Cloudflare caches JavaScript files independently. Without purging, your visitors may
still receive the old JavaScript file.

Bug Fixes:

• Fixed Google Consent Mode script loading AFTER AdSense/gtag.js (moved to top of <head>)
• Fixed returning visitors seeing 'denied' consent until page fully loaded (cookie check now in <head>)
• Fixed Global Scope toggle breaking all banner JavaScript when disabled (XF renders false as empty string)
• Fixed missing XenForo cookie consent page phrases (third-party group and euconsent-v2 description)

New Features:

• Search/filter field in admin vendor list (filter by name, IAB ID, purposes, status)
• Search/filter field in admin consent logs (filter by user, IP, action, date)

Improvements:

• Google Consent Mode defaults + cookie check now injected at top of <head> before any Google script
• Changed German phrase "Cookie-Einstellungen ändern" to "Cookie-Einstellungen zurücksetzen"
• isServiceSpecific uses <xf:if> instead of JS negation (prevents broken JS when value is false)

Bug Fixes:

• Fixed "Function datetime is unknown" error on dashboard and logs (changed to date_time)
• Fixed banner not closing after Accept/Reject/Save when CMP JavaScript throws an error

Improvements:

• Banner buttons now hide wrapper before CMP call with try/catch error handling
• Banner always closes reliably regardless of JavaScript errors

Bug Fixes:

• Fixed ads not showing after consent was given (Google Consent Mode remained 'denied' on page load)
• Fixed Layer 2 Accept/Save/Reject buttons not working when reopened via "Change Cookie Settings"
• Fixed footer cookie settings link not clickable on mobile browsers (touch target too small)
• Fixed admin permission not auto-assigned to super admins on fresh install
• Fixed Layer 3 (Vendor Details) showing empty list
• Fixed Cookie Declaration link using button color instead of text color
• Fixed vendor privacy links using button color instead of text color
• Fixed duplicate font-size declaration in button CSS
• Fixed Dark Mode using wrong selectors root/.xfDark instead of XF 2.3 data-color-scheme)
• Fixed banner description text using opacity hack instead of proper secondary color
• Fixed purpose names showing raw phrase keys (deb_consent_purpose_{$purposeId}_name) in banner Layer 2
• Fixed IP address not displayed in dashboard and consent logs (missing Entity getter)
• Fixed date without time in log entries (date() changed to datetime())
• Fixed purpose settings having no effect on banner, consent page or vendor list

New Features:

• Vendor list in Layer 3 with search field and pagination (50 per page)
• IP address column in dashboard recent logs and consent log page
• Full datetime (date + time) in all log views
• Purpose settings now fully functional: disabled purposes are hidden from banner, consent page and vendor list
• Vendor list filtered by enabled purposes (vendors with only disabled purposes are removed)
• Vendor purpose badges filtered to show only enabled purposes

Improvements:

• All links use text color with underline on hover only
• Footer link has 44px min-height on mobile for reliable touch targets
• Google Consent Mode signals restored to 'granted' on every page load when cookie exists
• Banner event listeners always attached regardless of consent state for re-consent flow
• Dynamic purpose rendering via xf:foreach instead of hardcoded HTML
• Purpose names and descriptions resolved via XF phrases for proper translations
• Improved mobile responsive: smaller title, reduced modal padding, vendors stack vertically
• Dark Mode uses correct XF 2.3 selector [data-color-scheme="dark"]

Bug Fixes

• Fixed purpose acceptance rates chart showing empty (per-purpose stats were not recorded during consent actions)
• Fixed "Change Cookie Settings" button on /consent page not opening purpose selection layer
• Fixed settings not persisting after save due to entity cache not being cleared
• Fixed leading comma in purpose badges on logs, dashboard, vendors and consent page (XF foreach $i is 1-based)
• Fixed purpose chart labels showing only numeric IDs instead of readable names

Improvements

• Cookie settings button now opens Layer 2 (purpose selection) instead of revoking consent
• Added retry logic for deferred CMP JavaScript loading on consent page
• Purpose chart shows labeled bars (e.g. "P1: Store/access info")

Bug Fixes:
- Fixed consent log pagination causing "page not found" error when switching pages

Bug Fixes:

• Fixed "unknown getter" errors on consent log page (tc_string, source)
• Fixed log retention setting not accepting values like 365 days (changed step from 30 to 1)
• Fixed "Global Scope (Cross-Site)" toggle not saving when disabled
• Fixed _data/templates.xml not syncing with _output templates

Improvements:
- Improved settings save reliability with better default handling for checkboxes