Can't register without accepting third party cookies

K

Kirby

Well-known member
Affected version
2.2.12
Steps to reproduce
  1. Enable advacned cookie consent
  2. Set CAPTCHA to hCpatcha
  3. As a guest configure cookie preference to only accept essential cookies
  4. Try to register a new account
Expected Result
Registration is still possible (shows an option to consent ReCaptcha), maybe with a notice that if ReCaptcha is not consented registration will have to undergo manual approval (Preferred)
or
A message stating that consent for hCaptcha (only hCpatcha, not all 3rd parties) must be given

Actual Result
Registration is not possible without accepting all 3rd party cookies.
Requesting consent for all kinds of 3rd party cookies (like Google Analytics, Facebook, etc.) is way too broad just for registration) and doesn't seem compliant with GDPR Art. 7 (4).
 
Is it better not to activate this option then? It seems critical that this can prevent visitors from registering! It's already not easy to find visitors who want to take the plunge of registration but if in addition we put a spoke in their wheels...
 
Nicolas FR said:
Is it better not to activate this option then? It seems critical that this can prevent visitors from registering! It's already not easy to find visitors who want to take the plunge of registration but if in addition we put a spoke in their wheels...
Click to expand...
I would say test it in a dev before turning it on in live to make sure you know the impacts. That's how I am proceeding. I upgraded my life this morning but won't turn the cookie features on until I have tested them thoroughly in my dev. And also written some introductory material on them and on cookies to post.
 
Nicolas FR said:
Is it better not to activate this option then?
Click to expand...
You are referring to the cookie consent?
If you have to comply with GDPR or similar laws it is legally required.

But you can use a privacy friendly CAPTCHA (like Question & Answer, this doesn't require Cookies) or no CAPTCHA at all (this would be the most userfriendly option).
 
CF Turnstile does not set any cookies so that’s an option too if you do not wish for users to accept cookies before registering.
 
Chris D said:
CF Turnstile does not set any cookies so that’s an option too if you do not wish for users to accept cookies before registering.
Click to expand...
Turnstile isn't an option either under GDPR as data (the users IP address) might be transferred to the USA.

As the "Privacy Shield" agreement beween the EU and the US has been turned over by EUCJ ruling C-311/18 (and there is no replacement yet) such data transfer requires user consent as per GDPR Art. 6 (1) a - no matter if cookies are used or not.
 
Kirby said:
You are referring to the cookie consent?
Click to expand...
I'm referring to the advanced cookie consent.
If i use the "old" cookie system i'm still legally good isn't it ?

The problem you described comes from the new cookie consent, which is beta, correct ?
 
Thanks.

And so if i understand well if i activate the advanced cookie consent but i set CAPTCHA to another system than hCaptcha this combo will no prevent users to register to my forum if they only accept essentials cookies, right ? I want to be sure to not missing something.
 
Nicolas FR said:
but i set CAPTCHA to another system than hCaptcha this combo will no prevent users to register to my forum if they only accept essentials cookies, right ?
Click to expand...
As pointed out before, you'd need to use
  • No CAPTCHA
  • Question and Answer
  • Text Captcha
  • Turnstile (see previous notes)
for users to be able to register without accepting 3rd party cookies.
 
Last edited:
xenforo.com

Third-party JS states are loaded when third-party cookie consent has not been given

Steps to reproduce Enable advanced cookie consent Create a post with an embedded tweet Start a fresh / clean browser and access the forum homepage but don't interact with the consent layer Open developer console, open Network tab and tick the option to preserve the log Navigate to the post...
xenforo.com xenforo.com
xenforo.com

Not a bug - Google can't index consent protected content

I am not 100% sure, but as far as I can see Google (or any other crawlers) are not able to view / index consent protected content (like embedded videos) if advanced cookie consent is being used: In most cases that I have looked at we can crawl and index the content normally. So waht is...
xenforo.com xenforo.com
xenforo.com

Fixed - 3rd party identifiers for BB Code Media sites

There are a few issues with 3rd party identifiers for BB Code Media Sites: TikTok is missing an identifier Instagram and Facebook share the same identifier meta While it is correct that both services are offered by Meta, they are individual services and it therefore should be possible to allow...
xenforo.com xenforo.com
xenforo.com

Method setupCookieConsent seems inefficient

Method \XF\App::setupCookieConsent() is called whenever cookie consent is being used, for example when displaying an embedded media. This method does quite some work: Instantiates a CAPTCHA Loops through all media sites Loops through active payment providers This seems pointless if cookie...
xenforo.com xenforo.com
xenforo.com

Consent layer gets longer than viewport height

Due to legal requirements we wolud most likely have to make phrase cookie_consent_description a bit longer than the default. Unfortunately if we do that, the layer covers the whole screen on mobile and doesn't even show the action buttons above the fold. This should be changed so the layer...
xenforo.com xenforo.com
xenforo.com

Setting cookies requires manual consent checks

Steps to reproduce Enable advanced cookie consent View a frontend page with a fresh browser Configure consent to not allow optional cookies Create an ad on position Container header with the following code XF.Cookie.set('from_search', 'unconsented-cookie-value'); View another frontend page...
xenforo.com xenforo.com

It's starting to do a lot not for a single feature, right? Ok it's a beta feature and it implies imperfection but we're not talking about just anything but a system that allows you to comply with national and international laws. Or the only way to detect these flaws was to make this feature public? But if you are able to spot them, why aren't XenForo developers? Or do they not have the means to do so? Not enough people, lack of time... The skills for sure they have them.

Personally, I find that worrying.
 
Or maybe also XenForo was pressed for time to comply with privacy laws etc... And so it was put into action a bit in a rush, that would explain it... 🤷‍♂️
 
This is nonsense... sorry, but:

The point is that we now have the situation that there are corresponding laws and that non-compliance can be expensive if you are warned by a lawyer.

So the question is not whether we think the laws are great or not, but whether Xenforo has an interest in continuing to earn money from European customers.
Personally, I also think some points of data protection are exaggerated - but that doesn't change the legal situation.

Likewise, one cannot keep saying that it is only a German problem - yes and no. Our government has largely implemented the EU data protection regulations and in some cases even exceeded them. But that doesn't mean that the situation, which other EU countries have been dealing with much more laxly so far, can't change after all.

At the end of the day, none of this is surprisingly new and certainly easy to implement if you really want to (hello Xenforo developers). I don't think it's a matter of skill. ;)

And I also hope that the problems will still be fixed, after all this feature has only been marked as a beta so far. :)
 
twollert said:
I think so too. Thanks to @Kirby for investigating. (y)

@Chris D: It would be great if all those bugs related to the Advanced Cookie Consent system could be fixed with a Patch for 2.2.12. Any chance?
Click to expand...
No. Of course there won’t be a patch. If the functionality isn’t working to your satisfaction you can just switch it off.

The functionality is also clearly marked as a beta. We’re not going to be breaking our backs and rushing out fixes for beta functionality.

Things will be fixed on a best effort basis IF certain reports are considered to be worthy of fixing at all.
 
The fact is that I don't know anything about the GDPR and consorts at all and therefore I rely mainly on what I can read here on this forum: What I understand is that it's something mandatory and that any website that stores personal data about its users must comply with it. What I understand is that the basic cookie system is not up to standard on XenForo and that probably this feature, currently beta, tends to solve this lack.

So now if we are told that we are not going to break our backs finding solutions to the bugs detected and that therefore, IF I HAVE UNDERSTOOD CORRECTLY, as it stands, this functionality still does not meet the GDPR and equivalent what is it for?? And so using XF 2 are we in rule or not ???

Otherwise, given the tone of the response, if it annoys the XenForo developers that their customers ask them to account for their paid products, that they hire someone for customer relations... It's enough that you almost never communicate, but if when you deign to answer us it's to tell us it's like that and that's it if you're not happy it's the same it gets serious!
 
Nicolas FR said:
So now if we are told that we are not going to break our backs finding solutions to the bugs detected and that therefore, IF I HAVE UNDERSTOOD CORRECTLY, as it stands, this functionality still does not meet the GDPR and equivalent what is it for?? And so using XF 2 are we in rule or not ???
Click to expand...
You’re misrepresenting what we’re discussing here.

We were asked to push out a 2.2.12 Patch 1 in order to fix this issue and we’re just not going to do that when a) this functionality is in beta b) you do not have to use the functionality and you can change the option to “simple” to revert back to the same functionality as has existed for several years and c) patches take time to deploy and test on top of fixing any issues. Any issues we confirm to be issues will be fixed but will be fixed in future third point releases and not in emergency patch releases.

I don’t think that is unreasonable.
 

Similar threads

RobinHood
Fixed Accepting third party cookies for media embed (YouTube) when logged out requires page refresh to view media content
Replies
4
Views
180
Lee
Lee
⭐ Alex ⭐
  • Suggestion Suggestion
Lack of interest Accept Third Party Cookies - Show which "cookie"
Replies
0
Views
500
⭐ Alex ⭐
⭐ Alex ⭐
Marcus
Server issue Can't register without outcommenting a ZEND file
Replies
14
Views
1K
Mike
Mike
Back
Top Bottom