Setting cookies requires manual consent checks


Well-known member
Affected version
Steps to reproduce
  1. Enable advanced cookie consent
  2. View a frontend page with a fresh browser
  3. Configure consent to not allow optional cookies
  4. Create an ad on position Container header with the following code
  5. PHP:
    XF.Cookie.set('from_search', 'unconsented-cookie-value');
  6. View another frontend page
  7. Check cookies
Expected Result
No cookie xf_from_search is present

Actual Result
Cookie xf_from_search is present nad has value unconsented-cookie-value

Suggested Fix
Cookie consent control should be mandatory on both client and server (for every cookie that is set/read via XF framework methods), not an Opt-In (for 3rd party code).
To keep backwards compatibility it might make sense to add an option to still allow unclassified cookies.
Top Bottom