Third-party JS states are loaded when third-party cookie consent has not been given

Kirby

Well-known member
Affected version
2.2.12
Steps to reproduce
  1. Enable advanced cookie consent
  2. Create a post with an embedded tweet
  3. Start a fresh / clean browser and access the forum homepage but don't interact with the consent layer
  4. Open developer console, open Network tab and tick the option to preserve the log
  5. Navigate to the post created in step 2
Expected Result
A message is shown that 3rd party consent is required to view the embedded content and nothing is loaded from Twitter

Actual Result
A message is shown that 3rd party consent is required to view the embedded content but JavaScript is loaded from *.twitter.com

[Screenshot: 1670721003930.png]

As can be seen in the screenshot, the Twitter JavaScript (although no Twitter content is being shown on the screen!) even sends pings / tracking information.
 
This also affects
  • Facebook
  • Imgur
  • Instagram
  • Pinterest
  • and probably any oembed-compatible media site
A possible solution could be to replace code like
Code:
<xf:page option="jsState.instagram" value="{{ true }}" />

<div class="bbMediaJustifier" data-media-site-id="{$siteId}" data-media-key="{$id}">

with something like

Code:
<div class="bbMediaJustifier" data-xf-init="jsstate" data-jsstate="instagram" data-media-site-id="{$siteId}" data-media-key="{$id}">

This way the required external JavaScript libs would only be loaded when the actual embed code is in the DOM
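
The loading rule described in this post, as an added example in plain JavaScript (not XenForo's code and not code from the original post): the library for a media site is requested only when an embed container for that site is actually in the DOM and the visitor has granted third-party consent; until consent is given the need is parked and no request leaves the browser. The script URLs, the `data-xf-init="jsstate"` / `data-jsstate` attributes, the fake document and every function name are assumptions for illustration.

```javascript
// Added example, not XenForo code. Assumed URLs; the real ones are whatever the
// media-site definition of each BB code uses.
const THIRD_PARTY_SCRIPTS = {
  twitter: 'https://platform.twitter.com/widgets.js',
  instagram: 'https://www.instagram.com/embed.js',
  facebook: 'https://connect.facebook.net/en_US/sdk.js',
};

// Consent-gated, on-demand loader. `hasConsent` is queried at load time, and
// `injectScript` is the only place a network request can originate.
function createEmbedLoader({ scripts, hasConsent, injectScript }) {
  const loaded = new Set();  // site ids whose library has been injected
  const pending = new Set(); // site ids with an embed on the page, waiting for consent

  // Called once per embed element found in the DOM, never as a page-level option.
  function requestSite(siteId) {
    if (!(siteId in scripts)) throw new Error(`unknown media site: ${siteId}`);
    if (loaded.has(siteId)) return 'already-loaded';
    if (!hasConsent()) {
      pending.add(siteId);   // remember the need, but make no request
      return 'blocked';
    }
    injectScript(scripts[siteId]);
    loaded.add(siteId);
    pending.delete(siteId);
    return 'loaded';
  }

  // Called by the consent layer once the visitor accepts third-party content.
  // Only sites that actually have an embed on the page get loaded.
  function onConsentGranted() {
    return [...pending].filter((siteId) => requestSite(siteId) === 'loaded');
  }

  return {
    requestSite,
    onConsentGranted,
    loadedSites: () => [...loaded].sort(),
    pendingSites: () => [...pending].sort(),
  };
}

// Walk the document for embed containers and ask the loader for each one.
// Works against the real DOM and against the constructed stand-in below.
function initEmbeds(loader, doc) {
  const results = {};
  for (const el of doc.querySelectorAll('[data-xf-init~="jsstate"]')) {
    const siteId = el.getAttribute('data-jsstate');
    results[siteId] = loader.requestSite(siteId);
  }
  return results;
}

// Replays the scenario from the bug report: a fresh visitor opens a thread with
// one embedded tweet, ignores the consent layer, then later accepts.
function runScenario() {
  let consent = false;
  const requested = []; // every URL that would have been fetched
  const loader = createEmbedLoader({
    scripts: THIRD_PARTY_SCRIPTS,
    hasConsent: () => consent,
    injectScript: (url) => {
      requested.push(url);
      if (typeof document !== 'undefined') { // real browser: inject the tag
        const s = document.createElement('script');
        s.src = url; s.async = true; document.head.appendChild(s);
      }
    },
  });

  // Constructed stand-in for the thread page: one tweet embed, nothing else.
  const fakeDoc = {
    querySelectorAll: () => [
      { getAttribute: (name) => (name === 'data-jsstate' ? 'twitter' : null) },
    ],
  };

  const beforeConsent = initEmbeds(loader, fakeDoc); // { twitter: 'blocked' }
  const urlsBeforeConsent = requested.length;          // 0: nothing left the browser
  consent = true;
  const loadedOnConsent = loader.onConsentGranted();   // ['twitter']

  return {
    beforeConsent,
    urlsBeforeConsent,
    loadedOnConsent,
    requested: [...requested],
    loaded: loader.loadedSites(),
  };
}
```

The check a tester would repeat from the report's steps: with the Network tab preserving its log, `urlsBeforeConsent` must stay at zero until the consent layer is answered, and Instagram never loads in this scenario because no Instagram embed is on the page, even after consent.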
 
@Kirby: Well noticed and a severe bug.

That's a huge problem and a potential legal risk. Without user consent a forum owner is not allowed to embed third-party requests, regardless of whether cookies are set or not. That's because by requesting external resources the IP address is sent to the third-party server, which is forbidden without user consent in the EU.

This should be fixed as soon as possible.
 