Add single cookie consent API #3854
Merged
andysellick force-pushed the single-consent-api branch from b67a64b to 8040e72 (February 6, 2024 16:09)
andysellick force-pushed the single-consent-api branch from 8040e72 to 42272bd (February 6, 2024 16:12)
andysellick force-pushed the single-consent-api branch from 42272bd to c68acb8 (February 7, 2024 09:56)
andysellick force-pushed the single-consent-api branch from c68acb8 to a2b5eaf (February 7, 2024 10:03)
andysellick force-pushed the single-consent-api branch from f433fbe to 57cd7d2 (February 7, 2024 17:29)
andysellick force-pushed the single-consent-api branch from 57cd7d2 to cc0f2f5 (February 8, 2024 12:53)
andysellick force-pushed the single-consent-api branch from cc0f2f5 to 08ba963 (February 8, 2024 13:09)
andysellick force-pushed the single-consent-api branch from 08ba963 to da19de2 (February 8, 2024 13:12)
andysellick force-pushed the single-consent-api branch from da19de2 to f04ce80 (February 8, 2024 13:13)
andysellick force-pushed the single-consent-api branch from f04ce80 to b9460c7 (February 8, 2024 13:24)
andysellick force-pushed the single-consent-api branch from b9460c7 to 2f9cab2 (February 8, 2024 14:08)
andysellick force-pushed the single-consent-api branch from 2f9cab2 to ac17b82 (February 8, 2024 15:36)
andysellick force-pushed the single-consent-api branch from ac17b82 to 5a9d77f (February 8, 2024 15:43)
andysellick force-pushed the single-consent-api branch from 3d97017 to 5820482 (March 5, 2024 14:42)
andysellick force-pushed the single-consent-api branch from 5820482 to c6d89cb (March 5, 2024 14:47)
andysellick force-pushed the single-consent-api branch from caa16e7 to bde80bc (March 5, 2024 14:55)
andysellick force-pushed the single-consent-api branch from bde80bc to a402430 (March 5, 2024 15:21)
andysellick force-pushed the single-consent-api branch from a402430 to 679a976 (March 6, 2024 11:54)
andysellick force-pushed the single-consent-api branch from 679a976 to 7a6ca88 (March 6, 2024 11:55)
andysellick force-pushed the single-consent-api branch from 7a6ca88 to 632a610 (March 6, 2024 12:06)
- adds code to include and manage our use of the single consent API code
- init is called by the cookie banner code on every page, which determines which API endpoint to use (staging or prod) and creates the GovSingleConsent object
- useConsentApi is called across the code to check whether or not to use the consent API, this will be set in static
- the default callback for the consent object checks the returned response and if the user has consented, triggers the cookie-consent event, which will initialise analytics and hide the cookie banner
- setPreferences allows user consent to be set through the API
- use load analytics environment list for consent API URL

- update the cookie banner component JS to use the single consent API code
- stores an internal variable to check whether or not to use the consent API
- if false, behaviour should be as normal
- if true, should yield setting of consent cookies entirely to the consent API code
- update cookie banner tests accordingly

- updates the JavaScript for the cookie settings page to use the single consent API code
- stores an internal variable to check whether or not to use the consent API
- if false, behaviour should be as normal
- if true, should yield setting of consent cookies entirely to the consent API code
- note that this code sends its own callback function for the consent API, which sets the initial form values on page load, this means that any delay in the API call will result in these fields being unfilled until it responds

- previously the consent cookie was always set (to reject all cookies) prior to user choice
- now that we're not doing that, the code that turns links to Youtube videos in govspeak content into embedded videos was checking for the consent cookie, not finding it, and defaulting to... true.
- this meant that videos were appearing on a page before users had consented to cookies
- setting the default value to false seems to be the simplest way to fix this. Videos still initialise automatically as before once cookies are consented to

- now that the domain config contains information about more than just analytics, it feels like it should be separated out for clarity
- updated docs and tests accordingly
andysellick force-pushed the single-consent-api branch from 632a610 to 7b5f751 (March 8, 2024 10:01)
andysellick changed the title from "[DO NOT MERGE] Add single cookie consent API" to "Add single cookie consent API" (Mar 8, 2024)
AshGDS approved these changes (Mar 8, 2024)
Nice work 👍
What / why
Adds code for the single consent cookie API to allow cookie preferences to be shared across GOV.UK.
Supersedes #3829
How this works
The single consent API should take control of the setting of cookies relating to cookie consent. Fortunately it sets exactly the same cookies as we do now:
- cookies_preferences_set indicating that a user preference has been made
- cookies_policy showing the preferences chosen (set by default to no consent)
Testing scenarios
There are two main things to test - when the consent API is enabled, and when it is not. When it is not enabled (by default) everything should work as normal. This means:
- cookies_policy to reject all but essential cookies, and no other cookies
- cookies_policy cookie, and the cookies_preferences_set cookie should also be set
- /help/cookies should reflect the contents of the cookies_policy cookie, and allow it to be changed
When the consent API is enabled, the behaviour should be similar but the consent API code should set these cookies, not our code. Additionally:
- gov_singleconsent_uid cookie, containing the user's randomly generated anonymous ID
- reject
Testing locally
Check out this branch and run yarn install to get the single consent API code.
To make testing easier and keep the gem compatible with applications that do not need the single consent API, it is disabled by default. It is enabled by setting window.GOVUK.useSingleConsentApi = true. For the purposes of testing this can be set in your local static.
You'll need to run frontend (it renders the cookies page) running locally through docker with a local static, both pointed at this branch of the components gem. You'll need to modify config/initializers/content_security_policy.rb in frontend so that the CSP allows JS to make requests to the consent API. The staging URL has changed during development, is currently https://gds-single-consent-staging.app/.
You can test the scenario of arriving at GOV.UK having set cookie preferences on another site by either:
- https://www.gov.uk?gov_singleconsent_uid=<id>. You can get the value for id from the gov_singleconsent_uid cookie (after it has been successfully set)
- gov_singleconsent_uid cookie, then delete all other cookies (this wouldn't happen in real life, but it's an easy way of simulating the consent api already being initialised)
To test link decoration going from GOV.UK to a participating site you can use the consent API staging site https://gds-single-consent-staging.app/ (this is why the staging URL is both the API interface and an actual website). Do the following:
- frontend to have a link to the staging site
- node_modules/govuk-single-consent/dist/singleconsent.iife.js and modify the function (origins) code around line 357 to include the following line before setting addUIDtoCrossOriginLinks:
- Cookies link to change your preferences, then go back to your local site to confirm that changing preferences works both ways.
Cumulative Layout Shift impact
Broadly - no impact. I suspect this is mostly due to recent changes to hide the banner by default and when JS is disabled.
All tests run locally to account for differences in local and production, however testable scores on production are the same. Testing carried out locally on frontend, homepage.
Desktop
Mobile
Visual Changes
None.
Trello card: https://trello.com/c/dmlTAzKB/140-implement-single-consent-api
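The video-embed fix described in the commit notes comes down to failing closed when no cookies_policy cookie exists yet. The sketch below is an added example, not code from this pull request or the components gem; the function names and the "campaigns" field in the cookie's JSON are assumptions.

```javascript
// Added example. Assumption: cookies_policy holds URL-encoded JSON with a
// boolean "campaigns" field; all function names here are hypothetical.

// Return the decoded cookies_policy object from a document.cookie-style
// string, or null when the cookie is absent or is not a JSON object.
function readConsentPolicy (cookieString) {
  var pairs = cookieString ? cookieString.split(';') : []
  for (var i = 0; i < pairs.length; i++) {
    var pair = pairs[i].trim()
    var eq = pair.indexOf('=')
    if (eq === -1 || pair.slice(0, eq) !== 'cookies_policy') continue
    try {
      var parsed = JSON.parse(decodeURIComponent(pair.slice(eq + 1)))
      return parsed !== null && typeof parsed === 'object' ? parsed : null
    } catch (e) {
      return null // malformed value: treat as no recorded choice
    }
  }
  return null
}

// Behaviour the commit note describes as the bug: a missing cookie means "allowed".
function embedAllowedFailOpen (cookieString) {
  var policy = readConsentPolicy(cookieString)
  return policy ? policy.campaigns === true : true
}

// Behaviour after the fix: only an explicit true enables the embed.
function embedAllowedFailClosed (cookieString) {
  var policy = readConsentPolicy(cookieString)
  return policy !== null && policy.campaigns === true
}

// Constructed sample cookie strings (not captured from a real session).
var SAMPLES = {
  noChoiceYet: 'gov_singleconsent_uid=constructed-id',
  rejected: 'cookies_policy=' + encodeURIComponent('{"essential":true,"campaigns":false}'),
  accepted: 'cookies_preferences_set=true; cookies_policy=' + encodeURIComponent('{"essential":true,"campaigns":true}'),
  malformed: 'cookies_policy=%7Bnot-json'
}

function compareDefaults () {
  var out = {}
  Object.keys(SAMPLES).forEach(function (name) {
    out[name] = { failOpen: embedAllowedFailOpen(SAMPLES[name]), failClosed: embedAllowedFailClosed(SAMPLES[name]) }
  })
  return out
}
console.log(compareDefaults())
```

The two checks differ only for the noChoiceYet and malformed samples, which is the state every new visitor is in once the consent cookie is no longer pre-set.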