
The challenge proposed to me was to create a widget, to be applied on other sites, that makes a website compliant with the cookie law[1].

Can I do this without changing server code?

I mean, if there's code on the server side that writes an affiliate cookie to the response and my JavaScript widget deletes it afterwards on the window.load event: will the site still be cookie law compliant?

Then come the Google Analytics and share-button cookies. How would I stop those scripts and iframes from being executed, in JavaScript?

[1] The Information Commissioner's Office (ICO) : New ICO Cookie Law

  • Could you explain what you mean by `cookie law`? – bbaja42 Apr 26 '12 at 10:47
  • Probably talking about an EU directive (whose identity I forget, and care should be taken since directives are enacted by incorporation into member state law and there can be a significant amount of extra complexity added at that stage). – Donal Fellows Apr 26 '12 at 10:52
  • I'm talking about this one: http://programmers.stackexchange.com/questions/78176/how-do-i-comply-with-the-eu-cookie-directive – Fabio Milheiro Apr 26 '12 at 10:54

2 Answers


Your solution would probably end up being treated as malware

From your description, it appears that you want to create a JavaScript library that a website can include on their pages that will guarantee their compliance with the "cookie law".

Let's side-step the technical issues surrounding the actual implementation of this law when it comes to the location of the user, the client (remote session anyone?), the server and the owner of the web application running on the server. And, let's constrain further and only consider the UK guidance offered around the EU directive.

From the Information Commissioner's Office:

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

This implies that your widget will have to act as the clearing house for this user consent. If you do not have control over the server code then your software will have to block the cookies emanating from the server until such consent is obtained. This means that your software will be interfering with third-party libraries (your Google Analytics, Facebook Likes, etc.).

Such interference, no matter how well-meant, is very likely to degrade the user experience and be looked upon extremely unfavourably by the owners of the third-party libraries. Thus it will be treated as malware.

I would think again before going down this road.

Gary
  • Thanks @Gary Rowe. I agree that we shouldn't have a widget that simply clears everything in the browser until the user complies, but that brings me to a point. I only load the scripts that will install cookies in the browser after the user has consented to cookies. BUT after the user accepts, he/she may remove consent. What happens then? The widget I created removes some Google cookies. Would this fall into the category of malware too? – Fabio Milheiro May 03 '12 at 10:08
  • @FabioMilheiro The difficulty here is that you're writing software that is sabotaging the operation of another library from a reputable source (contrast this with anti-virus software, for example). This is a serious problem with the technical implementation of the law as it stands (who determines what is reputable?). However, your solution of removing those cookies after consent is removed is reasonable because it automates what a diligent user would do manually. – Gary May 03 '12 at 10:22
  • [polemic] So is the "Cookie Law" sabotage because it is "interfering with third-party libraries" and "is very likely to degrade the user experience"? Does this mean that third-party cookies set without the user's permission are more important than following the law? [/polemic] Technically, the browser sandbox only allows deleting cookies from the same domain the JS is loaded from. So loading this JS from `www.somedomain.com` cannot delete cookies from `facebook` or `google`. – k3b Sep 23 '15 at 13:30

One thing to keep in mind is that your script may be rendered useless if the server sets the HttpOnly flag when the cookie is created.

http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie

There may also be domain origin issues when accessing/manipulating cookies set from other domains, due to security (XSS). I'm not 100% sure on this, as I rarely use JavaScript when it comes to cookies, for the same purpose of minimizing exposure to XSS.

While your concept sounds like a great idea, I suggest looking into these possible issues further before investing too much of your time into this project.

chetpot
  • You're welcome Fabio. The only thing that I can think of that would be resistant to these possible obstacles would be a browser extension, although from your original post it seems that a browser extension might defeat the purpose. – chetpot May 20 '12 at 14:49
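As an added example, not code from the question or from either answer, here is a minimal consent gate in browser JavaScript that illustrates both points raised above: Gary's point that third-party scripts must be held back until consent exists and that the cookies should be expired when consent is withdrawn, and chetpot's point (echoed by k3b) that page script can only see and delete cookies that are not HttpOnly and that belong to the page's own host or a parent domain. The cookie name `cookie_consent`, the list of tracking cookie names and the `FakeDocument` stand-in are assumptions introduced here so that the example runs offline under Node; in a browser you pass the real `document` instead. The `FakeDocument` mimics the relevant browser rules (HttpOnly cookies are hidden from `document.cookie` and cannot be overwritten by script; a `domain` attribute must match the host or a parent domain); it is a constructed test double, not a browser.

```javascript
// Added example, not from the original post. Consent gate: third-party
// scripts load only after consent; withdrawing consent expires every
// tracking cookie that page JavaScript can reach. `doc` is any object with
// a read/write `cookie` string plus createElement/head.appendChild, so it
// can be the real `document` or the constructed FakeDocument below.

const CONSENT_COOKIE = 'cookie_consent';                  // assumed name
const TRACKING_COOKIES = ['_ga', '_gid', '__utma', 'affiliate']; // assumed

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

function hasConsent(doc) {
  return parseCookies(doc.cookie)[CONSENT_COOKIE] === 'yes';
}

function grantConsent(doc) {
  doc.cookie = `${CONSENT_COOKIE}=yes; path=/; max-age=31536000; SameSite=Lax`;
}

// The host plus each parent domain down to the registrable domain. Assumes
// the registrable domain is the last two labels; real code needs the
// public suffix list to handle e.g. example.co.uk correctly.
function candidateDomains(hostname) {
  const labels = hostname.split('.');
  const out = [];
  for (let i = 0; i <= labels.length - 2; i++) out.push(labels.slice(i).join('.'));
  return out;
}

// Expire the tracking cookies visible to script. A deletion only takes
// effect when path and domain match the original cookie, so try each
// candidate domain and the host-only form. Returns the names that vanished.
// HttpOnly cookies and cookies of other origins never appear in doc.cookie,
// so they are out of reach here; only the server can clear those.
function withdrawConsent(doc, hostname) {
  const before = parseCookies(doc.cookie);
  for (const name of [...TRACKING_COOKIES, CONSENT_COOKIE]) {
    if (!(name in before)) continue;
    for (const domain of candidateDomains(hostname)) {
      doc.cookie = `${name}=; path=/; domain=${domain}; max-age=0`;
    }
    doc.cookie = `${name}=; path=/; max-age=0`;
  }
  const after = parseCookies(doc.cookie);
  return Object.keys(before).filter((n) => !(n in after)).sort();
}

// Inject a third-party script tag only when consent is recorded.
function loadIfConsented(doc, src) {
  if (!hasConsent(doc)) return false;
  const s = doc.createElement('script');
  s.src = src;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// Constructed stand-in for `document`: a same-origin cookie jar that, like a
// browser, hides HttpOnly cookies from script, refuses to let script
// overwrite them, and only accepts a domain attribute matching the host or
// one of its parent domains.
class FakeDocument {
  constructor(hostname, initialCookies) {
    this.hostname = hostname;
    this.jar = new Map(); // "name|domain" -> {name, value, domain, httpOnly}
    this.head = { children: [], appendChild(el) { this.children.push(el); } };
    for (const c of initialCookies) this.jar.set(`${c.name}|${c.domain}`, c);
  }
  createElement(tag) { return { tagName: tag.toUpperCase() }; }
  get cookie() {
    return [...this.jar.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
  set cookie(str) {
    const [pair, ...attrs] = str.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const a = {};
    for (const at of attrs) {
      const i = at.indexOf('=');
      a[(i < 0 ? at : at.slice(0, i)).toLowerCase()] = i < 0 ? '' : at.slice(i + 1);
    }
    const domain = (a.domain || this.hostname).replace(/^\./, '');
    if (this.hostname !== domain && !this.hostname.endsWith(`.${domain}`)) return;
    const key = `${name}|${domain}`;
    const existing = this.jar.get(key);
    if (existing && existing.httpOnly) return; // script may not touch HttpOnly
    if (a['max-age'] === '0') this.jar.delete(key);
    else this.jar.set(key, { name, value, domain, httpOnly: false });
  }
}

// The scenario from the question (constructed data): a server-set HttpOnly
// affiliate cookie and Google Analytics' _ga cookie on the parent domain.
function demo() {
  const doc = new FakeDocument('www.example.com', [
    { name: '_ga', value: 'GA1.2.1', domain: 'example.com', httpOnly: false },
    { name: 'affiliate', value: 'partner42', domain: 'www.example.com', httpOnly: true },
  ]);
  const ga = 'https://www.google-analytics.com/analytics.js';
  const blockedBefore = !loadIfConsented(doc, ga);
  grantConsent(doc);
  const loadedAfter = loadIfConsented(doc, ga);
  const removed = withdrawConsent(doc, doc.hostname);
  const affiliateSurvives = doc.jar.has('affiliate|www.example.com');
  return { blockedBefore, loadedAfter, removed, affiliateSurvives };
}
```

Running `demo()` shows the two limits the answers describe: `_ga` and the consent cookie are removed because they are script-visible and the widget tried the matching parent domain, while the server's HttpOnly `affiliate` cookie is never visible to the widget and survives withdrawal, so the server code still has to cooperate for that part. Share-button iframes can be gated the same way as the script tag: keep the real URL in a `data-` attribute and only assign `src` after consent.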