Phil Weir | 9 Jun 2012 09:26

[RCD] cookie opt-in

Hi,

An EU law requiring websites to obtain opt-in consent from website users
before any non-essential cookies can be placed on their computer recently
came into force in the UK. Roundcube uses cookies for things like remembering
the position of the splitters on the mail screen. This isn't essential to
the operation of the site and so consent must be sought from the user before
these cookies can be saved on their computer.

I have created a very simple plugin which displays a banner to the user
asking them if they wish to use cookies or not and if they choose not then
it disables the JavaScript cookie methods. It also adds a new option in the
general settings page to allow the user to change their cookie settings any
time they want.

This plugin blocks cookies created via JavaScript. The only JavaScript
cookie not blocked by this plugin is the one created by googiespell since
that uses slightly different methods from the rest of RC. These are the only
cookies in the RC core which appear to be non-essential. There is one
session cookie created in the PHP as part of the security that is essential
and so exempt from opt-in.

This is only a first go at a cookie opt-in system for RC and I'm sure it's
not perfect, any feedback welcome. I am wondering if it might be better to
simply give an "accept and close" option rather than the choice of accepting
or blocking.

Phil

Peter Overtoom | 11 Jun 2012 09:25

Re: [RCD] cookie opt-in

The "Cookie Law" states that functional cookies are allowed at any time. That means that you can save website settings and session information to keep track of logins. It also means that when you use, for example, Google Analytics or some ad provider, you do need to ask permission to place your cookies.
Also, the law doesn't actually say anything about cookies; it talks about "storing information on the client computer". That also means that all other forms of cookies (Flash, HTML5 storage, etc.) are covered by that law.



_______________________________________________
Roundcube Development discussion mailing list
dev <at> lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/dev

Phil Weir | 11 Jun 2012 14:01

Re: [RCD] cookie opt-in

On 11.06.2012 08:25, Peter Overtoom wrote:
> The "Cookie Law" states that functional cookies are allowed at any
> time.

As I understand it, the rule is that cookies which are essential for
the website to work. In Roundcube's case cookies like the ones which
store the position of the splitters on the mail, address book and
settings screens are not essential for the website to work and so
strictly speaking permission is required for these.

I decided that trying to make something which tries to disable these
non-essential cookies is asking for trouble. Apart from the fact that
googiespell and tinymce do cookies their own way, there are also plugins
and other skins which might also write their own cookies. So a safer
solution is just to tell the user that cookies are being created and
ask them to acknowledge that they have seen the message by pressing
accept. Then none of the behaviour of Roundcube needs to be changed in
any way. The latest version of the plugin is here:
https://github.com/JohnDoh/Roundcube-Plugin-Cookie-Opt-In

Phil
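
The trade-off discussed in this thread, as an added example that is not part of the original messages or of the plugin's code: gating only the application's own cookie helper lets a library that writes `document.cookie` directly slip through, while gating the property itself catches both and can still allow an essential cookie by name. The names `setCookie`, `sessid`, `splitter_pos` and `spell_lang` are hypothetical, and the `document` object is a constructed stand-in so the code runs under Node.

```javascript
// Constructed stand-in for the browser's document.cookie accessor (runs under Node).
function makeDocument() {
  const jar = new Map();
  return {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(str) {
      const [pair] = str.split(';');           // ignore attributes such as path
      const i = pair.indexOf('=');
      jar.set(pair.slice(0, i).trim(), pair.slice(i + 1).trim());
    },
  };
}

// Approach 1: gate only the application's own helper (hypothetical name).
function makeAppHelper(doc, consent) {
  return (name, value) => { if (consent()) doc.cookie = `${name}=${value}; path=/`; };
}

// Approach 2: gate the cookie property itself; essential names stay allowed.
function gateDocumentCookie(doc, consent, essential) {
  const inner = Object.getOwnPropertyDescriptor(doc, 'cookie');
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return inner.get.call(doc); },
    set(str) {
      const name = String(str).split('=')[0].trim();
      if (consent() || essential.has(name)) inner.set.call(doc, str);
    },
  });
}

// Constructed third-party widget that bypasses the app helper.
function thirdPartyWidget(doc) { doc.cookie = 'spell_lang=en; path=/'; }

function demo(gateProperty) {
  const doc = makeDocument();
  const consent = () => false;                 // the user declined
  if (gateProperty) gateDocumentCookie(doc, consent, new Set(['sessid']));
  const setCookie = makeAppHelper(doc, consent);
  doc.cookie = 'sessid=abc123; path=/';        // stands in for the essential session cookie
  setCookie('splitter_pos', '250');            // non-essential UI preference
  thirdPartyWidget(doc);
  return doc.cookie;
}
```

Cookies set by the server in a `Set-Cookie` header never pass through this property, so a script-side gate like this covers only cookies written from JavaScript.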