Cookie consent #271

Closed
twinkarma opened this issue Jan 9, 2023 · 3 comments

@twinkarma
Collaborator

twinkarma commented Jan 9, 2023

Need to implement some way to notify the user of the usage of cookies.

  • Currently CSRF is sent with first request
@twinkarma twinkarma changed the title Cookie banner Cookie consent Jan 9, 2023
@twinkarma twinkarma self-assigned this Feb 9, 2023
@davidwilby
Contributor

From discussion on #266

Also cookies - we need to audit what cookies we set and whether we need consent from the user. I guess the Django session cookie would be deemed "essential", but if we use third party analytics like Google then that would need pre-consent.

Also if a particular annotation task involves embedding content from elsewhere (like a Twitter widget or YouTube video iframe) then that third party content may set its own cookies. This isn't something we can know in advance but I guess such cookies would only be set for managers or annotators of the project in question, so we just need to make a general reference to the issue in the site-level policy (since any site-level admin user can get to the config screen of any project, and will have their cookies set by the preview logic), and say it's up to the project managers to gain any necessary consents from their annotators as part of the process of recruiting them to a particular project, e.g. on the participant info sheet.

@twinkarma
Collaborator Author

Was digging around on how to have a no-cookie csrf and found this:

https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies+and+similar+technologies

Definitely should have checked the law first. It looks like there's no need for consent for cookies used for things like user input, authentication and security. The csrf token definitely falls into user input and security so it's a non-issue here. The only other one we use is sessionid and falls into the authentication category.

What I'll do is put together a "Cookies" page that outlines the cookies that we use for the site, but it looks like there's no explicit need for a consent popup for Teamware in its current state and no need to remove the CSRF cookie from the backend.

@twinkarma
Collaborator Author

I was checking to make sure if we need a popup banner, and according to the UK gov website you don't need a cookies banner if you're only using essential cookies; we just need to have a cookies page:

https://design-system.service.gov.uk/components/cookie-banner/

@davidwilby davidwilby added this to the Release 2.0 milestone Mar 8, 2023
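
One way to run the cookie audit discussed in this thread, as an added example that is not Teamware's code: it parses `Set-Cookie` header values and flags any cookie outside the two the thread identifies as essential. The header values are constructed samples, `csrftoken` is assumed to be Django's default CSRF cookie name, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie

# Cookies the thread treats as exempt from consent. "sessionid" is named in the
# thread; "csrftoken" is Django's default CSRF cookie name (assumed unchanged).
ESSENTIAL = {"sessionid": "authentication", "csrftoken": "security / user input"}

# Constructed Set-Cookie header values (not captured from a real deployment).
SAMPLE_HEADERS = [
    "csrftoken=constructedtoken; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=constructedsession; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax",
    "_ga=GA1.2.123.456; Max-Age=63072000; Path=/",  # stands in for an analytics cookie
]


def audit_set_cookie(headers):
    """Return one finding per cookie set by the given Set-Cookie header values."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        if not jar:
            # SimpleCookie drops headers it cannot parse; surface them instead.
            findings.append({"name": "<unparsed>", "raw": raw, "needs_review": True})
            continue
        for name, morsel in jar.items():
            findings.append({
                "name": name,
                "category": ESSENTIAL.get(name, "unclassified"),
                "needs_review": name not in ESSENTIAL,
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
                "samesite": morsel["samesite"] or None,
            })
    return findings


def unexpected_cookies(headers):
    """Names of cookies outside the essential allowlist (candidates for consent)."""
    return sorted({f["name"] for f in audit_set_cookie(headers) if f["needs_review"]})


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
    print("needs review:", unexpected_cookies(SAMPLE_HEADERS))
```

In a Django test the same allowlist check can be applied to `response.cookies`, which is already a `SimpleCookie`.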