-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: Double click solution for external sources (iframes as well as embeddings) #345
Comments
Hm, do we want to support one-time consent? As in "click to load iframe and on next visit it shows the blocker again"? |
Remembering it per room would be a big comfort win, why wouldn't we want that? Remembering per domain would be even nicer but probably raises issues because different rooms might have different banner texts even if they embed the same domain |
I think one one-time-consent should be per room, but we also need one-time-consent for YouTube-embeddings, for instance in an expo-header, in the middle of some textpage, when we use embedded external ressources. This kind of consent could be domain-wise (do you want to allow YouTube.org, ... ) and then all videos from YouTube should work. :) |
With "one-time" I mean the difference between "I am allowing this element and when I leave and come back I want the consent blocker to be shown again" vs "I am allowing this element and venueless will remember this". The second one is a more common expectation for "normal" users, but I'm pretty sure some overly privacy aware people will want the first one. Consent-blocking arbitrary iframes or video elements inside pages is another can of worms entirely and much more complex to build because of all the ways those youtube iframes can land in there. (And don't get me started on iframes containing youtube videos themselves). |
As far as I am aware, it is perfectly fine to store that someone consented and not ask them every time, at least if the question is clearly phrased. |
I talked to our privacy lawyer about this. If we just have a "Yes" button, we are allowed to "remember" the agreement for the duration of a "session" (whatever that is, likely a browser session similar to a cookie without expiry date). If we give the user an explicit choice between a "Yes" button and and a "Yes, always" button like @saschafoerster suggestes, it's fine saving the agreement for a longer timeframe if the user clicks the latter button. |
I had a look if I could build something that would intercept any iframe that's created anywhere in venueless, which kinda worked, but I could not prevent freshly created iframes from starting a network request to their |
I would be very happy if iFrames and Embeddings could only be loaded, when a double click solution was presented to inform the user, that external resources will be loaded. A very good implementation (but from Wordpress) is the plugin "Embed privacy":
https://de.wordpress.org/plugins/embed-privacy/
They hide the content with a banner, that is informative (and can be changed to show more details), it shows a link to the data protection informations and it has a button to allow this single external resource or all external ressources of the same kind.
Participants usually don't really know that external ressources are loaded and maybe data is transferred somewhere else, than they thought. Also there is no cookie banner yet, so organizers can only inform them when using a ticketing solution and informing there. But still it would be great to have the option to participate without getting YouTube-cookies for instance, when there is an embedding.
The text was updated successfully, but these errors were encountered: