Cookie Consent, GDPR, and Discourse

:books: This guide explains how the technical aspects of GDPR and Cookie Consent operate within Discourse, along with options for Cookie Consent management and Content Manager Services.

:warning: This document is not a comprehensive guide regarding all the details that GDPR involves. Discourse does not intend this guide to be used as legal advice to any users or customers. Discourse cannot determine legal compliance with GDPR or any other Cookie Consent Laws for your individual situation or use case.

Cookies in Discourse

To understand how Discourse uses cookies, check the cookies section of our privacy notice.

Essential Cookies

By default, Discourse only sets cookies that are necessary for its basic functionality, which is to enable users to communicate with each other, and the world, by publishing content on the internet.

Third-Party Cookies

By default, Discourse doesn’t use cookies for analytics, nor does it use any cross-site or ad targeting cookies. However, site admins can choose to add other cookies to their Discourse site (e.g. Google Analytics, ad networks, tracking pixels, etc.).

If third-party scripts are added to Discourse that introduce cookies, it’s the responsibility of the site’s administrative team to find a GDPR compliant cookie management solution, or address cookies that may require consent under GDPR.

Cookie Consent Banners

If you want to integrate a cookie consent banner into your Discourse instance you can follow the guides we’ve crafted for some of the most popular ones below.

:loudspeaker: Referencing a third-party JS script on your site essentially gives that third party full admin access to the site, which poses a potential security risk.

:warning: If you plan on using one of these methods for managing Cookie Consent, you will need to determine if they work in a way that fits your needs and the legal requirements for your site.

Osano

Go to Plans & Pricing | Osano, choose a plan and create an account.

After creating the account, you will receive an email with temporary credentials. Log in using those credentials, then you will be prompted to set a new password.

You will be taken to the Osano Dashboard. Click on Consent Management, and add a new consent configuration.

Fill in a Name for the manager, the URL of the site you wish to track, and the URL of your site’s cookie policy. By default, Discourse’s cookie policy can be found in the Privacy page at https://<your-site>/privacy

After you click on Create configuration, a pop-up will show you the code for the banner. You can add it now to Discourse, or wait for later. The banner won’t be displayed to users until you publish it from the Osano dashboard.

You can add the script to Discourse through a theme component or by modifying your theme directly.

To add the banner to Discourse, go to the admin dashboard, Customize → Themes → Components and click on Install.

Click on Add CSS/HTML and add the code to the Head section.

If the code was added successfully to your forum, you’ll see the status of your manager now says Live but Your script is not yet active. The manager is also in Discovery/Listener mode, which is fine for now: while the manager is in this mode, the banner will not be displayed on your site.

Go back to the Osano dashboard. In the next sections, you can customize the aspects of your consent banner. By clicking on the map, you can see how the banner will be displayed in different countries.

Osano automatically detects the country a user is visiting the site from, and adjusts the way the banner looks depending on the regional privacy laws.

For example, when connecting from Venezuela, the cookie banner is simple and automatically disappears after a certain period of time:

But from the Netherlands, an EU country, the banner has more options.

There is also an option to add a cookie widget that displays more details about the cookies.

After your customizations are ready, click on Save changes, then Publish and finally Clear & Publish.

Go to the Scripts section and classify any script detected on your site. For example, in my Discourse site, only CDN URLs were detected, which are classified as Essential. Any other third-party service you may have running on your site needs to be classified accordingly.

The same applies to any cookie detected. For example, if you have Google Analytics on your site, it will detect the _ga cookies, which should be classified as Analytics.

It may take a while for Osano to detect the cookies and scripts running on your site. You may also need to navigate through the different sections of your forum to make sure the Osano snippet is run everywhere.

The cookies and scripts detected may change over time. You’ll receive an email notification from Osano asking you to update your classification, like so: Configuration 'Cookie test' is running unclassified scripts, iframes and/or cookies.

Once the classification is ready, change the mode to Permissive (recommended) or Strict, and publish the configuration. The banner will now be visible to your users :tada:


Learn more about cookie configuration modes here: https://docs.osano.com/compliance-modes-listener-permissive-strict

If you have CSP enabled in your forum (the content security policy site setting is On by default), make sure to add the following URLs to the content security policy script src site setting.

https://consent.api.osano.com
https://tattle.api.osano.com
https://cmp.osano.com
https://disclosure.api.osano.com

Since Osano uses web workers, we also need to add blob: to the worker-src directive. This has to be done through a custom theme component; please refer to the ‘Extending the Default CSP’ section in Mitigate XSS Attacks with Content Security Policy.

In summary, you need to create an empty theme component, with the following parameters in the settings.yml file:

# settings.yml
extend_content_security_policy:
  type: list
  default: "worker_src: blob:"

:loudspeaker: If your banner is not being displayed, please refer to the Debugging CSP section.

One Trust

Go to Cookie Consent | Products | OneTrust. You can enroll for free for your first domain, or start a paid subscription from the pricing page.

You will receive an email welcoming you to OneTrust, with a link to log into the platform. It will guide you through your account setup.

You will be taken to https://app.onetrust.com/welcome. In the Available Apps or My Apps sections, choose the Cookie Compliance one.

Select Add Website.

Add your website URL.

Start the scan and then select your audience(s): the privacy frameworks you need to be compliant with (like GDPR).

In the next sections, you can customize the aspect of your banner and add your own branding. Save your changes and publish them once you are ready.

To add the banner to Discourse, go to the Integration section, in the side menu, and select your site from the list.

Copy the Production CDN script from the Production Scripts.

You can add the script to Discourse through a theme component or by modifying your theme directly.

Go to the admin dashboard, Customize → Themes → Components and click on Install.

Click on Add CSS/HTML and add the code you copied to the Head section.

If you have CSP enabled in your forum (the content security policy site setting is On by default), make sure to add the following URLs to the content security policy script src site setting.

https://cdn.cookielaw.org
https://geolocation.onetrust.com
https://cdn-ukwest.onetrust.com

And that’s it! The banner should look something like:

:loudspeaker: If your banner is not being displayed, please refer to the Debugging CSP section.

ConsentManager

Go to Free test now! - ConsentManager GDPR solution and create an account. Follow the wizard to set up the consent manager.

On step 4, before clicking the Continue button, scroll down the page. Below the “Choose your system” section, you’ll see a section called “Setup using copy & paste.” Choose the Semi-Automatic blocking tab, and copy the code in that section.

You can add the script to Discourse through a theme component or by modifying your theme directly.

Go to the admin dashboard, Customize → Themes → Components and click on Install.

Click on Add CSS/HTML and add the code you copied to the Body section.

If you have CSP enabled in your forum (the content security policy site setting is On by default), make sure to add the following URLs to the content security policy script src site setting.

https://cdn.consentmanager.net
https://a.delivery.consentmanager.net
https://delivery.consentmanager.net

And that’s it! The banner should look something like:

:loudspeaker: If your banner is not being displayed, please refer to the Debugging CSP section.

Cookie Consent Banner Theme Component

This theme component will allow you to add a customizable Cookie Consent banner to your forum. It simply provides an easy way for Discourse admins to make use of the open source Cookie Consent banner by Insites.

For instructions on installing Discourse theme components, see: Install a theme or theme component

Debugging CSP

If the cookie consent banner is not being displayed in your site, and you have CSP enabled (through the content security policy site setting), check your browser’s console for any CSP errors.

For example, in Firefox, you’d see an error like this:

To fix it, you’d need to add the URL that is causing the error to the content security policy script src site setting.
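
One way to check a site's Content-Security-Policy header against the sources a banner needs, shown as an added example that is not part of the original guide or of Discourse. It uses the Osano sources listed earlier on this page; the sample header and all function names are constructed for illustration, and source matching is deliberately simplified.

```javascript
// Added example: list sources a consent banner needs that the CSP does not allow.
// Matching is simplified: exact source, scheme-source (https:), "*" or *.host.
const FALLBACK = { // fallback chains as defined in CSP Level 3
  "script-src": ["script-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
};
// The Osano sources named on this page.
const OSANO_REQUIRED = {
  "script-src": ["https://consent.api.osano.com", "https://tattle.api.osano.com",
    "https://cmp.osano.com", "https://disclosure.api.osano.com"],
  "worker-src": ["blob:"],
};
// Constructed sample header, not taken from a real site.
const SAMPLE_CSP = "default-src 'none'; script-src 'self' https://cmp.osano.com " +
  "https://consent.api.osano.com; worker-src 'self'";

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function effectiveSources(policy, directive) {
  const name = FALLBACK[directive].find((d) => policy.has(d));
  return name ? policy.get(name) : null; // null: nothing restricts this load
}

function allows(sources, wanted) {
  if (sources === null) return true;
  const url = wanted.endsWith(":") ? null : new URL(wanted);
  return sources.some((src) => {
    if (src === wanted) return true;
    if (!url) return false; // schemes such as blob: need an explicit entry
    if (src === "*" || src === url.protocol) return true;
    const m = src.match(/^(?:(https?):\/\/)?\*\.(.+)$/);
    return !!m && (!m[1] || m[1] + ":" === url.protocol) && url.hostname.endsWith("." + m[2]);
  });
}

function missingSources(header, required) {
  const policy = parseCsp(header);
  return Object.entries(required).flatMap(([directive, wanted]) =>
    wanted.filter((w) => !allows(effectiveSources(policy, directive), w))
      .map((w) => `${directive} ${w}`));
}
console.log(missingSources(SAMPLE_CSP, OSANO_REQUIRED));
```

Each entry in the result names the directive and the source that still has to be added, either to the content security policy script src site setting or, for worker-src, through the theme component setting shown above.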

Other Content Manager Service Options

Beyond the above mentioned options for cookie management, other options for consent manager services that may work with Discourse include:
