This guide explains how the technical aspects of GDPR and Cookie Consent operate within Discourse, along with options for Cookie Consent management and Content Manager Services.
This document is not a comprehensive guide regarding all the details that GDPR involves. Discourse does not intend this guide to be used as legal advice to any users or customers. Discourse cannot determine legal compliance with GDPR or any other Cookie Consent Laws for your individual situation or use case.
Cookies in Discourse
To understand how Discourse uses cookies, check the cookies section of our privacy notice.
Essential Cookies
By default, Discourse only sets cookies that are necessary for its basic functionality, which is to enable users to communicate with each other, and the world, by publishing content on the internet.
Third-Party Cookies
By default, Discourse doesn’t use cookies for analytics, nor does it use any cross-site or ad targeting cookies. However, site admins can choose to add other cookies to their Discourse site (e.g. Google Analytics, ad networks, tracking pixels, etc.).
If third-party scripts that introduce cookies are added to Discourse, it’s the responsibility of the site’s administrative team to find a GDPR-compliant cookie management solution, or otherwise address cookies that may require consent under GDPR.
Cookie Consent Banners
If you want to integrate a cookie consent banner into your Discourse instance you can follow the guides we’ve crafted for some of the most popular ones below.
Referencing a third-party JS script on your site essentially gives that third party full admin access to the site, which poses a potential security risk.
If you plan on using one of these methods for managing Cookie Consent, you will need to determine whether they work in a way that fits your needs and the legal requirements for your site.
Osano
Go to Plans & Pricing | Osano, choose a plan and create an account.
After creating the account, you will receive an email with temporary credentials. Log in using those credentials, then you will be prompted to set a new password.
You will be taken to the Osano Dashboard. Click on Consent Management, and add a new consent configuration.
Fill in a Name for the manager, the URL of the site you wish to track, and the URL of your site’s cookie policy. By default, Discourse’s cookie policy can be found in the Privacy page at https://<your-site>/privacy
After you click on Create configuration, a pop-up will show you the code for the banner. You can add it now to Discourse, or wait for later. The banner won’t be displayed to users until you publish it from the Osano dashboard.
You can add the script to Discourse through a theme component or by modifying your theme directly.
To add the banner to Discourse, go to the admin dashboard, Customize → Themes → Components and click on Install.
Click on Add CSS/HTML and add the code to the Head section.
If the code was added successfully to your forum, you’ll see the status of your manager now says “Live” but “Your script is not yet active”. The manager is also in Mode “Discovery/Listener”, which is fine for now. While the manager is in this mode, the banner will not be displayed on your site.
Go back to the Osano dashboard. In the next sections, you can customize the aspects of your consent banner. By clicking on the map, you can see how the banner will be displayed in different countries.
Osano automatically detects the country a user is visiting the site from, and adjusts the way the banner looks depending on the regional privacy laws.
For example, when connecting from Venezuela, the cookie banner is simple and automatically disappears after a certain period of time:
But from the Netherlands, an EU country, the banner has more options:
There is also an option to add a cookie widget that displays more details about the cookies.
After your customizations are ready, click on Save changes, then Publish and finally Clear & Publish.
Go to the Scripts section and classify any script detected on your site. For example, in my Discourse site, only CDN URLs were detected, which are classified as Essential. Any other third-party service you may have running on your site needs to be classified accordingly.
The same applies to any cookie detected. For example, if you have Google Analytics on your site, it will detect the _ga cookies, which should be classified as Analytics.
It may take a while for Osano to detect the cookies and scripts running on your site. You may also need to navigate through the different sections of your forum to make sure the Osano snippet is run everywhere.
The cookies and scripts detected may change over time. When they do, you’ll receive an email notification from Osano asking you to update your classification, like so:
Configuration 'Cookie test' is running unclassified scripts, iframes and/or cookies.
Once the classification is ready, change the mode to Permissive (recommended) or Strict, and publish the configuration. The banner will now be visible to your users.
Learn more about cookie configuration modes here: https://docs.osano.com/compliance-modes-listener-permissive-strict
If you have CSP enabled in your forum (the content security policy site setting is On by default), make sure to add the following URLs to the content security policy script src site setting.
https://consent.api.osano.com
https://tattle.api.osano.com
https://cmp.osano.com
https://disclosure.api.osano.com
Since Osano uses web workers, we also need to add blob: to the worker-src directive. This has to be done through a custom theme component; please refer to the ‘Extending the Default CSP’ section in Mitigate XSS Attacks with Content Security Policy.
In summary, you need to create an empty theme component, with the following parameters in the settings.yml file:
# settings.yml
extend_content_security_policy:
  type: list
  default: "worker_src: blob:"
If your banner is not being displayed, please refer to the Debugging CSP section.
One Trust
Go to Cookie Consent | Products | OneTrust. You can enroll for free for your first domain, or start a paid subscription from the pricing page.
You will receive an email welcoming you to OneTrust, with a link to log into the platform. It will guide you through your account setup.
You will be taken to https://app.onetrust.com/welcome. In the Available Apps or My Apps sections, choose the Cookie Compliance one.
Select Add Website.
Add your website URL.
Start the scan and then select your audience(s): the privacy frameworks you need to be compliant with (like GDPR).
In the next sections, you can customize the aspect of your banner and add your own branding. Save your changes and publish them once you are ready.
To add the banner to Discourse, go to the Integration section in the side menu and select your site from the list.
Copy the Production CDN script from the Production Scripts.
You can add the script to Discourse through a theme component or by modifying your theme directly.
Go to the admin dashboard, Customize → Themes → Components and click on Install.
Click on Add CSS/HTML and add the code you copied to the Head section.
If you have CSP enabled in your forum (the content security policy site setting is On by default), make sure to add the following URLs to the content security policy script src site setting.
https://cdn.cookielaw.org
https://geolocation.onetrust.com
https://cdn-ukwest.onetrust.com
And that’s it! The banner should look something like:
If your banner is not being displayed, please refer to the Debugging CSP section.
ConsentManager
Go to Free test now! - ConsentManager GDPR solution and create an account. Follow the wizard to set up the consent manager.
On step 4, before clicking the Continue button, scroll down the page. Below the “Choose your system” section, you’ll see a section called “Setup using copy & paste.” Choose the Semi-Automatic blocking tab, and copy the code in that section.
You can add the script to Discourse through a theme component or by modifying your theme directly.
Go to the admin dashboard, Customize → Themes → Components and click on Install.
Click on Add CSS/HTML and add the code you copied to the Body section.
If you have CSP enabled in your forum (the content security policy site setting is On by default), make sure to add the following URLs to the content security policy script src site setting.
https://cdn.consentmanager.net
https://a.delivery.consentmanager.net
https://delivery.consentmanager.net
And that’s it! The banner should look something like:
If your banner is not being displayed, please refer to the Debugging CSP section.
Cookie Consent Banner Theme Component
This theme component will allow you to add a customizable Cookie Consent banner to your forum. It simply provides an easy way for Discourse admins to make use of the open source Cookie Consent banner by Insites.
For instructions on installing Discourse theme components, see: Installing a theme or theme component
Debugging CSP
If the cookie consent banner is not being displayed on your site, and you have CSP enabled (through the content security policy site setting), check your browser’s console for any CSP errors.
For example, in Firefox, you’d see an error like this:
To fix it, you’d need to add the URL that is causing the error to the content security policy script src site setting.
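The check described in the CSP steps above can also be done offline against a copied Content-Security-Policy header value. The following is an added example, not code from Discourse or any of the vendors: it parses a policy string and lists which of the Osano sources from this guide (the four script src URLs and blob: for worker-src) the policy does not allow. The function names and the sample policy are constructed for illustration, and source matching is simplified.

```javascript
// Added example: names and SAMPLE_POLICY are constructed, not Discourse or vendor code.
// Fallback chains from the CSP spec: a missing directive defers to the next one listed.
const FALLBACKS = {
  "script-src": ["script-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
};
// "a b; c d" -> { a: ["b"], c: ["d"] }. Only the first copy of a directive counts.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Simplified: exact entry, "*", bare scheme, bare host or "*.host"; no paths, ports, nonces.
function sourceAllows(source, wanted) {
  if (source === wanted) return true;
  if (wanted.endsWith(":")) return false; // scheme sources such as blob: need their own entry
  const url = new URL(wanted);
  if (source === "*" || source === url.protocol || source === url.host) return true;
  const m = source.match(/^(?:(https?:)\/\/)?\*\.(.+)$/);
  return !!m && (!m[1] || m[1] === url.protocol) && url.hostname.endsWith("." + m[2]);
}

// required: { directive: [sources] }. Returns "directive source" strings that are not allowed.
function missingCspSources(header, required) {
  const csp = parseCsp(header);
  const missing = [];
  for (const [directive, wanted] of Object.entries(required)) {
    const governing = (FALLBACKS[directive] || [directive]).find((d) => d in csp);
    if (!governing) continue; // nothing in the policy restricts this resource type
    const allowed = (w) => csp[governing].some((s) => sourceAllows(s, w));
    missing.push(...wanted.filter((w) => !allowed(w)).map((w) => `${directive} ${w}`));
  }
  return missing;
}

// The Osano sources listed in this guide.
const OSANO_REQUIRED = {
  "script-src": ["consent.api", "tattle.api", "cmp", "disclosure.api"].map((h) => `https://${h}.osano.com`),
  "worker-src": ["blob:"],
};
// Constructed policy in which two Osano hosts and the blob: worker source were forgotten.
const SAMPLE_POLICY = "default-src 'none'; script-src 'self' https://cmp.osano.com " +
  "https://consent.api.osano.com; worker-src 'self'";
console.log(missingCspSources(SAMPLE_POLICY, OSANO_REQUIRED));
```

Each entry it returns corresponds to a source that would show up as a blocked-resource error in the browser console.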
Other Content Manager Service Options
Beyond the above mentioned options for cookie management, other options for consent manager services that may work with Discourse include:
Cookie Policy
This guide explains how to add the Cookie Policy from different vendors to the /privacy page on Discourse.
One Trust
Note: You can read the steps on how to set up a OneTrust account and create a theme component in the above section.
- Enable SPA support on your OneTrust account by following the instructions described here.
- Add the following two blocks of code, one below the other, to the Head section of the theme component.
Note: The two functions clearDup and reloadOTBanner are taken from this page. Do make sure to use those. The version of those functions in the below code is just a sample and may be outdated at the time of reading this.

<script type="text/x-handlebars" data-template-name="/connectors/below-static/add-cookie-policy">
  <div id="ot-sdk-cookie-policy"></div>
</script>

<script type="text/discourse-plugin" version="0.10.0">
  // SHOULD BE USED ONLY ON COOKIE POLICY. TRIGGER FUNCTION BELOW TO REMOVE DUPLICATE CATEGORIES
  // script taken from: https://my.onetrust.com/s/article/UUID-69162cb7-c4a2-ac70-39a1-ca69c9340046?language=en_US#UUID-69162cb7-c4a2-ac70-39a1-ca69c9340046_section-idm45403310539216

  // Remove the stale consent SDK container and re-initialise the banner.
  function reloadOTBanner() {
    var otConsentSdk = document.getElementById("onetrust-consent-sdk");
    if (otConsentSdk) {
      otConsentSdk.remove();
    }
    if (window.OneTrust != null) {
      OneTrust.Init();
      setTimeout(function() {
        OneTrust.LoadBanner();
        // Re-bind the "show settings" links to open the preference center.
        var toggleDisplay = document.getElementsByClassName(
          "ot-sdk-show-settings"
        );
        for (var i = 0; i < toggleDisplay.length; i++) {
          toggleDisplay[i].onclick = function(event) {
            event.stopImmediatePropagation();
            window.OneTrust.ToggleInfoDisplay();
          };
        }
      }, 1000);
    }
  }

  // Remove duplicate categories from the cookie policy container.
  // Note: getElementById returns a single element, which has no length,
  // so as written in this sample the loop body never runs.
  function clearDup() {
    var sec = document.getElementById("ot-sdk-cookie-policy");
    var tally = [];
    for (var i = sec.length - 1; i >= 0; i--) {
      if (tally[sec[i].firstChild.innerText] === undefined) {
        tally[sec[i].firstChild.innerText] = 1;
      } else {
        //console.log(i,sec[i].firstChild.innerText);
        sec[i].remove();
        //return true;
      }
    }
    //return false;
  }

  // Discourse is a single-page app: re-run on every route change to /privacy.
  api.onAppEvent("page:changed", (data) => {
    if (data.currentRouteName == 'privacy') {
      reloadOTBanner();
      clearDup();
    }
  });
</script>
Notes
- If you look at the console of the browser, you might find that the OptanonWrapper function is missing from the file where you added your Cookie Consent or any related code, but that’s not the case. Discourse doesn’t strip the code block with the OptanonWrapper function; rather, it converts that block into its own file. You can try calling that function in the JS console of your browser to confirm that the function actually exists.
Last edited by @fzngagan 2024-11-05T07:09:51Z