Completed
Assignee: SE Support
Reporter: Pablo Agulla
Main Core Job: Orchestrate - Secure Access
Epic/Theme:
Secondary Core Job(s): Optimize - Personalize Experiences and Content
Due date: Dec 22, 2023
Created May 23, 2022 at 6:50 AM
Updated June 12, 2024 at 12:03 PM
Resolved January 10, 2024 at 9:53 AM
In this epic we will define a general-purpose contract to enforce user cookie consent for cases where third-party cookies are involved in DXP. This complements the efforts we made to cover first-party cookies (see https://liferay.atlassian.net/browse/LPS-151966).
By definition, DXP has no control over the way third-party cookies are set. Nevertheless, pages served by a DXP installation might use third-party cookies if third-party resources are fetched when the page loads in the browser. Broadly speaking, two main scenarios may lead to third-party cookie usage:
- Portal developers add logic that retrieves content from third-party sites/services. This logic may be part of out-of-the-box DXP integrations (e.g. YouTube, Google Maps, analytics) or of additional features added via third-party custom developments, including traditional OSGi-based modules and client extensions.
- Content creators publish content in the platform. This content may include snippets served by third-party sites or services that will be accessed when the content is rendered in the page.
To deal with these scenarios, we will provide a generic, platform-level mechanism that implements the contract and regulates the pieces of content/scripts served by DXP that interact with third-party sites.
Because of the nature of such pieces, contract design principles include:
- Declarative: the platform needs to know which snippets make use of which type of cookies. This information has to be provided by the content creator/developer.
- Coarse-grained: the mechanism will either block or allow the entire content/code snippet subject to the consent. It is not possible to block/allow a subset of a script.
- Disabled-by-default: enforcement requires serving the snippets in a disabled form, then enabling them browser-side as long as the required consent is granted. Otherwise there is a risk of third-party cookies “escaping” from the enforcement controls.
This will allow users to register third-party cookie “usages” that DXP will block if consent is not granted. This includes tracking scripts that send data to third-party systems.
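A minimal sketch of the three principles above (declared category, whole-snippet gating, inert until consent), added here as an illustration and not taken from the DXP API or Liferay code. The `data-consent-category` attribute, the `data-src` convention and the category names are assumptions.

```javascript
// Added example. Attribute names and consent categories are hypothetical,
// not identifiers from the DXP API.
const CATEGORY_ATTR = 'data-consent-category';
const ALLOWED_TAGS = new Set(['script', 'iframe']);

const escapeAttr = (value) =>
  String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// Server side: emit a third-party snippet in inert form. The URL lives in
// data-src and scripts carry a non-executable type, so the browser fetches
// nothing (and no third-party cookie is set) while the page loads.
function renderDisabled(tag, src, category) {
  if (!ALLOWED_TAGS.has(tag)) throw new Error(`unsupported tag: ${tag}`);
  const type = tag === 'script' ? ' type="text/plain"' : '';
  return `<${tag}${type} ${CATEGORY_ATTR}="${escapeAttr(category)}" ` +
    `data-src="${escapeAttr(src)}"></${tag}>`;
}

// Browser side: activate whole snippets whose declared category was granted.
// Snippets without a granted category stay inert. Returns the activated URLs.
function enableConsented(doc, grantedCategories) {
  const activated = [];
  for (const el of doc.querySelectorAll(`[${CATEGORY_ATTR}]`)) {
    if (!grantedCategories.has(el.getAttribute(CATEGORY_ATTR))) continue;
    const src = el.getAttribute('data-src');
    if (!src) continue;
    if (el.tagName === 'SCRIPT') {
      // Changing only the type of an already-parsed text/plain script does
      // not run it, so swap in a fresh executable element instead.
      const live = doc.createElement('script');
      live.setAttribute('src', src);
      el.replaceWith(live);
    } else {
      el.setAttribute('src', src);
      el.removeAttribute('data-src');
    }
    activated.push(src);
  }
  return activated;
}
```

In a page, `enableConsented(document, new Set([...]))` would run once at load with the stored consent and again whenever the user changes it.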
Epic goals:
- Define the “contract” that content creators and DXP integration implementors need to fulfill in order to enforce user consent for third-party cookies
- Implement it as a DXP API for content/scripts injection
- Document the usage and illustrate use cases for content editors and developers
- Ensure the main DXP use cases are covered. More specifically:
  - The mechanism will not interfere with content being edited in the current page. This way content creators can obey the contract in content published in the platform. As FI owns the editor components, we will deal with this in the current epic.
  - Other cases, such as pasting video links or usage of third-party APIs, might be identified as part of this effort; however, these cases need conversations with other product teams, so they will be out of the scope of this epic.