FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Lack of GDPR Compliance Options in New WYSIWYG Editor #2769

Open escii opened 4 weeks ago

escii commented 4 weeks ago

Lack of GDPR Compliance Options in New WYSIWYG Editor

Description

We have tested the new FusionAuth 1.51 "Theming Toucan" release. First: the new "WYSIWYG Theming Editor" is really nice, and we are very sure people will like to use it.

But it does not work for the whole of Europe regarding the mandatory GDPR regulations we have in place here.

It would require two additional fields as described below.


Custom Field in <header> Section:

There should be an option to add a custom field or custom code within the <header> section of the login page. This is essential for including necessary script tags related to GDPR.

Here is an example of what people want to add. In this case we use the iubenda service, which is very common to cover GDPR. On their site you get two pregenerated code snippets, which look like the following:

<script is:inline type="text/javascript" src="https://cs.iubenda.com/autoblocking/XXXXXX.js"></script>
<script is:inline type="text/javascript" src="//cdn.iubenda.com/cs/gpp/stub.js"></script>
<script is:inline type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

Custom Code at the <footer> Section:

Similarly, there is no provision to add custom code after the </form> section. This is crucial for integrating GDPR-related consent banners and other compliance mechanisms.

Example of what people would like to add in this field:

<script type="text/javascript">
  (function (w, d) {
    var loader = function () {
      var s = d.createElement("script"),
        tag = d.getElementsByTagName("script")[0];
      s.src = "https://cdn.iubenda.com/iubenda.js";
      tag.parentNode.insertBefore(s, tag);
    };
    if (w.addEventListener) {
      w.addEventListener("load", loader, false);
    } else if (w.attachEvent) {
      w.attachEvent("onload", loader);
    } else {
      w.onload = loader;
    }
  })(window, document);
</script>

So it actually only needs two empty text fields, one in the <header> and one in the <footer> section, to make it conform with Europe's GDPR regulations. All GDPR integrations I've seen so far would require those two fields.

Thanks for looking at this request; it would be a great improvement for customers in Europe.

Related

robotdan commented 3 weeks ago

Thanks @escii for the suggestion and for letting us know about this limitation. This is great feedback.

To accomplish this use case at the moment you'll need to use the advanced theme. We are currently gathering feedback like this to improve upon our initial release of this simple(r) theme feature! We will definitely review this request and see how we can best support this in a future release.