Provide a way for scripts to know whether there's a CMP on the page

[bretg]

Description

Prebid provides two ways for AMP publishers to initiate a usersync:

• load-cookie.html
• load-cookie-with-consent.html

The reason the 'with-consent' version exists is that the code can't tell whether there's a Consent Management Platform (CMP) in the page. The design, as we understand it, is that the code has to listen on a message bus, so it can't tell whether (A) there's no CMP or (B) the CMP is slow or (C) the user hasn't submitted their values yet.

Since the code can't tell, Prebid pushes the responsibility on the publisher to use the special "with-consent" version of the file when appropriate. We would rather have just one version of the file to make things simpler for publishers.

If there was a way for code to know whether listening on the message bus for a certain of time made sense (because there's a CMP on the page), we could deprecate the "with-cookie" version of this sync script.

In regular web pages, code can just sniff for the existence of the IAB-defined functions tcf() and gpp(). We would like something like this for AMP, or alternately, a guarantee that listening on the bus will get an answer quickly even if no CMP is on the page.

Alternatives Considered

Any solution that allows scripts to quickly know whether there's a CMP in the page to wait for would be fine. We don't have an opinion about the implementation specifics.

Additional Context

No response

[powerivq]

I would propose to add attributes here https://amp.dev/documentation/components/amp-iframe to indicate that no consent management platforms are present. WDYT? @bretg

[bretg]

@powerivq - are you suggesting that the publisher manually add an attribute defined by convention, or that the existence of a CMP would cause a standard attribute to be defined?

[powerivq]

@bretg Sorry that link was not clear. I meant a new attribute in the send-consent-data message sent back

[dgirardi]

The need is to tell in advance whether send-consent-data will get a reply. I don't know if there's documentation I didn't find, but from what I can tell there's no guarantee that it will (the parent may not be using amp-consent at all), or even when it does, we don't know if it will reply at some point in the future ("The consent-data response may be delayed based on the selected policy").

[powerivq]

@dgirardi I meant to add an attribute to indicate that there are no CMPs on the page. That would imply that the message will be sent back without delay, otherwise it would be meaningless. Does that solve your question?

[dgirardi]

Yes, as long as I can expect a reply regardless of whether the parent did anything relating to consent (that is, it does not depend on the page setting up amp-consent).

[powerivq]

@bretg @dgirardi I just tested. I find that when you send a send-consent-data message, AMP will return immediately if no amp-consent is present with the following message:

{
  "sentinel": "amp",
  "type": "consent-data",
  "consentMetadata": null,
  "consentString": null,
  "consentPolicyState": null,
  "consentPolicySharedData": null
}

Please indicate if this is sufficient. If so, there will be no actions needed.

[dgirardi]

@powerivq that reply would be sufficient, but I can't get it from my testing. An example of an AMP page where my send-consent-data gets no reply is: https://www.comedy.co.uk/tv/news/7769/gavin-and-stacey-return-denied/

I also get no reply if I try to set up a minimal amp-consent page following the docs (but without setting up a CMP account, just copying the mock credentials in it):

example

```

Privacy Settings

AMP-RTC RP Test

---

More content

The cookie sync iframe can't be within 600px from the top. ```

what am I doing wrong?

[dgirardi]

I am realizing now that my testing method is likely the problem - I am using browser extensions to modify the contents of the iframe src; that does not preserve the origin, so my messages are probably failing some check and discarded. We can close this, I'll change my workflow and come back if I still have problems.

[powerivq]

@dgirardi Yes, AMP runtime does have origin check when sending/receiving messages. Glad it was figured out.

@bretg when you have time, maybe you can take a look at this. If it works for you, I will close this issue.

[bretg]

If @dgirardi 's happy, I'm happy.