matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0
19.9k stars 2.65k forks

Optout function in an iframe on iOS/MacOS no longer works #16648

Closed PeteTrombone closed 9 months ago

PeteTrombone commented 4 years ago

The optout function in an iframe no longer works on iOS / MacOS if the Matomo domain is different to the page domain. The following message is displayed: "The tracking opt-out feature requires cookies to be enabled."

This is a big data protection problem in Europe!

Findus23 commented 4 years ago

Hi,

That's the issue with blocking third-party-cookies (or more precisely from blocking iFrames in a website from setting a cookie on another domain). It is great for privacy (if every website was allowed to read and write cookies from tracking.example, people could be tracked easily between domains). But it also means that if you are tracking yourwebsite.example with matomo.example and are embedding the iFrame, you are stopping it from setting the opt-out cookie on matomo.example as this is also a third-party domain.

Now one solution is setting the opt-out cookie on the domain of the tracked website, but this is nothing the iFrame can do (as it only has access to the matomo.example domain) and is what is done when using this guide: https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form

But this also means that you cannot opt out of tracking on matomo.example for all sites that are tracked there, but just for the one you are currently on.

I don't really have a solution, as any method that allows storing the user consent status/opt-in/opt-out also allows storing tracking data about this user and will therefore be (rightfully) limited by browsers and browser extensions.

If you (or anyone else) have an idea on what could be done here, it would be great.

tsteur commented 4 years ago

BTW if the privacy page includes the Matomo tracker and points to the same page Matomo tracker instance, then first party cookies will be used additionally to the third party. This was implemented in https://github.com/matomo-org/matomo/pull/15184

Meaning: if there's, e.g., a tracker on the privacy policy page pointing to https://matomo.example.org/matomo.php and the opt out is also loaded from https://matomo.example.org/index.php?module=...&action=optout... then Matomo would try to set also a first party cookie for this site using a feature called postMessage.

Besides this, there isn't anything else we can do, I suppose, except for a custom opt out form as mentioned in the previous comment.
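The postMessage pattern described in the comment above, seen from the embedding page, as an added sketch that is not part of the thread and not Matomo's own code. The message shape `{type, optedOut}`, the cookie name `example_optout` and both function names are assumptions made for illustration.

```javascript
// Added illustration only: message shape, cookie name and function names are
// assumptions, not Matomo's actual implementation.
const OPT_OUT_COOKIE = 'example_optout';      // hypothetical cookie name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Decide what the embedding (first-party) page does with a message event.
// Returns a string suitable for document.cookie, or null to ignore the message.
function cookieForOptOutMessage(event, analyticsOrigin) {
  // 1. Only the analytics origin may change consent state on this page.
  //    Exact comparison: prefix or substring checks would accept look-alike origins.
  if (event.origin !== analyticsOrigin) return null;

  // 2. Accept only the exact, expected message shape.
  const msg = event.data;
  if (msg === null || typeof msg !== 'object') return null;
  if (msg.type !== 'optout-state' || typeof msg.optedOut !== 'boolean') return null;

  // 3. Store the choice under the page's own domain (first party), which
  //    third-party cookie blocking does not affect. Max-Age=0 deletes it.
  const maxAge = msg.optedOut ? ONE_YEAR_SECONDS : 0;
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Tracker-side check: skip tracking when the first-party cookie is present.
function isOptedOut(cookieHeader) {
  return cookieHeader
    .split(';')
    .some((c) => c.trim().startsWith(`${OPT_OUT_COOKIE}=`));
}

// Browser wiring (skipped under Node, where `window` is undefined).
if (typeof window !== 'undefined') {
  const ANALYTICS_ORIGIN = 'https://matomo.example.org'; // origin used in the thread
  window.addEventListener('message', (event) => {
    const cookie = cookieForOptOutMessage(event, ANALYTICS_ORIGIN);
    if (cookie) document.cookie = cookie;
  });
}
```

The listener ignores every message whose origin is not exactly the analytics origin, so another frame on the page cannot flip a visitor's consent state.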

mattab commented 9 months ago

Thanks for contributing to this issue. As it has been a few months since the last activity and we believe this is likely not an issue anymore (opt-out was changed since and doesn't use iframe anymore), we will now close this. If that's not the case, please do feel free to either reopen this issue or open a new one. We will gladly take a look again!