search

ns-dokuzentrum-muenchen / departure-neuaubing-frontend

Vue.js SPA for the Departure Neuaubing project
https://dn.nsdoku.de
MIT License
2 stars 0 forks source link

aka_debug Akamai Cookie #106

Closed xcvy closed 2 years ago

xcvy commented 2 years ago

We only need a consent banner if there are cookies set.

Can you figure out why the „do not track“ / cookie-less Vimeo sets a Akamai cookie?

IP addresses only need to go into the privacy section.

Bildschirmfoto 2022-01-21 um 11 30 15
xcvy commented 2 years ago

My unqualified search: https://stackoverflow.com/questions/44837450/recommended-method-to-prevent-any-content-inside-iframe-from-setting-cookies

n-kort commented 2 years ago

@xcvy can't work out a way to prevent this unfortunately. Only references to it that I can find online are in other Cookie policies, where it is 'essential' for video playback.

iframe doesn't help in this case since their all in video tags

n-kort commented 2 years ago

@xcvy I tested this in a sandboxed iframe and the video doesn't play at all.

xcvy commented 2 years ago

ok, I guess we then need a pop up that enables or disables video at the start?

xcvy commented 2 years ago

You used the do not track url, correct? Because we should then not get a statistic in Vimeo but we currently do. Is that just Vimeo disregarding dnt?

xcvy commented 2 years ago
Bildschirmfoto 2022-01-21 um 15 55 37
xcvy commented 2 years ago

Vimeo still claims that DNT disables the cookie – is it possible that the plyr or something else interferes with that dnt url?

https://vimeo.zendesk.com/hc/en-us/articles/360001494447-Player-parameters-overview

n-kort commented 2 years ago

@xcvy since we're not using the Vimeo player (or SDK) this doesn't apply. I've tried appending dnt=1 to the URLs that we are using (in the video <source>) but it doesn't change anything.

xcvy commented 2 years ago

Here is a link to the do not track version of the link: https://departure-neuaubing.nsdoku.de/pages/vimeo-test Here is the same link with the regular embed: https://departure-neuaubing.nsdoku.de/pages/vimeo-test-with-cookie

If I delete the cookies first it will show it but load them when I play the video in the Vimeo player. Can you reproduce this?

xcvy commented 2 years ago

They seem to be able to load from Vimeo without cookies: https://forensic-architecture.org/investigation/hanau-the-arena-bar

I think they do it by loading directly the MP4 but not via the Akamai link: https://player.vimeo.com/external/657458962.hd.mp4?s=d91d912e68e63e21eb9a89687071ee9e5607e1a5&profile_id=174&oauth_token_id=1118414987

n-kort commented 2 years ago

@xcvy that's what we're doing too actually. That gets redirected to some vod-progressive.akamaized.net/*** url, which then does try to set a cookie. This doesn't show up in Firefox for some reason, but looking in the Chrome network panel suggests this might be because they are blocked... since it does not specify a SameSite attribute.