sandstorm / Sandstorm.CookiePunch

Neos Package for content-first consent management built on top of klaro.js.
MIT License

Rich Snippets get killed #2

Closed mgrundkoetter closed 3 years ago

mgrundkoetter commented 3 years ago

The package also kills every rich snippet on the website. For instance, things like:

<script type="application/ld+json">{"@context":"http:\/\/schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xyz.local\/"},{"@type":"ListItem","position":2,"name":"\u00dcber uns","item":"https:\/\/xyz.local\/de\/ueber-uns"}]}</script>

will become:

<script data-type="application/ld+json" type="text/plain" data-name="default">{"@context":"http:\/\/schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xyz.local\/"},{"@type":"ListItem","position":2,"name":"\u00dcber uns","item":"https:\/\/xyz.local\/de\/ueber-uns"}]}</script>

Which makes it unusable.

fheinze commented 3 years ago

Thanks for your feedback. Looks like you are the first one ;)

Yes, the package kills EVERY script tag, also the inlined ones. This is intentional as these snippets might also set cookies directly. They can also add iframes or load third-party JavaScript.

CookiePunch does not know which script tags might or might not be "harmful".

There are two ways to help with your issue:

  1. You can mark all of your tags to never be blocked. See STEP 3: Never block your own javascript

  2. You can switch the general mode of CookiePunch so it blocks nothing by default and explicitly target scripts you want to be blocked.

Sandstorm:
  CookiePunch:
    elements:
      # This will disable automatic blocking of every element.
      # You will have to define patterns to block elements explicitly.
      # By doing so you have a higher risk of things slipping through.
      block: false
      patterns:
        "https://www.youtube.com/embed/":
          type: iframe
          block: true
          group: media

For the next release I will try to improve docs and examples ;)

Cheers

mgrundkoetter commented 3 years ago

I added the process to my own rich snippet code, that worked:

@process.wrap = ${'<script type="application/ld+json">' + Json.stringify(value) + '</script>'}
@process.neverBlock = ${CookiePunch.neverBlockScripts(value)}

Nevertheless, the NEOS core generated snippets (like the breadcrumb example from above) still get destroyed. Inverting the default behavior of the package is not suitable in my opinion, as this kind of destroys the whole purpose of it somehow. So maybe you can have a look into this as kind of bug report/feature request. I guess all script tags with type="application/ld+json" should be untouched by default.

fheinze commented 3 years ago

Yes, makes sense for type="application/ld+json". Will have a look into this.
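
An added example, not part of the thread and not CookiePunch's own code: a Python audit of rendered HTML that separates JSON-LD data blocks neutralized by the rewrite shown in this issue from executable scripts that are still active. It assumes a blocked tag is recognizable by `type="text/plain"` plus a `data-type` or `data-name` attribute, as in the snippet above; the function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Script types a browser executes ("" means no type attribute at all).
EXECUTABLE = {"", "text/javascript", "application/javascript", "module"}

class ScriptAudit(HTMLParser):
    """Records (state, effective_type, data-name, src) for every <script> tag."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = {k: (v or "") for k, v in attrs}
        typ = a.get("type", "").strip().lower()
        original = a.get("data-type", "").strip().lower()
        if typ == "text/plain" and ("data-type" in a or "data-name" in a):
            # Rewritten form from the issue: the real type is parked in data-type.
            state = "blocked-script" if original in EXECUTABLE else "blocked-data"
        elif typ in EXECUTABLE:
            state = "active-script"   # runs without waiting for consent
        else:
            state = "data-block"      # e.g. untouched application/ld+json
        self.findings.append((state, original or typ, a.get("data-name"), a.get("src")))

def audit(html):
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def broken_structured_data(html):
    """Data blocks (such as rich snippets) that crawlers can no longer read."""
    return [f for f in audit(html) if f[0] == "blocked-data"]

def ungated_scripts(html):
    """Executable scripts that are not behind consent; review each one."""
    return [f for f in audit(html) if f[0] == "active-script"]

# Constructed sample page: one rewritten snippet, one intact snippet,
# one blocked third-party script, one inline script left active.
SAMPLE = """
<script data-type="application/ld+json" type="text/plain" data-name="default">{"@type":"BreadcrumbList"}</script>
<script type="application/ld+json">{"@type":"Organization"}</script>
<script data-type="text/javascript" type="text/plain" data-name="media" src="https://tracker.example/t.js"></script>
<script>console.log("own code")</script>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against pages rendered with and without the `neverBlock` processor or the `block: false` mode to see which snippets each setting restores and which executable scripts it leaves ungated.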