scottsweb / wp-instagram-widget

❌ A WordPress widget for showing your latest Instagram photos.

Buffer output in variable to add filter for shortcodes #114

Closed udotelaar closed 4 years ago

udotelaar commented 5 years ago

Hi there!

In Germany we are not allowed to drop cookies from third parties like Instagram on our visitors' browsers without having their permission. So there is a cookie managing plugin (Borlabs Cookie) which allows visitors to opt in. Code like your Instagram widget can be surrounded by shortcodes and everything in between these shortcodes will not be executed until the user gives his permission. Is it possible to buffer your output in a variable like I did in my pull request to apply a filter on it? If you echo it directly it's not possible to put it in between the shortcodes. With this filter it's no problem.

The wpiw_before_widget and wpiw_after_widget actions do not solve the problem because the shortcodes have to be executed in one string to filter away the code in between. This filter does the job:

```php
function add_borlabs_to_instagram_widget($output) {
    return do_shortcode('[borlabs-cookie id="instagram" type="cookie"]' . $output . '[/borlabs-cookie]');
}
```

Thanks, Udo
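The buffering pattern requested above, as an added example that is not part of the original thread or the plugin's code. The filter name `wpiw_widget_output`, the `demo_*` functions, the `[consent-gate]` shortcode and the image URL are hypothetical; the stand-ins for `add_filter`, `apply_filters` and `do_shortcode` exist only so the script runs outside WordPress.

```php
<?php
// Added example. 'wpiw_widget_output' is a hypothetical filter name; the
// name used in the pull request is not shown in this thread.
if ( ! function_exists( 'add_filter' ) ) {
    // Minimal stand-ins (constructed) so the script runs without WordPress.
    $GLOBALS['demo_filters'] = array();
    function add_filter( $tag, $cb ) {
        $GLOBALS['demo_filters'][ $tag ][] = $cb;
    }
    function apply_filters( $tag, $value ) {
        foreach ( $GLOBALS['demo_filters'][ $tag ] ?? array() as $cb ) {
            $value = $cb( $value );
        }
        return $value;
    }
    // Stand-in for a consent plugin's enclosing shortcode: the enclosed
    // markup is dropped unless the visitor has opted in.
    function do_shortcode( $content ) {
        return preg_replace_callback(
            '/\[consent-gate\](.*?)\[\/consent-gate\]/s',
            function ( $m ) {
                return empty( $GLOBALS['demo_consent'] ) ? '<!-- blocked until opt-in -->' : $m[1];
            },
            $content
        );
    }
}
// Markup a widget would echo; the image host is a placeholder.
function demo_render_images() {
    echo '<ul class="instagram-pics"><li><img src="https://cdn.example.invalid/photo.jpg" alt=""></li></ul>';
}
// Buffered variant: capture everything echoed, filter it once, then echo.
function demo_widget() {
    ob_start();
    demo_render_images();
    $output = ob_get_clean();
    echo apply_filters( 'wpiw_widget_output', $output );
}
// Site-side hook: opening and closing shortcode are parsed in one string,
// which separate before/after actions cannot provide.
add_filter( 'wpiw_widget_output', function ( $output ) {
    return do_shortcode( '[consent-gate]' . $output . '[/consent-gate]' );
} );
$GLOBALS['demo_consent'] = false; // visitor has not opted in
demo_widget();
echo "\n";
$GLOBALS['demo_consent'] = true;  // visitor has opted in
demo_widget();
echo "\n";
```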

scottsweb commented 5 years ago

Thanks for the PR, I have no problem with what is being suggested here but I do want to check one thing:

> In Germany we are not allowed to drop cookies from third parties like Instagram on our visitors' browsers without having their permission.

There should be no cookies from third parties sent to the visitor's browser. The request for the images is made between your host servers and Instagram. As far as I know, Instagram does not send any other data along with the image URLs (no cookies are sent, I just tested it). With that in mind I wonder if this is actually needed.

udotelaar commented 5 years ago

Hi!

You are right, I did not explain it correctly. There is no cookie from Instagram but it connects to their servers so personal data (at least IP address) is given to Instagram without asking the visitor for permission. In Germany we put all these permissions together in one "cookie" banner and that's why I said cookie. So I need this filter to block the script until the visitor opts in.

feastdesignco commented 5 years ago

Ideally, the Instagram images would be fetched by the server and cached server-side, and served to the visitor from the server. This avoids the leaking of visitor data to Instagram entirely, reduces the number of requests to Instagram's APIs, and allows for faster serving of images.

https://github.com/scottsweb/wp-instagram-widget/issues/90

scottsweb commented 5 years ago

> so personal data (at least IP address) is given to Instagram without asking the visitor for permission

That is correct, I would expect it to be IP address but nothing more.

I am curious as to how the Internet continues to function in Germany. If you are not allowed to make a request to a server that will potentially log an IP address, how does someone visit your site if they have not yet agreed to allow the request to be served by your server? I am guessing by the time the Borlabs plugin has run, your server has already logged multiple requests, which would be too late. Perhaps I am reading too much into it :D

udotelaar commented 5 years ago

Don't blame me :) The law is getting crazier every week here. It's allowed to log the IP on your own server and do other things if you inform the visitor in your privacy statement and if it is necessary for running the website. Integrating images from Instagram, Like buttons from Facebook, maps from Google and so on is not necessary so it's not allowed without permission of the user.

florianbepunkt commented 5 years ago

To chime in: IP address is indeed considered personal data under the terms of GDPR. Therefore I encourage the approach suggested by @udotelaar. We are working on one of our sites, also using Borlabs Cookie as a sort of centralised consent management system. It is possible to run a site with no external requests until given user permission to do so.

Exception to this would be essential necessary use of data, as stated by Udo, for which GDPR provides its own rules. As far as I know this is European law so it basically applies not only to Germany.

scottsweb commented 4 years ago

Thanks for your contribution.

This project is being archived (background in #118). Instagram filed a trademark complaint which saw the plugin removed from WordPress.org and then proceeded to block it from accessing instagram.com. All pull requests are being closed and it will soon be in a read-only state.