waldhacker / ext-hcaptcha

GNU General Public License v3.0

Feature: Add option for Cookie-Consent-Mode #18

Closed peter-neumann-dev closed 4 months ago

peter-neumann-dev commented 1 year ago

To use hCaptcha in a GDPR-compliant way, we need to load the API script after the user consents in a cookie manager. Therefore, we need the possibility to add the script with data-src instead of src and with additional data attributes.

It could be that this depends on the cookie consent tool that is used in the project. In our case, it is kiprotect/klaro.

For now, I will look at adjusting the Template or ViewHelper in our case.

waldhacker1 commented 1 year ago

Hello Peter, thanks for your feature request. A spammer will probably not give the user consent to enable spam protection, but send the form directly without the spam protection. In this case, it is probably better to hide the entire form and replace it with a mailto link or something similar, similar to what we do with external video content if the user does not give consent to load it. Showing and hiding the form, depending on the user's consent, should be better implemented in the consent tool than in this extension. I will write a few words about it in the documentation.

peter-neumann-dev commented 1 year ago

Thanks for your answer. Of course, a spambot will not consent. It's more a problem with the third-party API script that I loaded without consent of the real user.

I was unable to try it out, but our plan is:

What I am not sure about is whether, if the form is hidden and the iFrame from hCaptcha is not loaded, it is possible to submit the form successfully in the background, because a bot will still be able to fill and submit the hidden form.
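The concern above (a form can still be posted when the hCaptcha script never loaded) comes down to the server-side check failing closed. The following is an added example, not code from ext-hcaptcha or from any commenter; the function names and sample values are hypothetical, and it assumes hCaptcha's default h-captcha-response field and its siteverify endpoint.

```php
<?php
declare(strict_types=1);

// Added example, not ext-hcaptcha code. Function names are hypothetical.
// $siteverify is any callable that submits secret + token to hCaptcha and
// returns the decoded JSON array; it is injected so the decision logic can
// be exercised offline with a stub.

function hcaptchaSiteverify(string $secret, string $token): array
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://api.hcaptcha.com/siteverify', false, $ctx);
    $json = is_string($body) ? json_decode($body, true) : null;
    // Network errors and malformed replies count as a failed verification.
    return is_array($json) ? $json : ['success' => false];
}

function isSubmissionAllowed(array $post, string $secret, callable $siteverify): bool
{
    $token = $post['h-captcha-response'] ?? '';
    // If the widget never loaded (consent refused, or a client posting the
    // form directly), there is no token: reject before calling the API.
    if (!is_string($token) || trim($token) === '') {
        return false;
    }
    $result = $siteverify($secret, $token);
    // Only an explicit boolean true passes; anything else fails closed.
    return ($result['success'] ?? false) === true;
}

// Constructed sample submissions, checked with a stub verifier that accepts
// exactly one constructed token value.
$stub = fn(string $s, string $t): array => ['success' => $t === 'valid-token'];
$samples = [
    'no token field' => ['email' => 'a@example.org'],
    'empty token'    => ['h-captcha-response' => ''],
    'unknown token'  => ['h-captcha-response' => 'made-up'],
    'valid token'    => ['h-captcha-response' => 'valid-token'],
];
foreach ($samples as $label => $post) {
    $ok = isSubmissionAllowed($post, 'secret-placeholder', $stub);
    echo $label, ': ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

In production, pass 'hcaptchaSiteverify' as the callable in place of the stub.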

agriaIT commented 7 months ago

Hello @waldhacker1, I have the same problem as @peter-neumann-dev described with using it in a GDPR-compliant way. I use Usercentrics as cookie manager. Here I need to change the standard header from <script src="https://js.hcaptcha.com/1/api.js"></script> into <script type="text/plain" data-usercentrics="hCaptcha" src="https://js.hcaptcha.com/1/api.js"></script> to get it to work correctly.

peter-neumann-dev commented 7 months ago

I solved it by overriding the Hcaptcha partial and adding the script there by replacing the <hcaptcha:forms.hcaptcha />

To access the src I created TypoScript libs:

# Create lib objects to access in form field partial
lib.hCaptchaApiScript = TEXT
lib.hCaptchaApiScript.value = {$plugin.tx_hcaptcha.settings.apiScript}
lib.hCaptchaPublicKey = TEXT
lib.hCaptchaPublicKey.value = {$plugin.tx_hcaptcha.settings.publicKey}

And then adding to the form partial:

<div class="h-captcha" data-sitekey="{f:cObject(typoscriptObjectPath: 'lib.hCaptchaPublicKey')}"></div>

<script data-name="hcaptcha" data-src="{f:cObject(typoscriptObjectPath: 'lib.hCaptchaApiScript')}?hl=de" type="text"></script>

agriaIT commented 7 months ago

I found another way. I modified the HcaptchaViewHelper.php like this:

$this->assetCollector->addJavaScript(
    'hcaptcha',
    $this->configurationService->getApiScript(),
    ['async' => '', 'defer' => '', 'data-usercentrics' => 'hCaptcha', 'type' => 'text/plain']
);

and added a simple text "Please activate cookies for hCaptcha." element into Hcaptcha.html below form partial formvh:renderRenderable. The only problem currently is that the text is also shown, even if the hCaptcha is loaded or blocked. So I need a possibility to hide the text if the rendering of hCaptcha is working correctly.