mozilla / cookie-banner-rules-list Goto Github PK

https://www.icann.org/

There are some more StackExchange sites we can add rules for:

• superuser.com
• stackoverflow.co

Example: https://www.researchgate.net/publication/51853552_The_Severe_Sexual_Sadism_Scale_Cross-Validation_and_Scale_Properties

It fails and we don't really need it other than for pushes. E.g. see #6
@ahoneiser do you agree, or is there a reason why we need it to run for PRs too?

Cookie banner is displayed: https://azure.microsoft.com/fr-fr/

Azure is a subdomain, we do not currently support Subdomains

via mozilla/Foxfooding_Cookie_Banner_Handling#5

Firefox Version: Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Window Size (inner width and height): 1280x955
GitHub Username: @jnv

Steps to Reproduce

1. Visit https://www.politico.com/

Expected Behavior

I shouldn't see a cookie prompt

Actual Behavior

I see "We Care About Your Privacy" pop-over (more than one actually

Attachment

Link to the original attachment

Our linting code needs to be updated to take into account the new domains field.

https://yugioh.com/

via mozilla/Foxfooding_Cookie_Banner_Handling#3

Firefox Version: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Window Size (inner width and height): 1868x1088
GitHub Username: @127001

Steps to Reproduce

Open https://skype.com

Expected Behavior

The top cookie banner to be denied.

Actual Behavior

Cookiebanner remains visible.

Attachment

Link to the original attachment

https://www.wilderssecurity.com/

Environment:

• MacOS
• Nightly 108
• cookiebanners.service.mode set to 2
• cookiebanners.service.mode.privateBrowsing set to 2

STR

• Browse to yahoo.com
• Observe the blurred UI without a cookie banner for 2 seconds
• The cookie banner appears

Example: https://www.ericom.com/whatis/layered-security/

Example: https://stackoverflow.com/questions/27038732/css-fade-in-out-blinking

cookiebanners.service.mode is 1

The flickr rule hides the cookie banner element (.truste_box_overlay_inner), but not the translucent dark overlay that sits beneath the cookie banner (.truste_overlay), so that the site looks odd.

With banner auto-hidden:

Correct appearance, with div.truste_overlay hidden as well as div.truste_box_overlay_inner:

Note that the DOM structure requires us to hide two sibling elements whose parent element is the body el:

<body>
  ... lots of stuff ...
  <div class="truste_overlay"></div>
  <div class="truste_box_overlay">
    <div class="truste_box_overlay_inner">

I wonder if it might make sense to target the truste_box_overlay instead of truste_box_overlay_inner.

https://internxt.com/

Example page: https://arcticrisk.org/name-generator/

via mozilla/Foxfooding_Cookie_Banner_Handling#4

Firefox Version: Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Window Size (inner width and height): 1280x955
GitHub Username: @jnv

Steps to Reproduce

1. Visited google-analytics.com
2. I am redirected to https://marketingplatform.google.com/about/analytics/

Expected Behavior

I shouldn't see a cookie promp or announcement on the site.

Actual Behavior

I see a stripe "This site uses cookies from Google to deliver its services and to analyze traffic." on bottom of the site

Attachment

Link to the original attachment

via mozilla/Foxfooding_Cookie_Banner_Handling#9

Firefox Version: Firefox Nightly 108.0a1
Window Size (inner width and height): 1300x1050

Steps to Reproduce

1. Went to https://DHL.com as per list for foxfooding
2. DHL.com redirect to DHL.com/se-sv/...
3. Asks for permissions for cookies

Expected Behavior

Autorejected cookie notice.

Actual Behavior

Cookie notice not automatically rejected.

Attachment

Link to the original attachment

This requires updating the sync script to fetch the list from a remote URL instead of bundling it in the Docker image. It will remove the need re-deploy the script for rule list changes, which is currently a manual process.

We can use https://github.com/PyGithub/PyGithub in the script to get info about the latest release and get the rules list file associated with the release.

Example: https://web.dev/preload-critical-assets/

When I disable banner clicking by setting cookiebanners.bannerClicking.enabled to false and visit https://n-tv.de the cookie banner still shows up. This is probably because the cookie we set is dynamically generated and not replayable. We can rely solely on the clicking instead.

This cookie might not replayable generally. We should check all cases where we inject cookies with the key euconsent-v2.

#6 adds validation and code reformatting. We can use these scripts in a GitHub Action to ensure list change PRs are valid.

https://sportowefakty.wp.pl/ [non-english site]

Ex: https://twit.tv/shows/security-now/episodes/898

Need to hit "Hide"

Cookie banner is displayed https://www.lyreco.com/

https://speedof.me/

top of page

example: https://www.benq.com/en-us/monitor/home/ew3270u.html

For more details see:
mozilla-mobile/fenix#27719 (comment)
https://bugzilla.mozilla.org/show_bug.cgi?id=1803117#c2

Mozilla cookie banner on https://connect.mozilla.org/

Connect is a subdomain, we do not currently support Subdomains

For https://bugzilla.mozilla.org/show_bug.cgi?id=1801074 we're landing a change which will make the clicking code only run in the top level frame by default. That means we need to update the rules that rely on running in iframes. We need to add a "runContext": "child" entry to the click object.

via mozilla/Foxfooding_Cookie_Banner_Handling#7

Firefox Version: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Window Size (inner width and height): 1577x1160
GitHub Username: @gahisee

Steps to Reproduce

Simply browse to: http://www.vox.com/

Expected Behavior

Load the main page!

Actual Behavior

Not always but randomly, entire FF, not just the tab, locks up for up to 30 seconds.
I have reported this same issue with FF v106 as well.

Note: Button says "Fine" instead of accept

https://ask.fedoraproject.org/

Example: https://spectrum.ieee.org/peer-to-peer-network

Example: https://developer.chrome.com/docs/web-platform/webgpu/

blackopsaviation.com

via mozilla/Foxfooding_Cookie_Banner_Handling#10

Firefox Version: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Window Size (inner width and height): 1280x955
GitHub Username: @hokonch

Steps to Reproduce

1. cookiebanners.service.mode set to 2
2. Access https://businessinsider.com.pl/

Expected Behavior

Scrollable

Actual Behavior

Unscrollable

Attachment

Link to the original attachment

Example: https://the-line-up.com/david-parker-ray-disturbing-pieces-of-audio-that-you-wont-be-able-to-unhear

Slight flash of cookie modal before it is closed

Example: https://global.wf.com/hub_blog/year-dine-thanksgiving/

but I don't see a notice at https://wf.com

Currently we have both the sync script and the cookie banner rules list in the same repo. We don't expect to update the script very often, but the list will be updated frequently. There is no need to re-deploy the script whenever the list changes.

This will fix #8 too.

Banner is animated in and out: digicert.com

Cosmetic issue with the click rule

Banner still shows up:

via mozilla/Foxfooding_Cookie_Banner_Handling#2

Firefox Version: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Window Size (inner width and height): 1920x947
GitHub Username: @pedroldk

Steps to Reproduce

Go to https://cnn.com

Expected Behavior

The page should not reload.

Actual Behavior

Went to cnn.com and although the site didn't show the cookie banner as expected, the page reloaded. This behaviour might break redirects or pop-ups on some websit

Currently the entire rule list is in one big JSON file. Moving rules to individual files would make reviewing and handling rules easier.
This would require updating our sync-script and our validation CI.

Cookie banner is displayed: microsoft.com

https://winaero.com/

I was poking at the schema validation and we might be able to make it a bit more strict.
I broke your ./cookie-banner-rules-list.json file by adding typos to almost every field (except domain and id, both of which seem to be required).

    {
      "clik": {
        "otIn": "button.btn-accept",
        "ptOut": "button.btn-reject",
        "resence": "div#cookie-disclosure"
      },
      "domain": "netflix.com",
      "schem": 1661164945628,
      "cookes": {},
      "id": "6037802d-9a37-4df2-bf35-9ad60c478725",
      "last_moified": 1661164976796
    },

The validator seems to say that the file is still valid, and presumably all the typo fields are ignored.

I was able to get some errors throwing if I copy the schema locally, and add additionalProperties: false to the schema:

  "properties": {
    "data": {
      "type": "array",
      "items": 
      {
        "type": "object",
        "additionalProperties": false,
        "title": "Cookie Banner Rule",

… but now it seems to complain about unknown schema and last_modified properties. Quick fix:

          "schema": {
            "type": "number"
          },
          "last_modified": {
            "type": "number"
          },

Behold:

npm run validate

> [email protected] validate
> node test/validateRules.js

Rule list validation error [
  {
    instancePath: '/data/35',
    schemaPath: '#/properties/data/items/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'clik' },
    message: 'must NOT have additional properties'
  }
]

And we can slightly tweak that to return ALL errors, versus bailing on the first error by adding allErrors: true to our config:

const ajv = new Ajv({ loadSchema, allErrors: true });

And now it should report all-ish errors:

npm run validate

> [email protected] validate
> node test/validateRules.js

Rule list validation error [
  {
    instancePath: '/data/35',
    schemaPath: '#/properties/data/items/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'clik' },
    message: 'must NOT have additional properties'
  },
  {
    instancePath: '/data/35',
    schemaPath: '#/properties/data/items/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'schem' },
    message: 'must NOT have additional properties'
  },
  {
    instancePath: '/data/35',
    schemaPath: '#/properties/data/items/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'cookes' },
    message: 'must NOT have additional properties'
  },
  {
    instancePath: '/data/35',
    schemaPath: '#/properties/data/items/additionalProperties',
    keyword: 'additionalProperties',
    params: { additionalProperty: 'last_moified' },
    message: 'must NOT have additional properties'
  }
]

Still probably room for more improvements w/ nested properties. But I think it's probably worth adjusting our schema to be a bit stricter to catch typos.