
It's time for some additional documentation covering some confusing configuration aspects now that the CSP plugin has been out for a while and a few users have had an opportunity to put it to the test.

An Extra Protocol Type

I'm calling these Protocol Types because the plugin documentation doesn't give them a specific name (the CSP specification calls them scheme sources). Two of them are used and described in the CSP specification and will look familiar: http: and https:. There is, however, another type.

You will occasionally see a Blocked URI that is not a URI at all: it is simply labeled "data". Browsers report only the scheme for a blocked URL that is not http or https, so this entry refers to a data: URI, content that is held within the attributes of an element, such as an image whose src attribute contains base64-encoded image data instead of an image URL.

To allow these, just enter the scheme as if it were a protocol: data: (without the quotes), and add it only to the directive that reported it, typically img-src or font-src. Do not add data: to script-src, object-src or default-src: a data: URI can carry arbitrary script or plugin content, so allowing the scheme there reopens the hole the policy exists to close.
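As an added illustration (this is not code from the CSP plugin), the following Node.js script triages constructed CSP violation reports and works out which source expression would have to be added for each blocked resource. It treats the scheme-only "data" entry as the data: scheme source and warns when that scheme would land in a directive that governs code. The report bodies, the example.test origin and the YouTube embed URL in the samples are constructed inputs.

```javascript
// Added example: triage CSP violation reports (not code from the CSP plugin).
// Browsers strip blocked URLs that are not http(s) down to the bare scheme, so a
// blocked data: URI arrives in the report as blocked-uri "data" (blob: as "blob").

// Constructed sample reports, in the shape a report-uri endpoint receives them.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://example.test/page",
      "violated-directive": "img-src", "effective-directive": "img-src",
      "blocked-uri": "data" } },
  { "csp-report": { "document-uri": "https://example.test/page",
      "violated-directive": "script-src 'self'", "effective-directive": "script-src",
      "blocked-uri": "data" } },
  { "csp-report": { "document-uri": "https://example.test/page",
      "violated-directive": "frame-src",
      "blocked-uri": "https://www.youtube-nocookie.com/embed/abcdefg?autoplay=0" } },
  { "csp-report": { "document-uri": "https://example.test/page",
      "violated-directive": "script-src",
      "blocked-uri": "inline" } },
];

// Directives where a scheme source such as data: means "allow attacker-supplied code".
const CODE_DIRECTIVES = new Set([
  "default-src", "script-src", "script-src-elem", "script-src-attr", "object-src", "worker-src",
]);

// Map one blocked-uri value to the CSP source expression that would allow it.
// Returns { source, note }; source is null when no source expression applies.
function sourceFor(blockedUri, directive) {
  if (["inline", "eval", "self", ""].includes(blockedUri)) {
    return { source: null, note: `${directive}: "${blockedUri}" needs a nonce, hash or code change, not a source` };
  }
  // A bare scheme token ("data", "blob", ...) becomes a scheme source ("data:").
  if (/^[a-z][a-z0-9+.-]*$/i.test(blockedUri)) {
    const scheme = blockedUri.toLowerCase() + ":";
    const note = CODE_DIRECTIVES.has(directive)
      ? `UNSAFE: ${scheme} in ${directive} lets a ${scheme} URI carry arbitrary code`
      : null;
    return { source: scheme, note };
  }
  try {
    const u = new URL(blockedUri);
    // Allow the origin (scheme + host + port), never the full path or query.
    const source = u.protocol === "https:" || u.protocol === "http:" ? u.origin : u.protocol;
    return { source, note: null };
  } catch (e) {
    return { source: null, note: `${directive}: unparseable blocked-uri "${blockedUri}"` };
  }
}

// Group reports by directive and collect the sources that would have to be
// added, plus any warnings. effective-directive is preferred because
// violated-directive may carry the whole directive text ("script-src 'self'").
function triage(reports) {
  const out = {};
  for (const r of reports) {
    const body = r["csp-report"] || {};
    const directive = (body["effective-directive"] || body["violated-directive"] || "").split(" ")[0];
    const { source, note } = sourceFor(body["blocked-uri"] || "", directive);
    const entry = out[directive] || (out[directive] = { sources: new Set(), notes: [] });
    if (source) entry.sources.add(source);
    if (note) entry.notes.push(note);
  }
  const result = {};
  for (const [d, e] of Object.entries(out)) result[d] = { sources: [...e.sources].sort(), notes: e.notes };
  return result;
}

console.log(JSON.stringify(triage(SAMPLE_REPORTS), null, 2));
```

Run it with node and feed it your own report log in place of SAMPLE_REPORTS; the img-src report resolves to data: with no warning, while the same blocked value under script-src is flagged rather than silently turned into a policy change.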

Content - YouTube (No Cookies)

Overview

Content - YouTube (No Cookies) is a YouTube embed plugin that uses the cookie-less domain offered by YouTube (youtube-nocookie.com). This plugin implements ALL available features of YouTube iframe embeds.

This plugin uses {ytnc} tags to identify videos to embed. It can optionally be configured to detect links to YouTube videos, but this is not as easy to use, because the display configuration options must then be included in the URL. This plugin is also capable of embedding using a process called Lazy Loading, where the video thumbnail and a play button are displayed and the video is loaded only when they are clicked. This greatly reduces page load time, but requires users to click twice to play a video.

Installation

  1. Download Content - YouTube (No Cookies) from the RicheyWeb download page.
    • This page will remain unlinked, as the link may change in the future. Visit http://www.richeyweb.com and use the search feature - search for "Content - YouTube (No Cookies)".
  2. In Joomla /administrator, go to the "Extensions" menu, the "Manage" sub-menu, and the "Install" sub-menu.
  3. Select the "Upload Package File" tab
  4. Press the "Choose File" button to browse your system and locate the plugin file you downloaded
  5. Press the "Upload & Install" button

At this point, the extension is installed but not enabled. You can find the plugin by going to the Extensions menu and selecting "Plugins". When in the plugin manager, search for "Content - YouTube (No Cookies)".

Configuration

Defaults

The Defaults tab holds 21 configurations that control the video iframe. Each item has a mouseover tooltip that gives a brief description of the function of that item, and the label is a link to the YouTube documentation for the item. Many items depend on each other, and enabling one item may prevent another from operating as expected.

When set to something other than the plugin default, these items alter the way ALL embeds behave on the site; think of them as site-wide defaults. If you choose autoplay = Yes here, then all videos will autoplay unless overridden.

Advanced

The Advanced tab allows you to enable additional functionality. With Convert URLs enabled, the plugin processes all identified YouTube URLs, turning them into embeds.

Convert URLs

The following URL schemes are supported:

  • https://www.youtube.com/watch?v=abcdefg&21queryvars
  • https://youtube.com/watch?v=abcdefg&21queryvars
  • youtube.com/watch?v=abcdefg&21queryvars
  • https://www.youtube-nocookie.com/watch?v=abcdefg&21queryvars
  • https://youtu.be/abcdefg?21queryvars

Because of the number of possible query vars, I indicated their presence with "21queryvars"

LazyLoad

Lazy loading is a process where a placeholder image is used instead of the video. When the placeholder is clicked, the video is loaded. This feature is very reliable and greatly reduces page load times, especially with multiple videos.

LazyLoad Thumbnail

Choose the thumbnail quality to use for your lazy-loaded videos. The availability of thumbnail images depends on the quality of the uploaded video. default.jpg will always be available, but will also always look terrible. A good default is sddefault.jpg; when you find a video that is missing that thumbnail, override it using the {ytnc} tag attribute lazyload_thumbnail="1.jpg" (or whatever thumbnail you find that works for you).

Overriding Defaults

The parameter hierarchy is this:

Defaults < URL query vars < ytnc tag attributes

For example, if your default autoplay value is Yes (1) and your video URL contains autoplay=0, then the URL has overridden the default value and the embedded video will not play automatically.

Same scenario as above, but the URL is wrapped in {ytnc autoplay="1"}...{/ytnc}: the default is overridden by the URL, but the URL is overridden by the tag, so the video will autoplay.

HELP

Please post your questions in the forum, so other users can benefit from the troubleshooting steps used to resolve your problem.

To illustrate the difference between the EU e-Privacy Directive extension (2 plugins, 1 module) and the other cookie extensions in the Joomla Extension Directory, I've created a table listing the capabilities of each.

Testing methods are as follows:

Allows Cookies:

Load the demo URL in Chrome without accepting anything, then open Developer Tools (F12) and view Application > Storage > Cookies. If any cookies are listed, the extension fails.

Javascript Cookies:

In Chrome, open the Developer Tools (F12) and use the console to execute the following command: document.cookie = "username=John Doe";

If executing document.cookie afterwards produces "username=John Doe", the extension fails.

An example of a passing test -

[Screenshot: a passing example]

3rd Party Cookies:

In Chrome, open the Developer Tools (F12) and view Application > Storage > Cookies. If any cookies exist for an external domain (not the domain of the website you're viewing), the extension fails. Additionally, if other domains are listed (indicating frames) and those other domains have cookies, the extension fails.

An example of a failing test -

[Screenshot: a failing example]
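As an added example (not part of the EU e-Privacy Directive extension or any of the reviewed ones), the following Node.js script automates the Allows Cookies and 3rd Party Cookies checks over a captured pre-consent page load instead of reading the Cookies pane by hand. The responses are a constructed capture, the site under test (example.test) is assumed, and the registrable-domain check is a two-label approximation standing in for the Public Suffix List.

```javascript
// Added example: automate the "Allows Cookies" and "3rd Party Cookies" checks
// over a captured pre-consent page load. Not part of any extension on this page.

// Site under test (assumed) and a constructed capture, one entry per response
// with the request URL and the Set-Cookie headers it carried (as exported from
// the Network tab or a HAR file).
const SITE = "https://example.test/";
const SAMPLE_RESPONSES = [
  { url: "https://example.test/", setCookie: ["sessid=a1b2c3; Path=/; HttpOnly"] },
  { url: "https://static.example.test/app.js", setCookie: ["prefs=dark; Path=/"] },
  { url: "https://www.youtube.com/embed/abcdefg",
    setCookie: ["VISITOR_INFO1_LIVE=abc123; Domain=.youtube.com; Path=/"] },
  { url: "https://www.youtube-nocookie.com/embed/abcdefg", setCookie: [] },
];

// Parse one Set-Cookie header into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, attributes };
}

// Registrable domain, approximated as the last two labels. Assumption: good
// enough for example.test and youtube.com; a real tool would use the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Classify every cookie set during the load. A cookie is first-party when its
// domain (the Domain attribute, else the responding host) belongs to the same
// site as the page; anything else is a third-party cookie.
function auditCookies(siteUrl, responses) {
  const site = siteOf(new URL(siteUrl).hostname);
  const firstParty = [];
  const thirdParty = [];
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    for (const h of r.setCookie) {
      const c = parseSetCookie(h);
      const domain = typeof c.attributes.domain === "string" ? c.attributes.domain : host;
      const record = { name: c.name, domain: domain.replace(/^\./, "").toLowerCase(), setBy: host };
      (siteOf(domain) === site ? firstParty : thirdParty).push(record);
    }
  }
  return {
    firstParty,
    thirdParty,
    // "Allows Cookies" fails on any cookie at all; "3rd Party Cookies" on any foreign one.
    allowsCookies: firstParty.length + thirdParty.length > 0,
    thirdPartyCookies: thirdParty.length > 0,
  };
}

console.log(JSON.stringify(auditCookies(SITE, SAMPLE_RESPONSES), null, 2));
```

This only covers cookies set by HTTP responses; cookies written from JavaScript after the page loads (the second test above) are not visible in response headers, which is why the document.cookie console check is still needed.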

Other Storage Methods

EU lawmakers didn't just target cookies. The law covers other storage methods that act like cookies, including localStorage, sessionStorage, IndexedDB, WebSQL and even Flash cookies. Although the article linked below was written for e-Privacy, it's important to note that GDPR expands on e-Privacy.

http://dreamdealer.nl/articles/localstorage_vs_cookies_vs_the_law.html

Testing method:

In the JavaScript console, execute the commands localStorage.setItem('myCat', 'Tom'); sessionStorage.setItem('myCat', 'Tom');

If storage is disabled, localStorage.getItem('myCat') and sessionStorage.getItem('myCat') will return null instead of 'Tom'.

GDPR Compliance

If the extension allows any cookie without consent, it is not GDPR compliant. There are situations where some cookies are allowed without consent, but the vast majority of cookies do not meet the criteria.

Consent Model

There are 5 models of consent. Each exposes a site owner to varying levels of risk (Explicit Consent being the lowest risk, Information Only being the highest risk). Of the 5 models, 1 is compatible with GDPR, and that is Explicit Consent.

CookieLaw.org has an excellent writeup about the 5 models and the risk/benefit of each: https://www.cookielaw.org/media/105101/five-models-for-cookie-law-consent.pdf

Comparison

Using the tests above, the following comparison emerges. As you can see, the results are conclusive: no other cookie extension makes even an attempt to comply with the law; they have all opted for the easy way out provided by the bureaucrats, Information Only (often confused with implied consent).

The extensions are listed in order of popularity in the Joomla Extension Directory as of 3/23/2018.

Extension Review Date Demo Link Prevents HTTP Cookies Prevents Javascript Cookies Granular 3rd Party Cookie Control Prevents Local/Session Storage Usage GDPR Compliant Consent Model Free/Paid
EU e-Privacy Directive 2018-03-23 Explicit Consent Free
Folcomedia - Cookies Alert 2018-03-23 Information Only Free
Cookies Policy Notification Bar 2018-03-23 Information Only Paid
Responsive EU Cookie Notify 2018-03-23 Information Only Paid
Easy Cookie Alert 2018-03-23 Information Only Paid
JS Cookie Alert 2018-03-23 Information Only Paid
EU-Cookies 2018-03-23 Information Only Paid
Cookies Pro 2018-03-23 [1] Information Only Free
Cookie Notice 2018-03-23 Information Only Paid
iWt Cookie Alarm 2018-03-23 Information Only Paid
Responsive EU Cookie Alert 2018-03-23 Information Only Paid
Cookie Alert 2018-03-23 Information Only Paid
EU Cookie Directive Lite 2018-03-23 Information Only Free
Cookie Accept[2] 2018-03-23 N/A Information Only Free
EU Cookie Directive Pro 2018-03-23 Information Only Free
CookieHint 2018-03-23 Information Only Free
Simple Content Disclaimer 2018-03-23 Information Only Free
Esoftcookies[3] 2018-03-23 Information Only Free
EU Countries Cookie Alert Pro 2018-03-23 Information Only Paid
sketch.cookies 2018-03-23 Information Only Free
EasyCookieInfo 2018-03-23 [4] Information Only Free
AddCookieLaw[5] 2018-03-23 N/A Information Only Free
PixCookiesRestrict[6] 2018-03-23 Information Only Paid
Gogodigital Cookie Consent[7] 2018-03-23 N/A Information Only Free
yourData[8] 2018-03-23 N/A Information Only Free
DJ-CookieMonster[9] 2018-03-23 N/A Unknown Paid
redCOOKIE[9] 2018-03-23 N/A Unknown Paid
Moonchip Cookie Bar 2018-03-23 Information Only Paid
Cookie Notifications Builder[10] 2018-03-23 Information Only Paid
MK EU Cookie 2018-03-23 Information Only Paid
JK Cookie Alert Message Notice[11] 2018-03-23 Information Only Paid
jDisclaimer 2018-03-23 Information Only Free
A4 Infociacho 2018-03-23 Information Only Free
Wscookies[12] 2018-03-23 Information Only Paid
Dle Dismiss Cookie Bar[13] 2018-03-23 Information Only Paid
Rapi Cookie Alert[14] 2018-03-23 Information Only Free
GDPR[15] 2018-04-15 Information Only Paid
Dismiss Cookie Bar II 2018-04-15 Information Only Paid
Ruxin Cookie Alert 2018-04-22 Information Only Paid
Cookie Notice[16] 2018-04-23 Information Only Paid
Simple Content Disclaimer[16] 2018-04-23 Information Only Free
JK Cookie Alert Message Notice[16] 2018-04-23 Information Only Paid
Wscookies[16] 2018-04-23 Information Only Paid
Shack Toolbox (in cookie policy mode) 2018-05-24 Information Only Paid
eorisis Cookie Bar 2018-05-27 Information Only Paid
Kick GDPR[2] 2018-05-27 N/A Information Only Free
Civic Cookie Control[17] 2018-06-10 [18] Information Only Free
GDPR Compliance 2018-06-10 Information Only Paid
  1. Unable to determine this result from the demo, however - it failed the other tests, so this is likely also a failure
  2. No demo is available. The PHP was reviewed to obtain the results.
  3. Beware of this demo - the page refreshes constantly
  4. Unable to determine this result from the demo, however - it failed the other tests, so this is likely also a failure
  5. The developer's website is down, so you can't even get this extension
  6. This extension does weird stuff - it sets cookies and then doesn't quite delete them with JavaScript, which still fails the test (and is against the law prior to acceptance)
  7. No demo is available. The PHP was reviewed to obtain the results.
  8. Developer removed the demo, and the ability to download the module.
  9. No demo available, no source to review
  10. If you decline, you still get cookies
  11. Nothing is displayed in the demo, no source to review
  12. The accept bar auto-hides without selecting anything. If you decline, you still get cookies.
  13. The accept bar auto-hides without selecting anything.
  14. The demo isn't a demo, but the link actually works so I included it. The PHP was reviewed to obtain the results.
  15. This extension claims to detect the visitor's location and block cookies, so I tested it from a system I have in London, and the page response included a cookie. Also, GDPR requires users' consent before tracking cookies, but this extension only offers two ways to consent and no way to decline or withdraw consent.
  16. This extension hides from competition in another JED category.
  17. The demo isn't even a Joomla site!
  18. Doesn't prevent cookie-setting resources from loading; it deletes the cookies via JavaScript after they've been set, but only if they're in the current domain. Otherwise, it removes the object that carries the cookie. This is a bad solution, as the resource that carries the cookie has already transmitted tracking data by the time the script has removed it from the page. I would liken this to cleaning up a crime scene. This is not defensible in court.

Some of these demos are just terrible. They expect you to just believe what they tell you and not look behind the curtain. Here's an example:

[Screenshot]

A tremendous amount of time, effort and scrutiny has gone into the creation of the EU e-Privacy Directive extension for one reason - to protect you from your governments.

System - Google Analytics (No Cookies)

Overview

Installation

  1. Download System - Google Analytics (No Cookies) from the RicheyWeb download page.
    • This page will remain unlinked, as the link may change in the future. Visit http://www.richeyweb.com and use the search feature - search for "System - Google Analytics (No Cookies)".
  2. In Joomla /administrator, go to the "Extensions" menu, the "Manage" sub-menu, and the "Install" sub-menu.
  3. Select the "Upload Package File" tab
  4. Press the "Choose File" button to browse your system and locate the plugin file you downloaded
  5. Press the "Upload & Install" button

At this point, the extension is installed but not enabled. You can find the plugin by going to the Extensions menu and selecting "Plugins". When in the plugin manager, search for "System - Google Analytics (No Cookies)".

Configuration

The only mandatory configuration (other than enabling the plugin) is the Tracking ID. Without it, the Javascript will fail to load.

Please refer to the Analytics documentation for a description of the optional configurations:

https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference

Optional configurations:

  • Debug
  • Log Tracker Activity
  • anonymizeIp
  • Track Outbound Links
  • sampleRate
  • siteSpeedSampleRate
  • alwaysSendReferrer
  • allowAnchor
  • transport
  • userId

Per Menu Item configurations:

  • Disable
  • Debug
  • Log Tracker Activity
  • anonymizeIp
  • Track Outbound Links

HELP

No help requests have been made. If you find an issue, please submit a ticket or post to the forum.
