WordPress.org

Ready to get started?Download WordPress

Forums

Cookie Control
Plugin breaches Guidelines (19 posts)

  1. mentalist3d
    Member
    Posted 2 years ago #

    This is not a dig at the author of the file, as they have stated elsewhere that they wrapped up the code provided by Civic UK to create the plugin and other than that do not have any connection with Civic UK.

    However since Civic UK list this plugin on their website, they need to help the author upgrade the plugin so it is fully compliant with the WordPress guidelines for plugin developers - http://wordpress.org/extend/plugins/about/guidelines/

    The guidelines that have been breached include:

    • The plugin must not embed external links on the public site (like a "powered by" link) without explicitly asking the user's permission. Any such options in the plugin must default to NOT show the link.

    Two links to the Civic UK site are contained on the front end of the site. While it is important to give credit it should be up to the site owner, how that credit is given (if any).

    I have personally stripped out the two links from appearing on the front end of the site, however Civic UK and Sherred have been added to my credits page with links to their sites/profiles, but that is my choice.

    • No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate. The GPL specifically states "The source code for a work means the preferred form of the work for making modifications to it." Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances. However, note that some systems, like Paypal donation buttons, use encoded code as part of their normal operating mechanism. This is not considered to be "obfuscated" as this is simply how these types of systems operate and it is not a choice by the plugin author. These types of things are acceptable, but may result in the author being questioned about it for edge cases. If a non-encoded method for such services is available, use it.

    This rule has been breached, which is my major concern with the plugin. If you check the plugin file: cookieControl-4.1.min.js, it is using base64 encoding, which is obfuscated code.

    I see no reason why this code should be obfuscated, and I find obfuscated code untrustworthy as it does not allow the site owner to have complete control over their site, as well as understanding how the code operates.

    Again, I'm not having a dig at the author, as they have publicly stated they have only wrapped up the code provided by Civic UK, and I think the author has done really good work in turning it into a plugin.

    However, it needs to be mentioned to Civic UK who are actively promoting the plugin, that they need to help the author in changing the code to make it fully compliant with the WordPress guidelines.

    http://wordpress.org/extend/plugins/cookie-control/

  2. esmi
    Forum Moderator
    Posted 2 years ago #

    I've asked for the plugin to be investigated.

  3. mentalist3d
    Member
    Posted 2 years ago #

    Thanks for the quick response, hopefully the code can be tweaked slightly and cleaned up, or found that is safe to use, as the plugin will be useful to others for EU compliance.

  4. The base64 is used for images, which is acceptable. If there's more added in, though, that is a problem.

    What code did you remove to pull the link?

  5. mentalist3d
    Member
    Posted 2 years ago #

    Thanks for the update Ipstenu, that's reassuring to know it's just for images.

    If you edit the cookieControl-4.1.min.js file

    Look for the following code and remove it:

    <p class="ccc-about"><small><a href="http://www.civicuk.com/cookie-law" target="_blank" >about this tool</a></small></p><a class="ccc-icon" href="http://www.civicuk.com/cookie-law" target="_blank" title="About Cookie Control">About Cookie Control</a>

  6. Huh. I see why he thinks it's okay. That's ... well. We do allow some 'powered by' links within reason, but this one is really iffy.

  7. marksteven1
    Member
    Posted 2 years ago #

    Hi Ipstenu,

    The link back to the Cookie Control pages is there for two reasons:

    1) there's information there to inform users what the tool is for.
    2) we want to make the tool as widely available as possible - thus increasing user understanding and raising opt-in rates.

    We've developed the tool in collaboration with government, and it is the recommended solution within the Scottish Government. If you're in any doubt about the authenticity of the tool, this list of sites using it should set your mind at ease:

    [ Thank you, we get it, the code is being used by government web sites. ]

    CIVIC doesn't stipulate many restrictions on using the tool, except that the link must be maintained and the iconography used - there are good reasons for this.

    And please bear in mind that while CIVIC is benefitting from publicity around this, we have worked hard to develop a solution and make it available freely, for the whole community to use.

    Cheers,

    Mark

    Mark Steven
    Head of Client Services, CIVIC

  8. CIVIC doesn't stipulate many restrictions on using the tool, except that the link must be maintained and the iconography used - there are good reasons for this.

    I'm not a plugin reviewer, and my opinion should be taken with a grain of salt, but that restriction may violate the GPL requirement for listing your plugin here.

    Any software from the WordPress repository needs to be restriction free in a way that is compatible with the GPL. That doesn't mean you don't get credit for your work, but it does mean I (the user) can delete the link or the iconography if I choose to.

  9. esmi
    Forum Moderator
    Posted 2 years ago #

    We've developed the tool in collaboration with government, and it is the recommended solution within the Scottish Government.

    Having worked with local government (including some in Scotland) - and with all due respect - this is not any real endorsement. Nor, as Jan says, does it have any impact on whether the plugin complies with WPORG's plugin submission guidelines.

  10. mentalist3d
    Member
    Posted 2 years ago #

    And please bear in mind that while CIVIC is benefitting from publicity around this, we have worked hard to develop a solution and make it available freely, for the whole community to use.

    I appreciate that you have made the tool freely available (with restrictions), but you benefit greatly from the link backs.

    I have a site with over 1000 pages, WordPress and the Theme developer have 1 link on each page, so over 1000 links. I am fine with this because both the software and theme are core/critical components to the site.

    Why should I be giving Civic UK, 2 links per page (over 2000 links), for a tool, which isn't a critical or core component of the site, especially since on the Civic UK site it is stated:

    Cookie Control alone may not be enough to guarantee compliance with regulations and responsibility for this is not ours.

    The Civic UK site is getting a lot of link juice back from various sites for a tool that may not even make a site compliant, and even worse, you are getting more links back than what is being provided to WordPress or the theme developers in a typical wordpress installation.

  11. marksteven1
    Member
    Posted 2 years ago #

    We've agreed with the plugin developer that the link can be removed from the user interface (so @mentalist3d, no more 1000 links).

    We would request users to include a link to the tool however, a suitable place being their privacy policy.

    Hope that solution is acceptable to everyone.

  12. hairyhobo
    Member
    Posted 1 year ago #

    Question - what is the point to this plugin if it does not make your site comply with regulations?

  13. marksteven1
    Member
    Posted 1 year ago #

    @hairyhobo... if you can be specific about what you're trying to achieve, perhaps we can help you.

  14. hairyhobo
    Member
    Posted 1 year ago #

    Well if the Cookie Control site puts a statement as above "cookie control alone may not be enough to guarantee compliance" on their site to cover their arse so they have no come backs, what use is the plugin?
    I see they are trying to help yet then tell you what we are telling you might not be enough, so what is the point?

  15. hairyhobo
    Member
    Posted 1 year ago #

    I was looking around for a plugin and to see if i actually need to put the cookie statement on websites ive built or are building. A friend of mine who keeps his eye on this more than i do said when they release the law change the next day they released something to say it didnt matter (sorry i dont have the full details). So i saw this and just asked really. If im missing something on my previous post do tell me....

  16. mentalist3d
    Member
    Posted 1 year ago #

    @hairyhobo. I no longer use this plugin, but an alternative cookie compliance plugin, so I wont make any direct comment about this particular plugin.

    Regarding the law being carried out, it appears that if you make the attempt at compliance, then your safe(ish.

    At first all cookies were meant to be blocked by default, but ICO appear to accept that cookies can be used, as long as they are disclosed in a cookie/privacy policy (what is being used and what for), and that you make an attempt to notify users that the site uses cookies.

    I personally hate the cookie law, but do comply with it on my main site (notifying users of cookies), but on other sites I do not bother.

    Depending on what type of sites you build, I would suggest you make a judgement on whether or not to install a cookie compliance plugin.

    If you are doing commercial work for a client, I would usually put in a cookie compliance notice, just in case the ICO does make an issue of the Cookie law, and at least your client may be protected.

    Personal sites, I wouldn't bother. You can also have a look at nocookielaw.com, to see their stance on the issue. They started of making compliance plugins, but then decided 'stuff it'.

    You would really have to seek legal advice. All I can say, is some sites probably should have some type of Cookie notice, just in case, and other sites can probably ignore the law. It's a total judgement call you need to make on a site-by-site basis.

  17. hairyhobo
    Member
    Posted 1 year ago #

    thanks for the view mentalist3d, which one do you use?

  18. mentalist3d
    Member
    Posted 1 year ago #

    I've started using - http://wordpress.org/extend/plugins/cookie-law-info/ as it's quite discreet for fitting into the design of a site, again it probably doesn't make the site 100% compliant. Some sites I just don't bother.

  19. hairyhobo
    Member
    Posted 1 year ago #

    cool, thanks for the link.

    Yes i spoke to my friend and he said EU ruling said that any legislation couldn't actually enforce any mandatory notification that cookies were or were not being used for tracking, so took it as not to bother but maybe stick on a site that collects data in some form.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic