SUMMARY
On https://kde.org/community/whatiskde/impressum Firefox shows
===
Blocked by X-Frame-Options Policy
An error occurred during a connection to stats.kde.org.
Firefox prevented this page from loading in this context because the page has an X-Frame-Options policy that disallows it.
===

STEPS TO REPRODUCE
1. Open https://kde.org/community/whatiskde/impressum
2. Scroll down

Information logged in browser console:
===
16:33:09.226 Loading failed for the <script> with source “https://stats.kde.org/matomo.js”. impressum:1:1
16:33:09.477 Load denied by X-Frame-Options: “sameorigin” from “https://stats.kde.org/index.php?module=CoreAdminHome&action=optOut&language=de”, site does not permit cross-origin framing from “https://kde.org/community/whatiskde/impressum”.
16:33:09.577 No strings exist for this error type aboutNetError.js:439:13
setNetErrorMessageFromCode chrome://browser/content/aboutNetError.js:439
===

Additional information:
* I'm using Firefox with very strict tracking protection including "Do Not Track".
* Loading of matomo.js is blocked by uBlock Origin.
I am not sure what we can do here. That frame is there to let you opt out of matomo tracking you, but since you're blocking matomo the frame doesn't load.
That's why I've rated it as a "minor" issue.

The text could be changed if we detect that tracking is blocked (but I don't know how to detect this). Currently, it reads "If you do not agree with the storage and evaluation of your data from your visit, then you can opt-out of storage and usage via a mouse click.", but then there's just an error instead of an opt-out button. An evil lawyer could probably sue us.

In fact, it's even worse. According to a recent ruling of the German highest court (Bundesgerichtshof) the visitors of our websites have to opt-in explicitly into tracking. Tracking them by default with the option to opt-out is against the law. Maybe websites have already been changed accordingly and ask the users for active consent.
(In reply to Ingo Klöcker from comment #2)
> That's why I've rated it as "minor" issue.
>
> The text could be changed if we detect that tracking is blocked (but I don't
> know how to detect this). Currently, it reads "If you do not agree with the
> storage and evaluation of your data from your visit, then you can opt-out of
> storage and usage via a mouse click.", but then there's just an error
> instead of an opt-out button. An evil lawyer could probably sue us.
>
> In fact, it's even worse. According to a recent ruling of the German highest
> court (Bundesgerichtshof) the visitors of our websites have to opt-in
> explicitly into tracking. Tracking them by default with the option to
> opt-out is against the law. Maybe websites have already been changed
> accordingly and ask the users for active consent.

I'm not a lawyer and totally not a German lawyer, but IMHO we don't do anything that can be considered tracking, we just count visits. Actually the only way to say you don't want to be counted is for us to actively start tracking you (i.e. give you a cookie).
I recently updated the matomo scripts to disable the cookie tracking following this instruction (https://matomo.org/faq/general/faq_157/). This makes the analytics less 'good' but allows us to not have to include a cookie consent banner since we aren't tracking visitors anymore. It is now just counting the page views and the returning visitor statistic is less precise than before but for the current usage of matomo this is more than enough. More info: https://matomo.org/cookie-consent-banners/
Okay. Sounds good. But let's see if I understand correctly:
* By default, we do not set any cookies.
* If I opt-out, then we set a cookie and we stop counting visits.

But then the text on the website should be changed/updated. It talks about cookies used by Piwik (Piwik should be changed to Matomo), but Matomo doesn't set cookies anymore (except when you opt-out).
Thanks for the report. I have changed the response headers and now the opt-out screen is displayed properly in the impressum page.

Details: The kde.org impressum displayed the opt-out page in a frame, and stats.kde.org sends an X-Frame-Options header saying it's not allowed to be displayed in a frame on another hostname. I have now added an exemption: the opt-out screen ("query string contains &action=optOut") is allowed to appear in a frame in kde.org ("Content-Security-Policy: frame-ancestors 'self' https://kde.org").

This fixes the immediate problem, but as discussed later maybe we need to change text elsewhere if we don't set tracking cookies anymore...
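The header policy described in the comment above, as an added example (not the KDE sysadmins' actual server configuration): a Python model of the stats host's framing headers before and after the exemption, plus a simplified browser-side check that reproduces the "sameorigin" refusal from the report and shows why the opt-out screen now loads from kde.org. The allowed origin https://kde.org comes from the comment; the rule of matching on action=optOut in the query string is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Origin permitted to embed the opt-out screen (taken from the fix described above).
OPT_OUT_FRAMING_ORIGINS = ("https://kde.org",)


def frame_headers(request_url: str) -> dict:
    """Framing-related response headers for one request to the stats host.

    Default: only same-origin framing. Exception (assumed matching rule): the
    Matomo opt-out screen, action=optOut in the query string, may also be
    framed by the listed origins.
    """
    query = parse_qs(urlsplit(request_url).query)
    if query.get("action") == ["optOut"]:
        ancestors = " ".join(("'self'",) + OPT_OUT_FRAMING_ORIGINS)
        # No X-Frame-Options here: it cannot express a cross-origin allow-list,
        # and a "sameorigin" value would still block the frame in any browser
        # that does not let frame-ancestors override it.
        return {"Content-Security-Policy": f"frame-ancestors {ancestors}"}
    return {
        "X-Frame-Options": "sameorigin",
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


def framing_allowed(headers: dict, self_origin: str, framer_origin: str) -> bool:
    """Simplified model of the browser decision: may a page at framer_origin
    embed a response from self_origin that carries these headers?

    frame-ancestors, when present, takes precedence over X-Frame-Options.
    Only exact-origin sources are modelled (no wildcards or scheme sources).
    """
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "frame-ancestors":
            allowed = set()
            for src in tokens[1:]:
                if src == "'self'":
                    allowed.add(self_origin)
                elif src != "'none'":
                    allowed.add(src)
            return framer_origin in allowed
    xfo = headers.get("X-Frame-Options", "").lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin == self_origin
    return True  # no framing restriction at all
```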