Bug 424124 - Blocked by X-Frame-Options Policy on https://kde.org/community/whatiskde/impressum
Summary: Blocked by X-Frame-Options Policy on https://kde.org/community/whatiskde/impr...
Status: RESOLVED FIXED
Alias: None
Product: www.kde.org
Classification: Websites
Component: general (show other bugs)
Version: unspecified
Platform: Other Linux
: NOR minor
Target Milestone: ---
Assignee: kde-www mailing-list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-12 14:46 UTC by Ingo Klöcker
Modified: 2020-07-12 17:27 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ingo Klöcker 2020-07-12 14:46:38 UTC
SUMMARY
On https://kde.org/community/whatiskde/impressum Firefox shows
===
Blocked by X-Frame-Options Policy

An error occurred during a connection to stats.kde.org.

Firefox prevented this page from loading in this context because the page has an X-Frame-Options policy that disallows it.
===

STEPS TO REPRODUCE
1. Open https://kde.org/community/whatiskde/impressum
2. Scroll down

Information logged in browser console:
===
16:33:09.226 Loading failed for the <script> with source “https://stats.kde.org/matomo.js”. impressum:1:1

16:33:09.477 Load denied by X-Frame-Options: “sameorigin” from “https://stats.kde.org/index.php?module=CoreAdminHome&action=optOut&language=de”, site does not permit cross-origin framing from “https://kde.org/community/whatiskde/impressum”.

16:33:09.577
No strings exist for this error type aboutNetError.js:439:13
    setNetErrorMessageFromCode chrome://browser/content/aboutNetError.js:439
===

Additional information:
* I'm using Firefox with very strict tracking protection including "Do Not Track".
* Loading of matomo.js is blocked by uBlock Origin.
Comment 1 Albert Astals Cid 2020-07-12 15:11:33 UTC
I am not sure what we can do here.

That frame is there to let you opt out of matomo tracking you, but since you're blocking matomo the frame doesn't load.
Comment 2 Ingo Klöcker 2020-07-12 15:46:36 UTC
That's why I've rated it as "minor" issue.

The text could be changed if we detect that tracking is blocked (but I don't know how to detect this). Currently, it reads "If you do not agree with the storage and evaluation of your data from your visit, then you can opt-out of storage and usage via a mouse click.", but then there's just an error instead of an opt-out button. An evil lawyer could probably sue us.

In fact, it's even worse. According to a recent ruling of the German highest court (Bundesgerichtshof) the visitors of our websites have to opt-in explicitly into tracking. Tracking them by default with the option to opt-out is against the law. Maybe websites have already been changed accordingly and ask the users for active consent.
Comment 3 Albert Astals Cid 2020-07-12 16:05:13 UTC
(In reply to Ingo Klöcker from comment #2)
> That's why I've rated it as "minor" issue.
> 
> The text could be changed if we detect that tracking is blocked (but I don't
> know how to detect this). Currently, it reads "If you do not agree with the
> storage and evaluation of your data from your visit, then you can opt-out of
> storage and usage via a mouse click.", but then there's just an error
> instead of an opt-out button. An evil lawyer could probably sue us.
> 
> In fact, it's even worse. According to a recent ruling of the German highest
> court (Bundesgerichtshof) the visitors of our websites have to opt-in
> explicitly into tracking. Tracking them by default with the option to
> opt-out is against the law. Maybe websites have already been changed
> accordingly and ask the users for active consent.

I'm not a lawyer and totally not a german lawyer, but IMHO we don't do anything that can be considered tracking, we just count visits. Actually the only way to say you don't want to be counted is for us to actively start tracking you (i.e. give you a cookie)
Comment 4 carl 2020-07-12 16:13:31 UTC
I recently updated the matomo scripts to disable the cookie tracking following this instruction (https://matomo.org/faq/general/faq_157/).

This makes the analytics less 'good' but allows us to not have to include a cookie consent banner since we aren't tracking visitors anymore. It is now just counting the page views and the returning visitor statistic is less precise than before but for the current usage of matomo this is more than enough.

More info: https://matomo.org/cookie-consent-banners/
Comment 5 Ingo Klöcker 2020-07-12 16:37:47 UTC
Okay. Sounds good. But let's see if I understand correctly:
* By default, we do not set any cookies.
* If I opt-out, then we set a cookie and we stop counting visits.

But then the text on the website should be changed/updated. It talks about cookies used by Piwik (Piwik should be changed to Matomo), but Matomo doesn't set cookies anymore (except when you opt-out).
Comment 6 Nicolás Alvarez 2020-07-12 17:27:01 UTC
Thanks for the report. I have changed the response headers and now the opt-out screen is displayed properly in the impressum page.

Details: The kde.org impressum displayed the opt-out page in a frame, and stats.kde.org sends an X-Frame-Options header saying it's not allowed to be displayed in a frame in another hostname. I have now added an exemption: the opt-out screen ("query string contains &action=optOut") is allowed to appear in a frame in kde.org ("Content-Security-Policy: frame-ancestors 'self' https://kde.org").

This fixes the immediate problem, but as discussed later maybe we need to change text elsewhere if we don't set tracking cookies anymore...