
CookieWarning's GDPR compliance
Open, Needs Triage, Public

Description

While CookieWarning is GDPR compliant as long as a site has only essential cookies (and MediaWiki falls into that category by default), it is not GDPR compliant in case tracking scripts or advertising scripts have been added to a MediaWiki website, because GDPR requires user consent before the scripts' activation, something like this implementation for example: https://www.freeprivacypolicy.com/cookie-consent/

It would be great if the extension could be customized by each user in order to ask for visitors' consent for the scripts they use, in countries where the GDPR is in effect and to load all scripts by default in countries where the GDPR is not enforced.

Event Timeline

The idea sounds promising. However, the question would be: how is the extension able to block the scripts that need to be blocked? I think we're talking about analytics (like Google Analytics) and ad code (like Google AdSense)? How does your wiki add these scripts:

  • Is it another extension?
  • Is it added through a hook manually (like in LocalSettings.php)?
  • Is it added by another script on the page (client-side JavaScript)?
  • Is the code added in the skin/template?

There would be multiple ways for the extension to _advertise_ whether a user consented or not; however, that would mean that the extensions (or the code) which add the relevant scripts/cookies need to check this status on their side. This would require implementation in the other extensions as well.

This would, if I understood you correctly, also mean a boolean decision only, right? Like: yes, I want to consent (and therefore get all available scripts and cookies), or I do not consent (which means I get necessary cookies and scripts only)?

Please also (as information) do not assign tasks to other people if they did not explicitly state that they work on it :) This leaves space for other developers to take up a task they would like to work on and enables assigned developers to manage the tasks they work on on their own :)

I added you by momentum. I guess adding someone to the subscribers is the appropriate way to go.

About the task:

I have zero experience with MediaWiki's extensions, but I guess the easier way to implement this would be for the scripts to be added through CookieWarning itself.

And yes you are right. It is a boolean decision, but the consent can be given for each script separately, with the exception of essential cookies that are always enabled by default. Have a look at the example I shared: https://www.freeprivacypolicy.com/cookie-consent/ to see how a GDPR compliant warning is designed. In their example click "Change my preferences". You can check numerous similar implementations online.

> I added you by momentum. I guess adding someone to the subscribers is the appropriate way to go.

No, please don't. Thanks. :)

> but I guess the easier way to implement this would be for the scripts to be added through CookieWarning itself.

That sounds impossible to do, as CookieWarning would need a way to intercept how scripts can be added and would need to decide whether they should be loaded based on the consent given by the user, where the CookieWarning extension does not have any context to know that.

> And yes you are right. It is a boolean decision, but the consent can be given for each script separately, with the exception of essential cookies that are always enabled by default. Have a look at the example I shared:

In this example, you cannot change your consent for each individual script, but for specific categories (like tracking or advertisement). I think that would be the better way to go forward. I can think of a CookieWarning functionality which provides a way for another specific extension to check whether a user has given a specific consent or not.

However, this does not help us with the problem that each extension which adds cookies and (external) scripts needs to check with CookieWarning beforehand. Is it right to assume that this only applies to scripts and cookies added from _external_ sources? So not stuff that is loaded completely from the same site (I would count all of these as "necessary for the functionality")?

Can you also please provide information about which specific scripts we are speaking of? So, how did you add scripts on your wiki which are not "necessary", like ads? On my MediaWiki I have my own extension which adds the AdSense code, for example. Did you do it the same way?

> That sounds impossible to do, as CookieWarning would need a way to intercept how scripts can be added and would need to decide whether they should be loaded based on the consent given by the user, where the CookieWarning extension does not have any context to know that.

Can't the extension be the one that adds the code? In the example I gave, you have to paste the code given by Google AdSense, for example, in the respective textbox, and then add the code that is generated to your website. I don't know, though, how the activation or deactivation works; I haven't even tried to check that out.

> In this example, you cannot change your consent for each individual script, but for specific categories (like tracking or advertisement). I think that would be the better way to go forward. I can think of a CookieWarning functionality which provides a way for another specific extension to check whether a user has given a specific consent or not.

> However, this does not help us with the problem that each extension which adds cookies and (external) scripts needs to check with CookieWarning beforehand. Is it right to assume that this only applies to scripts and cookies added from _external_ sources? So not stuff that is loaded completely from the same site (I would count all of these as "necessary for the functionality")?

> Can you also please provide information about which specific scripts we are speaking of? So, how did you add scripts on your wiki which are not "necessary", like ads? On my MediaWiki I have my own extension which adds the AdSense code, for example. Did you do it the same way?

I haven't added anything to my wiki so far. I have installed it on a local server and I'm adding content and customizing it before putting it online. What I have in mind, if no other custom solutions are found, is to directly add the code (from a website like the one I used in my example) to the skins of MediaWiki and check after every upgrade if it's still in place; if not, I will add it again. I plan to add Google Analytics for starters, no other scripts.

Indeed, the example I shared has split the scripts into categories, and activation or deactivation applies to an entire category, but at the same time users can add as many scripts as they wish. If activation and deactivation can be done at the level of a category, it could probably be done the same way for each script separately. There are websites that have a full list of their scripts in the consent warning message, each one with its own activation/deactivation button. I'm not sure if the GDPR specifies at which level consent should be possible, but my guess is that probably both approaches would be acceptable. That's something that has to be checked before moving forward with any modifications to the extension, though.

Something I would like to bring to everyone's attention: an extension that embeds gtag.js into MediaWiki offers two ways of opting out of Google Analytics tracking:

  1. It checks the Do Not Track setting of the browser before loading the script and does not load it if the user has DNT enabled. (It also gives an option to ignore DNT.)
  2. By adding the "gtag-exempt" user right to the groups the administrator wishes. MediaWiki users that belong to groups with this right are not tracked.

Maybe it is possible to follow similar methodologies as this extension does, or even to interact with the GTag extension for the inclusion of Google Analytics in CookieWarning. Of course, the latter, I guess, is something that can happen only with the author's (@Skizzerz) collaboration.

CookieWarning should expose custom hooks that other extensions that integrate with it can use:

  1. A way for extensions to tell CookieWarning what other cookies they are setting which would require consent and which categories they belong to. This is best accomplished by a custom hook imo
  2. A way for extensions to check whether consent was given for a category in question. This is best accomplished by an API that extensions can call (e.g. a public static function) imo.

Actually loading the scripts would still be the responsibility of the individual extensions after consulting the above.

Of course if CookieWarning isn’t installed, the extensions would fall back to normal operation (not tracking consent).

> 1. A way for extensions to tell CookieWarning what other cookies they are setting which would require consent and which categories they belong to. This is best accomplished by a custom hook imo

Do we really need such a hook? Aren't categories like

  • "functional" (which never can be "deactivated")
  • "tracking" (like Google Analytics, matomo or whatever tool that tracks the user, probably also EventLogging?)
  • "advertising" (like Google AdSense or any other advertisers, which are shipped from external sources)

enough? Especially describing additional categories (by a message, e.g.) is probably too much overhead in the first version of such an enhanced consent thingy?

> 2. A way for extensions to check whether consent was given for a category in question. This is best accomplished by an API that extensions can call (e.g. a public static function) imo.

Does this need to be done in the backend (PHP side), or better in the frontend? I'm thinking about MediaWiki hooks (mw.hook) in the frontend, which extensions can use to subscribe to a specific event that is fired when the user consents to the cookies. This would allow an extension to even load scripts or do its job for the current page view when the user accepts in this page load (such as still shipping ads or recording this page view).

We would still need a backend function which tells other extensions whether this feature is actually available or not. Also, we need to find an efficient way of transmitting the information about whether consent is given on later page loads. Maybe both ways? A backend static function which evaluates the consent based on the cookie, and a frontend hook for whenever the consent is changed on the current page load?

> Actually loading the scripts would still be the responsibility of the individual extensions after consulting the above.

I think this is something we cannot do in another way. CookieWarning should not need to know which scripts/cookies other extensions are loading or using; this would be too much overhead.

> Of course if CookieWarning isn’t installed, the extensions would fall back to normal operation (not tracking consent).

Based on the frontend solution I described above, this would be the job of the backend static function: to find out if the extension is installed and if the consent feature is available.
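As an added illustration of the design sketched in the two comments above (the category-based consent check with a fallback when CookieWarning is absent, and a frontend hook that lets an extension react during the page view in which consent is given), not code from CookieWarning or MediaWiki: `mwHook()` is a stand-in for MediaWiki's `mw.hook` so the file runs outside a wiki, and the hook name `cookiewarning.consent`, the cookie format and the `integrateAnalytics` extension are assumptions.

```javascript
// Added example, not CookieWarning's or MediaWiki's own code. Three categories,
// a consent check for later page loads, and a hook fired when consent changes.
const CATEGORIES = ['functional', 'tracking', 'advertising'];

// Parse the assumed consent cookie value, e.g. "tracking,advertising".
// "functional" can never be deactivated; unknown names are ignored.
function parseConsent(cookieValue) {
  const given = new Set(['functional']);
  String(cookieValue || '').split(',').forEach(function (c) {
    c = c.trim();
    if (CATEGORIES.indexOf(c) !== -1) given.add(c);
  });
  return given;
}

// Check an integrating extension makes before shipping a script. consentAvailable
// === false models "CookieWarning not installed": fall back to normal operation.
function mayLoad(category, consentAvailable, cookieValue) {
  if (!consentAvailable) return true;
  return parseConsent(cookieValue).has(category);
}

// Minimal mw.hook stand-in (assumption). A subscriber added after a fire still
// receives the last data, so a script can load in the page view where consent was given.
const registry = {};
function mwHook(name) {
  const h = registry[name] || (registry[name] = { fns: [], last: null, fired: false });
  return {
    add: function (fn) { h.fns.push(fn); if (h.fired) fn(h.last); return this; },
    fire: function (data) {
      h.last = data; h.fired = true;
      h.fns.forEach(function (fn) { fn(data); });
      return this;
    }
  };
}

// Hypothetical analytics extension: load its tracker only on 'tracking' consent.
// Returns the array it appends to, so the effect is observable.
function integrateAnalytics(hookName) {
  const loaded = [];
  mwHook(hookName).add(function (consent) {
    if (consent.has('tracking') && loaded.indexOf('tracking') === -1) {
      loaded.push('tracking'); // here the real extension would inject gtag.js
    }
  });
  return loaded;
}
```

Withdrawing consent later does not unload a script already shipped in this page view, which is why the backend check still decides what goes out on the next page load.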