[Craft 4] Error when accepting cookies on iOS devices #116

Open
ebarbe-globalia opened this issue Dec 18, 2024 · 16 comments
@ebarbe-globalia

Problem:
When clicking on Accept All on iOS devices, the page is redirected to the action url for cookie consent, and just the string true is displayed. The form seems to be submitted onto the same page instead of using an ajax request.

Steps to reproduce:

  • Add the hook {% hook 'after-body-start' %} to your template.
  • Activate Load plugin default JS assets. on plugin configuration.
  • Open the page on an iOS device
  • Click on Accept All
    Page displays a true string instead of the current template.

Version details:

  • Craft 4.12.0
  • GDPR Cookie Consent 4.0.4
@JulieVelghe

JulieVelghe commented Jan 8, 2025

@jellingsen some more info on this one, since it happens on desktop as well.
The display true only seems to happen once, the first time I open a (sub)site after the cookie consent is activated in the backend.
When I put my cursor in the URL part of the browser and press enter (not ctrl+f5, that doesn't work), then the 'true' goes away and I'm back on the site.

I can then browse the site without constantly getting the popup, but when I do open the popup, and I try to save any setting, it doesn't seem to save anything. The page gets reloaded, I can see the consents in the admin, but when re-opening the popup, nothing is checked.
image

@jellingsen
Contributor

Thank you for the additional information, @JulieVelghe. I'll try to reproduce now, and see what I can find.

@jellingsen self-assigned this Jan 8, 2025
@jellingsen added the "investigating" label (Issue is currently being investigated) Jan 8, 2025
@jellingsen
Contributor

@JulieVelghe

> I can then browse the site without constantly getting the popup, but when I do open the popup, and I try to save any setting, it doesn't seem to save anything. The page gets reloaded, I can see the consents in the admin, but when re-opening the popup, nothing is checked.

Do you get a CORS-error in the network tab in developer tools when this happens?

@JulieVelghe

@jellingsen I did get one, but I've adjusted my htaccess file and no longer get that CORS error, but the cookie issue remains.

My htaccess is like this:

```apache
<IfModule mod_headers.c>
    # Reflect the request's Origin only when it matches one of the listed hosts
    SetEnvIf Origin "http(s)?://(www\.|preview\.|staging\.|local\.)?(busleydenatheneum.be|babotaniek.be|bacaputsteen.be|badebeemden.be|bahbo5.be|banekkerspoel.be|bapitzemburg.be|bastassart.be|bazandpoort.be|baverpleegkunde.be)$" AccessControlAllowOrigin=$0
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true
    # Browsers treat "*" here as a literal header name on credentialed requests
    Header set Access-Control-Allow-Headers *
    Header merge Vary Origin
</IfModule>

<IfModule mod_headers.c>
    Header always set Permissions-Policy: interest-cohort=()
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect www to non-www
    RewriteCond %{HTTP_HOST} ^www\.(busleydenatheneum.be|babotaniek.be|bacaputsteen.be|badebeemden.be|bahbo5.be|banekkerspoel.be|bapitzemburg.be|bastassart.be|bazandpoort.be|baverpleegkunde.be)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    # Redirect bahbo5.be to baverpleegkunde.be
    RewriteCond %{HTTP_HOST} ^bahbo5\.be$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.bahbo5\.be$
    RewriteRule ^(.*)$ https://baverpleegkunde.be/$1 [L,R=301]

    # Redirect staging bahbo5.be to baverpleegkunde.be
    RewriteCond %{HTTP_HOST} ^staging\.bahbo5\.be$
    RewriteRule ^(.*)$ https://staging.baverpleegkunde.be/$1 [L,R=301]

    # Send would-be 404 requests to Craft
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !^/(favicon\.ico|apple-touch-icon.*\.png)$ [NC]
    RewriteRule (.+) index.php?p=$1 [QSA,L]
</IfModule>
```

I did notice, when I change my cookie preferences on the main site, and then go to another page and check them again, the changes remain. So apart from that 'true'-bug, the cookie preferences seem to be saved on the main site.

@jellingsen
Contributor

@JulieVelghe is this a localhost-issue, or do you experience it on production as well? The only way I'm able to reproduce what you are explaining is when the site is opened with http and posts to https and thus gets a CORS-error.

@ebarbe-globalia I'm unfortunately unable to reproduce locally on my iPhone 14 with ddev over the local network. Could you point me to the site that you experience this so I can have a look at it directly?

@JulieVelghe

Hi @jellingsen, I'm having the issue on local and on the staging and production as well.
On production I have the constant popup, on local and staging I have the 'true'-bug, as I've added the new hook on those environments.
Here is the staging link for the main site : https://staging.busleydenatheneum.be/
and for a subsite: https://staging.banekkerspoel.be/
both have https.

@JulieVelghe

Hi @jellingsen,
I've been messing around my staging environment some more. I tried to invalidate the consents, which I would think means a reset of sorts?
On the main site, the cookies are being saved perfectly, no strange things there. On the subsite however, I'm getting the constant popup again. You can see it in action on the staging URLs I put above.

So that's a setup with craft 4.13.9 and cookie consent 4.0.4, and the extra after-body-start hook and Header set Access-Control-Allow-Headers * and https.

I've just looked at my production, setup there is also https, craft 4.13.9, cookie consent 4.0.4, but there I don't have the body start hook, headers in htaccess aren't adjusted and I haven't yet invalidated the consents there.
Issues seem the same as on the staging. Main site seems to save the cookies, subsites get constant popups.

I think the 'true'-bug only happens the one time when you freshly activate the cookie consent for a site.

@jellingsen
Contributor

Hi @JulieVelghe
Thank you for the debugging information. It looks like the subsite is not passing the CraftSessionId cookie with the ajax endpoint - can you confirm that you observe the same behavior?

@JulieVelghe

@jellingsen for some more comparisons, we have another site, [https://ilvo.vlaanderen.be/](https://ilvo.vlaanderen.be/en), where we also have the cookie consent 4.0.4, but an older craft (4.12.8), there everything still works fine.

@JulieVelghe

@jellingsen how can I check that behaviour?

when I look in the cookies, I can see the CraftSessionId cookie for the subsite:
image

Where do I check the ajax endpoint exactly?

@jellingsen
Contributor

Yeah, the cookie is set, but it's not passed with the request headers it seems.
Screenshot 2025-01-09 at 12 12 57
Screenshot 2025-01-09 at 12 12 28

@JulieVelghe

@jellingsen, I can confirm the behaviour. Below some screenshots:

request cookies from main site:
image

Subsite doesn't seem to have any request cookies at all:
image

Headers on the main site:
image

headers on the subsite (indeed missing the craft session id):
image

@jellingsen
Contributor

Yeah, of course it's not sending the cookies - it's sending the request to another domain, the main site. It must send it to the subsite.
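
The diagnosis in the comment above, modelled as an added example that is not part of the thread or of the plugin's code. It assumes a host-only `CraftSessionId` cookie with `SameSite=Lax`; `ENDPOINT` is a placeholder path, and the function and option names are hypothetical.

```javascript
// Added illustration; not the plugin's code. ENDPOINT is a placeholder path.
const ENDPOINT = '/consent-endpoint-placeholder';

// Scheme + last two host labels (schemeful same-site). Good enough for the .be
// hosts in this thread; production code should consult the Public Suffix List.
function siteOf(u) {
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Model which cookies a fetch()/XHR POST from pageUrl to actionUrl can carry.
// sessionSameSite is the SameSite attribute assumed for the session cookie.
function diagnoseConsentPost(pageUrl, actionUrl, opts = {}) {
  const { credentials = 'same-origin', sessionSameSite = 'Lax' } = opts;
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, page); // relative actions resolve to the page's origin
  const sameOrigin = page.origin === target.origin;
  const sameSite = siteOf(page) === siteOf(target);

  // fetch() attaches cookies cross-origin only with credentials: 'include'.
  const credentialsAttached = sameOrigin
    ? credentials !== 'omit'
    : credentials === 'include';
  // Cross-site subrequests only carry cookies marked SameSite=None.
  const passesSameSite = sameSite || sessionSameSite === 'None';
  // The browser picks cookies by the *target* host, so the session cookie that
  // the page's host set can only travel when the request goes back to that host.
  const pageSessionCookieSent =
    page.hostname === target.hostname && credentialsAttached && passesSameSite;

  return {
    targetHost: target.hostname,
    sameOrigin,
    sameSite,
    needsCors: !sameOrigin,
    pageSessionCookieSent,
  };
}

// Constructed cases using the staging hosts named in the thread.
const SUBSITE = 'https://staging.banekkerspoel.be/';
const MAIN = 'https://staging.busleydenatheneum.be';
const crossDomain = diagnoseConsentPost(SUBSITE, MAIN + ENDPOINT, { credentials: 'include' });
const relative = diagnoseConsentPost(SUBSITE, ENDPOINT);
console.log({ crossDomain, relative });
```

Even with `credentials: 'include'` and permissive CORS headers, the cross-domain case never carries the subsite's session cookie; only an action URL that resolves to the subsite's own host does.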

@JulieVelghe

@jellingsen this is not something that we can fix, but has to be fixed by you then?

@ebarbe-globalia
Author

> @ebarbe-globalia I'm unfortunately unable to reproduce locally on my iPhone 14 with ddev over the local network. Could you point me to the site that you experience this so I can have a look at it directly?

@jellingsen We are experiencing this issue with https://www.jsheld.com/

@JulieVelghe

Hello @jellingsen, any news on a possible fix for this issue?
