Dear Sirs and Madams,
We have encountered a problem with CookieBot when running on security-hardened websites.
To secure our website against Cross Site Scripting attacks, we defined commonly used "Content Security Policy" headers. This helps to control, e.g., which scripts can be loaded from which locations and, in this case, to prevent the danger of scripts loading further scripts afterwards (uncontrolled by us) on their own.
CookieBot is NOT able to run with this security setup.
This prevents other scripts that rely on cookies from working (e.g. tracking code).
I guess we are not the only company that wants to take care of the content and scripts we deliver and to prevent danger to us and to our website visitors.
Can you please provide a statement on whether you are planning to update your product or whether you require your customers to open their websites to hacking issues?
=== Details ===
More technical details follow.
Please take a look at https://www.akquinet.de
If you open it with cleared cookies, the popup appears. Choosing "use necessary cookies only" works. The option "Allow all cookies" results in a failure (see browser developer tools):
uc.js:1 Refused to load the script 'https://consentcdn.cookiebot.com/consentconfig/....state.js' because it violates the following Content Security Policy directive: script-src www.google-analytics.com https://cdn.jsdelivr.net https://consent.cookiebot.com 'self'
It appears to be on inserting a new script source:
An issue on the same topic with an "eval()" statement in CookieBot code seems to have disappeared over the last weeks :)
If you need further information, please let me know.
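Why the browser reports the violation quoted in the post above, as an added example (not part of the original post, and not Cookiebot or akquinet code): a simplified model of CSP host-source matching applied to the policy from the console error. The function names, the `uc.js` loader URL and the `EXAMPLE` path segment are assumptions made for illustration; the post elides the real path.

```javascript
// Simplified CSP script-src matching: scheme + host only. Ports, paths, nonces,
// hashes, "*" and scheme-only sources, and the default-src fallback are not modelled.
function parseScriptSrc(policy) {
  const directive = policy.split(';').map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('script-src '));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  // "*.example.com" matches subdomains only, never the bare domain.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host; // exact match: sibling hosts are NOT implied
}

function sourceAllows(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // other keywords: out of scope here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  const urlScheme = url.protocol.slice(0, -1);
  // A scheme-less source takes the page's scheme; an http source also matches https.
  const wanted = (scheme || page.protocol.slice(0, -1)).toLowerCase();
  const schemeOk = wanted === urlScheme || (wanted === 'http' && urlScheme === 'https');
  return schemeOk && hostMatches(hostPattern, url.hostname);
}

function scriptAllowed(policy, scriptUrl, pageUrl) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true; // no script-src: this check does not restrict
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  return sources.some(s => sourceAllows(s, url, page));
}

// Policy copied from the console error in the post.
const POLICY = "script-src www.google-analytics.com https://cdn.jsdelivr.net " +
               "https://consent.cookiebot.com 'self'";
const PAGE = 'https://www.akquinet.de/';
const LOADER = 'https://consent.cookiebot.com/uc.js'; // assumed loader location
// Constructed path; only the host matters for the match.
const BLOCKED = 'https://consentcdn.cookiebot.com/consentconfig/EXAMPLE/state.js';

console.log('loader allowed: ', scriptAllowed(POLICY, LOADER, PAGE));
console.log('state.js allowed:', scriptAllowed(POLICY, BLOCKED, PAGE));
console.log('after adding host:',
  scriptAllowed(POLICY + ' https://consentcdn.cookiebot.com', BLOCKED, PAGE));
```

The listed source `https://consent.cookiebot.com` does not cover the sibling host `consentcdn.cookiebot.com`, so the script the loader inserts is refused until that host is listed explicitly in `script-src`.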