Opt-out using the Matomo JavaScript Tracker code is triggert by page reload

AVA · October 10, 2022, 9:22am

After update matomo to 4.12.0 and replaced the legacy iframe opt-out with the new opt-out using the matomo javascript tracker code, the opt-out status is not saved or is exactly the opposite of the selected status after a page reload.

This matomo tracker js code is placed before </body>, but eaven in the <head>, the opt-out status is not saved correctly:

<script>
    var _paq = window._paq = window._paq || [];
    _paq.push(["disableCookies"]);
    _paq.push(['disableBrowserFeatureDetection']);
    _paq.push(['trackPageView']);
    _paq.push(['enableLinkTracking']);
    (function() {
        var u="https://stats.REMOVED.de/";
        _paq.push(['setTrackerUrl', u+'matomo.php']);
        _paq.push(['setSiteId', '1']);
        var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
        g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
    })();
</script>

opt-out code in the page content (TYPO3 CMS):

<div id="matomo-opt-out"></div>
<script src="https://stats.REMOVED.de/index.php?module=CoreAdminHome&action=optOutJS&divId=matomo-opt-out&language=auto&showIntro=1"></script>

Strangely enough, the cookie “mtm_consent_removed” is sometimes set when the page is opened, even though the opt-out form checkbox is checked. After a page reload, the opt-out form checkbox is not active and the cookie is gone. Shouldn’t it be the other way around? After another reload of the page, the opt-out form checkbox is set again and the cookie “mtm_consent_removed” is also there again. If the checkbox is deactivated by clicking on it, the cookie is set correctly. But if i reload the page, the cookie is gone. I suspect there are errors in the script that controls the new opt-out form.

Browser security/privacy settings default.

Matomo-Version: 4.12.0
MySQL-Version: 10.5.17-MariaDB-1:10.5.17+maria~deb10
PHP-Version: 8.1.11

AVA · October 10, 2022, 10:10am

Update: Without the matomo tracking code on the page, it works like expected. I now use the standalone/self-contained opt-out code and everything works.

heurteph-ei · October 10, 2022, 5:32pm

There has been changes on the opt-out:

github.com/matomo-org/matomo

Offer opt out without iframe / 3rd party cookies

opened 10:19PM - 12 Apr 21 UTC

closed 04:08AM - 09 Sep 22 UTC

tsteur

Critical c: Privacy

3rd party cookies work less and less and eventually won't be available anymore. …Kind of related post https://matomo.org/blog/2020/02/new-cookie-behaviour-in-browsers-may-cause-regressions/ For the opt in to work we therefore need a different way and set first party cookies. Matomo for WordPress already doesn't use the opt out iframe anymore and sets first party cookies. In On-Premise as part of https://github.com/matomo-org/matomo/issues/12767 we already added the support of `postMessages` to set first party cookies when possible. This however currently only works in some cases (eg when the tracking code is embedded on the same page and both opt out and tracking code use the same Matomo domain). In the future ideally we show a message in the opt out iframe when it won't work because eg there's no tracking code on the privacy policy page. We might even want to completely remove the third party cookie part (however we'd still need to detect it when it's set and not track to not break BC and to not suddenly start tracking users that oped out previously). Maybe we could even remove the domain check and opt users out in more cases even if there is a mismatch between the opt out iframe and the tracking domain on the privacy policy page. Or maybe we would need to offer a new way of embedding the opt out without any iframe. This would likely require loading another JS and some configuration to customise it and for Matomo to know where to place it (unless this is all stored in a JS file and the user can configure multiple different JS opt out files).

Is it linked to this change?

AVA · October 11, 2022, 9:13am

Probably, i am not sure. Before this change or before matomo 4.12.0 i used the legacy iframe opt-out with the “custom opt-out” plugin.

Another issue with new opt-out js code is, if you use no consent tool (because of disabled tracking cookies) and use the default standalone js code from the admin opt-out ui, the checkbox of the opt-out form is always uncheckt by default, because no consent cookie is found. This is wrong in my eyes/usecase, because matomo tracking does not need consent by default. I have added an if statement to the function hasConsent to check if both cookies are missing and then return true.

utrautma · October 19, 2022, 1:10pm

I see that as a bug too. I created an issue. New Opt-out solution: checkbox is OFF per default even though I’m being tracked · Issue #19888 · matomo-org/matomo (github.com)