Why would __tcfapi not be defined on CONSENT_DATA_READY? - cookies

I have this code for many years, implementing TCFv2 cookie consent with Google Funding Choices.
window.googlefc.callbackQueue.push({
'CONSENT_DATA_READY': function () {
/* __tcfapi is undefined!! */
return __tcfapi('addEventListener', 2, function (tcData, success) {
if (success
&& tcData.gdprApplies
&& (tcData.eventStatus === 'tcloaded' || tcData.eventStatus === 'useractioncomplete')
&& tcData.purpose.consents[1]) {
...
}
});
}
});
It works 99.99% of the time, it has appeared so.
However, today, one of my Chrome profiles seem to have got "broken", in that whenever this CONSENT_DATA_READY event is triggered, __tcfapi is not defined.
I tried a number of things, like making sure all extensions are disabled, close Chrome and re-open it, clear just my domain's cookies, etc, but nothing worked. All other Chrome profiles were working well all the time.
I compared the "Sources" tab in DevTools between two Chrome profiles (on the same webpage), and the one working well had a few more scripts loaded and iframes loaded (TCF-specific iframes).
Only when I cleared all the cookies (including the "google.com" scoped cookies), this issue got fixed.
--
I've just released a temporary piece of code, that checks if __tcfapi is undefined in that spot and reports that to the server (this user data will be fully erased as soon as this test is complete), and I see that a small subset of my users is having this issue right now.
EDIT 18 Dec - 181 distinct European users reported so far.
--
I'm not able to find any solution by doing some research. I found someone on Reddit (in the comments) having the same issue as me, and they "resolved" by just removing the event. Other places that report issues with __tcfapi seem to be a slightly different error, like __tcfapi is not a function, which is not the issue I'm having.
--
This looks like it's a bug from Google Funding Choices, but does anyone have any idea how to "auto-fix" this or what can I do so that these users will stop getting this error and proceed as expected?

NB: This is a complete re-edit to reflect the discussion with the questioner.
Some thoughts.
On Error 2.1a
I first suspected that your problem may correspond to Error 2.1a, which is also indicated by the discussion in the GFC community thread you pointed at. The suggested official solution would be to check whether getTCData returns TCData.eventStatus = 'tcloaded' first.
That may work in other cases, however you pointed out -- and added corresponding code -- that you already check on tcloaded but the problem of an undefined __tcfapi seems to occur even before that flag is even created.
Another look on the problem's origin
The GFC community thread of 2020, the TCFv2 standardization history
and the circumstance that the thread has been closed indicate that the problem mainly existed before the final implementation of TFCv2 in Google Funding Choices. That corresponds to the fact that the described behavior infringes the TCFv2 Specification in the following:
Every consent manager MUST provide the following API function: __tcfapi(command, version, callback, parameter). The function __tcfapi must always be a function and cannot be any other type, even if only temporarily on initialization – the API must be able to handle calls at all times.
However, it's not unreasonable that there are still some older implementations out there in the wild which may cause this problem at some clients.
Interestingly enough, you observed that on your side one of your Chrome profiles got "broken" in the described way and only the clearing of all cookies, incl. the "google.com" scoped ones, fixed the issue.
And now?
At first it would be interesting to check for
the tcfPolicyVersion used by the problematic clients, and
differences between the temporarily "broken" Chrome profile and the other, working ones.
It also can't hurt to take a look on the official site on Publisher integration with the IAB TCF v2.0 in case some useful gem is hidden which we currently overlook.
On the other hand it could well be that this -- probably rare -- problem will resolve by itself over time when
all clients have been updated and support the final implementation of TCFv2, and/or
your affected users either someday delete all their Google domained cookies themselves or those time out, and fresh cookies get introduced.
It seems reasonable to assume, that your current patch -- to check whether __tcfapi is undefined -- may be indeed a (fairish) suitable fix, at least for now.

Related

Presentation Details are shared across versions

I've been wondering if anybody knows why the Presentation Details (stored in the Renderings field) are shared across all languages and versions by default?
I had confirmed this was the intended behaviour of 'shared' field with these links:
This SO post:
In Sitecore, when adding a field to a template, there's a checkbox called "shared". What's it for?
And this SDN resource:
http://sdn.sitecore.net/sdn5/reference/sitecore%205,-d-,3/field%20reference/field%20properties/data%20properties.aspx
The situation
As an author, I have created a new page and pushed it through workflow approval. Everything is great, and the page is published. The next day, I want to make some changes so I open up Page Editor, a new version is created, and I start adding and removing components on the page.
The problem
As soon as I hit save, the approved and published version of my page is also affected. The history of my previous layout is gone. As soon as a Site Publish is executed by somebody (or a scheduled PublishAgent executes) my page in the Web database will be updated.
Sure, the datasource of my new components that I added may not be published yet, but what if I added an existing datasource that was already approved? My removals also are immediate.
The desired goal
I'd like to be able to version these changes, and changing the field to no longer be shared seems like the right way to go. In my case, with a unilingual site, this won't impact the multilingual aspect of it.
Does anybody know why this field is shared across versions? If I unshare it, am I completely breaking the upgrade path?
I've just been "having a chat" with Sitecore support on this very issue. The concensus seems to be - paraphrasing what they said a bit - "We think it'll be fine if you change it. You should test it thoroughly, rendering deltas, page editor Work and so on".
I can add a few comments of my own; unchecking "shared" on __renderings, does appear to Work. At least at the initial glance. I've heard about this being done in solutions before and I've never heard any ill effects come from it.
And yet; whenever you mention it; you get a LOT of nervous responses and comments like "you really shouldn't be messing with Sitecore standard setup". And while a valid point indeed, I'd like to add a point of my own to this debate:
Given that, from an API perspective, there is very few things that are different when reading a field value from a "shared" field as opposed to a versioned one - I also believe there are very few potential cases where "unsharing" it would pose a problem.
Or in other words - I consider it low risk. But I've never had a real life solution running in a live environment either, with this setting changed :-)
I'm sorry, but I don't have a direct answer to your question - WHY Sitecore set it up like this, I belive to be part of Sitecore's heritage: The idea that multiple language versions of a site should be just "layered" versions of the exact same pages and therefore presentation details might as well be shared - presumably for some performance gain. I am not entirely convinced this vision still quite holds today - where editors daily "page edit up" new components on new versions, and set up special sale banners and related content weeks in advance.
I completely agree with and am thankful for the Mark Cassidy March 3 2014 answer to this. Since then, in Sitecore 8.0 they added "Versioned Layouts".
See:
https://dev.sitecore.net/en/Downloads/Sitecore%20Experience%20Platform/8%200/Sitecore%20Experience%20Platform%208%200/Release%20Notes "Versioned layouts – a different presentation set on different versions of different languages for the same item".
nice post: http://jockstothecore.com/sitecore-8-versioned-layouts-mixed-feelings/
This is the default behavior of sitecore as you mentioned in the post. Its not always good practice to change that. This topic has been dicussed earlier which might help you
Setting __Renderings field not shared in Sitecore consequences?
Here is a blog post about considerations for doing this:
Unsharing the Layout field in Sitecore - a multi-language strategy
That said, I've worked on a project where our client went in and did this themselves. It caused problems. As I recall, they unshared the __renderings field and all prior versions lost their presentation settings. Also, other languages other than the selected one also lost their settings. We had to do a DB restore and get things back and told them never to do that again. If you are considering this, read the blog post about, and do some isolated dry runs as it may expose issues you weren't aware of (e.g. impacting other languages, old versions, etc.).

Workaround for - graph api bug

Can anyone provide a workaround for this bug
Our app is managing a lot pages with many posts, but since 5 days ago we've had huge problems with that bug.
90% of our posts gain the above described error, 10% are working well.
After many hours of testing we know it's something about the "link" parameter.
Without it, we can post without any errors.
We tried to only post our images without the link parameter but after a hour of posting correctly we got a new error.
(#368) The action attempted has been deemed abusive or is otherwise disallowed. Interesting that posting an image without a link parameter is abusive.
We tried to regenerate all user_tokens and page_tokens but no success, the error still exists.
We tried to pause the service for 24 hours and start it again, no effect.
Does anyone have an idea or a workaround for this bug?
It doesn't seem that it was patched on Tuesday. Because of that we need a solution, we can't hold the service down for one more week.
the workaround from "thefreeman" works for me also:
add more admin(s) to the pages
generate tokens for the new admin
juggle the tokens to stay below limit
Limit per account (for me) seems to be about 150 posts per day.
Limit seems to reset at a certain point in time. Midnight at facebook?
(i am managing 60 Pages and posting roughly 200 updates per day.)
certainly not a nice solution, but the bugs in the fb-bugtracker don't seem to get too much attention :(
sometimes i get a new error: "OAuthException (#1500) The url you supplied is invalid".
Trying again later with the same data works though...

Coldfusion 10: Method is not found in component

Since we installed ColdFusion 10, we have received several error messages such as
"Method ifspDueDt is not found in component [fullpath]\incTabCnt.cfc."
We are trying to call a method named ifspDueDt. It is called in one place in our entire application and when it's called, it's called from ifsp.cfc. We use engine.js for our AJAX, so the call looks like this:
http('POST','../Components/ifsp.cfc?method=ifspDueDt', IFSPDueDtResp, param);
We are completely baffled by the fact that for some reason and only on some occasions (certainly not all the time), ColdFusion is looking for ifspDueDt in incTabCnt.cfc instead of ifsp.cfc. There is no other place where this method is called. What could be causing this?
We probably get 1-2 of these errors per week, whereas we have several hundred users accessing the system.
It looks like ColdFusion 10 update 3 solves this problem, at least for the code I'm working on. Having said that, I don't yet recommend upgrading, due to a series of other issues with update 3. See the comments on the CF blog post announcing update 3. Note that at least two other people have posted in that comment thread that they are still experiencing the "wrong page displayed" problem, which seems like it's closely related to the "wrong component" problem we're discussing in this question.
We were fortunate that we don't use CF scheduled tasks, and we did not hit any of the startup errors or other problems in our testing environment, although one of my teammates did hit a number of problems which corrupted his dev environment.
I really hope Adobe moves quickly with update 4 (or a replacement for update 3).

ColdFusion occasionally returns just a hash symbol (#)

We have one page that for just one user is occasionally returning nothing but a hash symbol (#). This page works perfectly fine for other users all of the time, and perfectly fine for this user much of the time. We cannot reproduce the problem internally. Unfortunately, this problem is sporadic and occurs within a modal dialog, so we cannot really test outside the modal dialog and we cannot get the html source when it does occur.
I recall running into a similar problem once before. Some random page was returning just a pound sign. Being able to see what was actually going on since it wasn't in a modal dialog, and having it occur in a dev environment, I resolved it pretty quickly then. But it was a while ago and I can't recall any details of the incident. Has anyone else ever seen CF do this before? Any thoughts on what might cause it?
I would be sure that you are not caching the ajax pages, also there could be an extra hash somewhere like on a color ##ffffff for example and certain browser standards are allowing it while it crashed and shows # in others, I would also check your markup for any extra tags, especially closing ones. I have seen this with dialog before. I would love to see code on this if you have it.

How to encourage non-anonymous editing on MediaWiki?

Problem
At work we have a department wiki (running Mediawiki). Unfortunately several
persons edit without logging in, and that makes it very difficult to track
down editors to ask questions about the content.
There are two strategies to improve this
encourage logged in editing
discourage anonymous editing.
Encouraging
For this part, any tips are welcome. But of course there is always risks involved
in rewarding behaviours.
Discourage
I know that this must be kept low or else it will discourage any editing.
But something just slightly annoying would be nice to have.
[update]
I know it is possible to just disallow anonymous editing, but that will put a high barrier to any first time contribution (especially for people outside our department!), so I do not think that is an option.
[/update]
[update2]
Using LDAP or Active Directory does not solve the problem since the wiki is also accessible and used by external contractors.
[/update2]
[update3]
I am no longer working for this company. That does not mean that I completely have lost interest in this question, but from my current interest point the most valuable part is the "Did you forget to log in?" part below, and I will accept answers based on this part of the question.
[/update3]
Confirmation
One thought was to have an additional confirmation step for anonymous users -
"Are you really sure you want to submit this anonymously?", although with
such a question there is a risk that people will give up or resist editing. However,
if that question is re-phrased in a more diplomatic way as "Did you forget
to log in?" I think it will appear as much more acceptable. And besides that
will also capture those situations where the author did in fact forget to
log in, but actually would want to have his/her contributions credited
his/her user. This last point is by itself a good enough reason for wanting it.
Is this possible?
Delay
Another thought for something to be slightly annoying is to add an extra
forced delay after "save page" displaying something like "If you had logged
in you would not have to wait x seconds". Selecting a right x is difficult
because if it is to high it will be a barrier and if it too low might not
make any difference. But then I started thinking, what about starting at
zero and then add one second delay for each anonymous edit by a given IP
address in a given time frame? That way there will be no barrier for
starting to use the wiki, and by the time the delay is getting significant
the user has already contributed a lot so I think the outcome is much
more likely to be that the editor eventually creates a user rather than
giving up. This assumes IP addresses are rather static, but that is very
typically is the case in a business network.
Is this possible?
You can Turn off Anonymous Editing in Mediawiki like so:
Edit LocalSettings.php and add the following setting:
$wgDisableAnonEdit = true;
Edit includes/SkinTemplate.php, find $fname-edit and change the code to look like this (i.e., basically wrap the following code between the wfProfileIn() and wfProfileOut() functions):
wfProfileIn( "$fname-edit" );
global $wgDisableAnonEdit;
if ( $wgUser->mId || !$wgDisableAnonEdit) {
// Leave this as is
}
wfProfileOut( "$fname-edit" );
Next, you may want to disable the [Edit] links on sections. To do this, open includes/Skin.php and search for editsection. You will see something like:
if (!$wgUser->getOption( 'editsection' ) ) {
Change that to:
global $wgDisableAnonEdit;
if (!$wgUser->getOption( 'editsection' ) || !$wgDisableAnonEdit ) {
Section editing is now blocked for anonymous users.
Forbid anonymous editing and let people log in using their domain logins (LDAP). Often the threshold is the registering of a new user and making up username and password and such.
I think you should discourage anonymous edits by forbidding them - it's an internal wiki, after all.
The flipside is you must make the login process as easy as possible. Hopefully you can configure the login cookie to have a decent length (like 1 month) so they only need to login once per month.
Play to the people's egos, and add a rep system kind of like here. Just make a widget for the home page that shows the number of edits made by the top 5 users or something. Give the top 1 or 2 users a MVP reward at regular (monthly?) intervals.
Well, I doubt that this solution will be valuable for hlovdal, given that this question is now two months old, but maybe somebody else will find it useful:
The optimum solution to this problem is to enable automatic logins. This requires two steps. First, you need to add automatic authentication to your web service. Right now, we're using Apache with the Debian usn-libapache2-authenntlm-perl package on our internal application server*. (Our network is Active Directory and, obviously, the server runs on Debian Linux.) Second, you need a MediaWiki extension that makes MediaWiki aware of the web service's authentication. I've used the Automatic REMOTE_USER Authentication module successfully on an Apache web server that was tied into our network via an NTLM authentication module, but I do recall that it required a bit of massaging the code to make it work:
I had to follow the "horrid hacks" given on the extension's page, changing the setPassword() and addUser() functions to always return true instead of always returning false.
Since Active Directory is case-insensitive and MediaWiki isn't, I replaced both instances of the statement $username = $_SERVER['REMOTE_USER'] with $username = getCanonicalName($_SERVER['REMOTE_USER']).
Since I wanted to only allow certain people within the company to use our wiki, I set autoCreate() to always return false. It doesn't sound as if you need to worry about this, so you should leave autoCreate() at always returning true, which means that anybody on your company network will be able to access the wiki.
The nifty thing about this solution is that nobody has to log in into the wiki, ever; they simply go to a wiki page and they are logged in under their network ID.
* We just switched to this from a Red Hat server that was using mod_ntlm. Unfortunately, mod_ntlm hasn't been updated in a while and it's been starting to sporadically fail. I mention this because I've started to stumble on a performance issue with our current MediaWiki configuration that may require further code massaging....
Make sure users don't get logged out if they look away from the screen or sneeze or scratch their head. You want long, persistent, sessions. Once logged in, stay logged in.
That's the problem with the MediaWiki our company is using internally - you log in, do stuff, then come back later and it logged you out, but the notification of not being logged in anymore is so insignificant on the screen that the user never notices.
If this runs within an internal network, you could pull Active Directory information so that no one has to log in, ever. That's how I do it at work. That is, if they are logged into their windows machine, then my webapps can pick up their username and associate that (or their userid) with their edits.
I don't know if this would be easy to add to MediaWiki, though.
I'd recommend checking out wikipatterns.org - a great site about the social aspects of wikis
Explicitly using some form of directory service (LDAP) would probably be a good idea, so that your users are always fully identified. On the other hand, wikis are subject to their own dynamics, in fact some wikis are so successful because they can be anonymously edited, so that's another thing to keep in mind.
Apart from that, personally I'd try to create some sort of incentive for users to contribute openly and identifiable: this could be based on a point/score system so that there are stats shown for all users who have contributed to the wiki each day, this could possibly even create some sort of competition.
Likewise, the wiki could by default not show any anonymously contributed contents without them being reviewed first, which would be another incentive for users to contribute openly.
SO has an extremely low barrier for posting. You could allow people to specify their name when making an edit. When they are ready, they can finally log in to avoid having to type their name all the time.
You said this is in a departmental situation. Can't you add a feature to the wiki where it makes an educated guess as to who is editing based on the IP address, and annotates the edit accordingly?
I agree absolutely with everyone who recommends carefully researching the effects of anonymity in your application before you start "forbidding" it. In a great many cases people prefer anonymous editing because they DO NOT WANT TO BE ASKED ABOUT IT, IDENTIFIED WITH IT, OR SUFFER SOME PROBLEM FOR POINTING IT OUT. You need to be VERY sure these factors are not driving users to prefer anonymous edits, and frankly you should continue to allow anonymized edits with a generic credential login like "anonymous_employee" or "anonymous_contractor", in case someone wants to point out an issue without becoming identified with it.
Re the "thought... to have an additional confirmation step for anonymous users- "Are you really sure you want to submit this anonymously?", it's a good idea, but do not "re-phrase" in a way that suggests it is wrong to not be logged in as yourself, i.e. don't say "Did you forget to log in?" I'd instead note it this way:
"Your edit will appear as an IP number - it may be attributed to 'anonymous_employee' or 'anonymous_contractor' or 'anonymous_contributor' for your privacy protection. You will not be notified of any answer or response to it. If you prefer to have this contribution credited, then [log in right now]."
That leaves it absolutely clear what will happen, doesn't pressure anyone to do it either way, and does not bias what is being contributed with some "rewards".
You can also, alternately, force a login via LDAP / cookies, and then ask them if they prefer this edit to be anonymous. That is the approach taken on some blog platforms. In an intranet the abuse potential for this is basically zero, so you would presumably only have situations where someone didn't want 'how they knew' or 'why they raised this' to be the question rather than the data itself... IBM has shown in some careful research that anonymized feedback is very much more useful than attributed in correcting groupthink & management blind sides.