Add Permissions-Policy header to respect user privacy

Author: core23

README.md

@@ -38,7 +38,7 @@ return [
 ### Block cookies
 
 By default all cookies are kept, also the cookie consent was not set.
-To block all (symfony) cookies, you can set the following config.
+To block all domain cookies, you can set the following config.
 
 ```yaml
 # config/packages/nucleos_gdpr.yaml
@@ -59,6 +59,20 @@ nucleos_gdpr:
           - ADMIN_.*
 ```
 
+
+### Google FLoC (Federated Learning of Cohorts)
+
+By default a `Permissions-Policy` header is added to every response to respect user privacy. You can enable Google FLoC tracking via the following configuration:
+
+```yaml
+# config/packages/nucleos_gdpr.yaml
+
+nucleos_gdpr:
+    privacy:
+        google_floc: true
+```
+
+
 ### Assets
 
 It is recommended to use [webpack](https://webpack.js.org/) / [webpack-encore](https://github.com/symfony/webpack-encore)

src/DependencyInjection/Configuration.php

@@ -19,12 +19,13 @@
 
 final class Configuration implements ConfigurationInterface
 {
-    public function getConfigTreeBuilder()
+    public function getConfigTreeBuilder(): TreeBuilder
     {
         $treeBuilder = new TreeBuilder('nucleos_gdpr');
 
         $rootNode = $treeBuilder->getRootNode();
         $rootNode->append($this->getBlockCookiesNode());
+        $rootNode->append($this->getPrivacyNode());
 
         return $treeBuilder;
     }
@@ -44,4 +45,18 @@ private function getBlockCookiesNode(): NodeDefinition
 
         return $node;
     }
+
+    private function getPrivacyNode(): NodeDefinition
+    {
+        $node = (new TreeBuilder('privacy'))->getRootNode();
+
+        $node
+            ->addDefaultsIfNotSet()
+            ->children()
+                ->booleanNode('google_floc')->defaultFalse()->end()
+            ->end()
+        ;
+
+        return $node;
+    }
 }

src/DependencyInjection/NucleosGDPRExtension.php

@@ -31,13 +31,11 @@ public function load(array $configs, ContainerBuilder $container): void
 
         $loader = new Loader\PhpFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
         $loader->load('block.php');
+        $loader->load('listener.php');
 
-        if (isset($config['block_cookies'])) {
-            $loader->load('listener.php');
-
-            $container->getDefinition(KernelEventSubscriber::class)
-                ->replaceArgument(0, $config['block_cookies']['keep'])
-            ;
-        }
+        $container->getDefinition(KernelEventSubscriber::class)
+            ->replaceArgument(0, isset($config['block_cookies']) ? $config['block_cookies']['keep'] : null)
+            ->replaceArgument(1, $config['privacy']['google_floc'])
+        ;
     }
 }

src/EventListener/KernelEventSubscriber.php

@@ -20,27 +20,43 @@
 final class KernelEventSubscriber implements EventSubscriberInterface
 {
     /**
-     * @var string[]
+     * @var string[]|null
      */
     private $whitelist;
 
+    /**
+     * @var bool
+     */
+    private $googleFLOC;
+
     /**
      * @param string[] $whitelist
      */
-    public function __construct(array $whitelist = [])
+    public function __construct(?array $whitelist = [], bool $googleFLOC = false)
     {
-        $this->whitelist = $whitelist;
+        $this->whitelist  = $whitelist;
+        $this->googleFLOC = $googleFLOC;
     }
 
     public static function getSubscribedEvents(): array
     {
         return [
-            KernelEvents::RESPONSE => 'cleanCookies',
+            KernelEvents::RESPONSE => [
+                ['cleanCookies', 0],
+                ['addFLoCPolicy', 0],
+            ],
         ];
     }
 
+    /**
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
+     */
     public function cleanCookies(ResponseEvent $event): void
     {
+        if (null === $this->whitelist) {
+            return;
+        }
+
         $headers = $event->getResponse()->headers;
         $cookies = $headers->getCookies();
 
@@ -57,6 +73,16 @@ public function cleanCookies(ResponseEvent $event): void
         }
     }
 
+    public function addFLoCPolicy(ResponseEvent $event): void
+    {
+        if (true === $this->googleFLOC) {
+            return;
+        }
+
+        $response = $event->getResponse();
+        $response->headers->set('Permissions-Policy', 'interest-cohort=()');
+    }
+
     /**
      * @param Cookie[] $cookies
      */
@@ -71,8 +97,15 @@ private function hasCookieConsent(array $cookies): bool
         return false;
     }
 
+    /**
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
+     */
     private function isWhitelisted(Cookie $cookie): bool
     {
+        if (null === $this->whitelist) {
+            return true;
+        }
+
         foreach ($this->whitelist as $name) {
             if ($cookie->getName() === $name || 1 === preg_match('#'.$name.'#', $cookie->getName())) {
                 return true;

src/Resources/config/listener.php

@@ -19,7 +19,8 @@
         ->set(KernelEventSubscriber::class)
             ->tag('kernel.event_subscriber')
             ->args([
-                [],
+                null,
+                false,
             ])
 
     ;

tests/DependencyInjection/ConfigurationTest.php

@@ -24,6 +24,28 @@ public function testDefaultOptions(): void
         $config = $processor->processConfiguration(new Configuration(), []);
 
         $expected = [
+            'privacy' => [
+                'google_floc' => false,
+            ],
+        ];
+
+        static::assertSame($expected, $config);
+    }
+
+    public function testEnabledGoogleFLoC(): void
+    {
+        $processor = new Processor();
+
+        $config = $processor->processConfiguration(new Configuration(), [[
+            'privacy' => [
+                'google_floc' => true,
+            ],
+        ]]);
+
+        $expected = [
+            'privacy' => [
+                'google_floc' => true,
+            ],
         ];
 
         static::assertSame($expected, $config);
@@ -41,6 +63,9 @@ public function testBlockedCookieEnabled(): void
             'block_cookies' => [
                 'keep'      => ['PHPSESSID'],
             ],
+            'privacy' => [
+                'google_floc' => false,
+            ],
         ];
 
         static::assertSame($expected, $config);
@@ -60,6 +85,9 @@ public function testBlockedCookieOptions(): void
             'block_cookies' => [
                 'keep'      => ['SOMEKEY', 'OTHERKEY'],
             ],
+            'privacy' => [
+                'google_floc' => false,
+            ],
         ];
 
         static::assertSame($expected, $config);

tests/DependencyInjection/NucleosGDPRExtensionTest.php

@@ -24,7 +24,10 @@ public function testLoadDefault(): void
         $this->load();
 
         $this->assertContainerBuilderHasService('nucleos_gdpr.block.information');
-        $this->assertContainerBuilderNotHasService(KernelEventSubscriber::class);
+        $this->assertContainerBuilderHasService(KernelEventSubscriber::class);
+
+        $this->assertContainerBuilderHasServiceDefinitionWithArgument(KernelEventSubscriber::class, 0, null);
+        $this->assertContainerBuilderHasServiceDefinitionWithArgument(KernelEventSubscriber::class, 1, false);
     }
 
     public function testLoadWithCookieBlock(): void
@@ -33,13 +36,22 @@ public function testLoadWithCookieBlock(): void
             'block_cookies' => null,
         ]);
 
-        $this->assertContainerBuilderHasService(KernelEventSubscriber::class);
-
         $this->assertContainerBuilderHasServiceDefinitionWithArgument(KernelEventSubscriber::class, 0, [
             'PHPSESSID',
         ]);
     }
 
+    public function testLoadWithGoogleFLoC(): void
+    {
+        $this->load([
+            'privacy' => [
+                'google_floc' => true,
+            ],
+        ]);
+
+        $this->assertContainerBuilderHasServiceDefinitionWithArgument(KernelEventSubscriber::class, 1, true);
+    }
+
     protected function getContainerExtensions(): array
     {
         return [

tests/EventListener/KernelEventSubscriberTest.php

@@ -27,17 +27,29 @@ final class KernelEventSubscriberTest extends TestCase
     private const KEEP_REGEX          = 'ADMIN_.*';
     private const KEEP_REGED_EXAMPLE  = 'ADMIN_TEST';
 
-    /**
-     * @var KernelEventSubscriber
-     */
-    private $subscriber;
-
-    protected function setUp(): void
+    public function testCleanCookiesWithDisabledOption(): void
     {
-        $this->subscriber = new KernelEventSubscriber([
-            self::KEEP_COOKIE_NAME,
-            self::KEEP_REGEX,
-        ]);
+        $response = new Response();
+        $response->headers->setCookie(Cookie::create(self::SOME_COOKIE_NAME));
+        $response->headers->setCookie(Cookie::create(self::KEEP_COOKIE_NAME));
+        $response->headers->setCookie(Cookie::create(self::KEEP_REGED_EXAMPLE));
+        $response->headers->setCookie(Cookie::create(GDPRInformationBlockService::COOKIE_NAME));
+
+        $event = new ResponseEvent(
+            $this->createStub(HttpKernelInterface::class),
+            $this->createStub(Request::class),
+            0,
+            $response
+        );
+
+        $subscriber = new KernelEventSubscriber(null);
+        $subscriber->cleanCookies($event);
+
+        static::assertCount(4, $response->headers->getCookies());
+        $this->assertHasCookie(self::SOME_COOKIE_NAME, $response);
+        $this->assertHasCookie(self::KEEP_COOKIE_NAME, $response);
+        $this->assertHasCookie(self::KEEP_REGED_EXAMPLE, $response);
+        $this->assertHasCookie(GDPRInformationBlockService::COOKIE_NAME, $response);
     }
 
     public function testCleanCookiesWithConsent(): void
@@ -55,7 +67,11 @@ public function testCleanCookiesWithConsent(): void
             $response
         );
 
-        $this->subscriber->cleanCookies($event);
+        $subscriber = new KernelEventSubscriber([
+            self::KEEP_COOKIE_NAME,
+            self::KEEP_REGEX,
+        ]);
+        $subscriber->cleanCookies($event);
 
         static::assertCount(4, $response->headers->getCookies());
         $this->assertHasCookie(self::SOME_COOKIE_NAME, $response);
@@ -78,13 +94,52 @@ public function testCleanCookiesWithNoConsent(): void
             $response
         );
 
-        $this->subscriber->cleanCookies($event);
+        $subscriber = new KernelEventSubscriber([
+            self::KEEP_COOKIE_NAME,
+            self::KEEP_REGEX,
+        ]);
+        $subscriber->cleanCookies($event);
 
         static::assertCount(2, $response->headers->getCookies());
         $this->assertHasCookie(self::KEEP_COOKIE_NAME, $response);
         $this->assertHasCookie(self::KEEP_REGED_EXAMPLE, $response);
     }
 
+    public function testAddFLoCPolicy(): void
+    {
+        $response = new Response();
+
+        $event = new ResponseEvent(
+            $this->createStub(HttpKernelInterface::class),
+            $this->createStub(Request::class),
+            0,
+            $response
+        );
+
+        $subscriber = new KernelEventSubscriber(null, false);
+        $subscriber->addFLoCPolicy($event);
+
+        static::assertTrue($response->headers->has('Permissions-Policy'));
+        static::assertSame('interest-cohort=()', $response->headers->get('Permissions-Policy'));
+    }
+
+    public function testAddFLoCPolicyWithDisabledOption(): void
+    {
+        $response = new Response();
+
+        $event = new ResponseEvent(
+            $this->createStub(HttpKernelInterface::class),
+            $this->createStub(Request::class),
+            0,
+            $response
+        );
+
+        $subscriber = new KernelEventSubscriber(null, true);
+        $subscriber->addFLoCPolicy($event);
+
+        static::assertFalse($response->headers->has('Permissions-Policy'));
+    }
+
     private function assertHasCookie(string $cookieName, Response $response): void
     {
         static::assertCount(1, array_filter($response->headers->getCookies(), static function (Cookie $cookie) use ($cookieName): bool {