Draft: manually control blocking before cookie consent + preconnect to third-party scripts

1. Change Summary

Closes #1510

This MR achieves the following:

  • Preconnects third-party scripts
  • Removes OneTrust's own Auto Block feature for third-party scripts. We will now handle this ourselves.

How it works

  • OneTrust scripts load. Our third-party marketing scripts preconnect, but do not appear in the DOM. (GTM will still load)
  • If cookies are auto-allowed or the user clicks on their region-specific prompt to allow cookies, the appropriate OneTrust consent groups (0001, 0002, 0003, 0004) will fire. That change in consent will download and execute any of the scripts within that group.
  • If rejected, the applicable scripts are not downloaded or fired.

Caveats

  • Preconnects can be useless for some users (see note on preconnect diff)
  • If we add any new (or delete any) third-party scripts, DEX is responsible for updating the file to wire up with OneTrust

Testing

Performance gains were analyzed with Claude using the Export json feature in DebugBear. Results are here. The Review App is as close to a Production environment as I can get it but it will never be exact.

Enjoy the bottom half of my face.

2. QA Checklist

  • Code Cleanup: Any messages, linter warnings, and/or deprecation warnings are cleaned up in the console
  • Tech Debt: I have created, or documented, any fast follow-up work that needs to be done after this MR is merged
  • Efficient Code Review: I have tested and reviewed my own changes thoroughly before assigning a reviewer
  • Cross-browser compatibility: Works on Safari, Chrome, and Firefox
  • Analytics and SEO: Compatible with Google Analytics and SEO tools
  • Localization checked for regressions

Review App

Production: https://about.gitlab.com/
Review app: https://spike-manual-auto-block-consent.about.gitlab-review.app/

3. Deployment Steps

  • Follow comment steps in the onetrust-scripts.ts file (turn off OneTrust in development environments)
  • Revert change (Version 579 - OneTrust TEST) in GTM that allowed for review app testing DONE
  • OneTrust: Delete test site
  • Inform Legal
  • Run Debugbear scan in production once deployment finishes
  • Set reminder to re-run to check CrUX scores in 28 days

Revert Steps

  • Revert MR
  • Inform Legal/stakeholders
Edited by Megan Filo
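An added illustration of the gating described under "How it works" (not the MR's code or OneTrust's API): preconnect hints are computed up front, while script tags are injected only once a consent group becomes active, and never twice. The group ids, script URLs and the comma-separated consent string are constructed placeholders.

```typescript
// Added example, not the MR's code. Group ids, URLs and the comma-separated
// consent string format are constructed placeholders standing in for the real
// OneTrust values the MR wires up in onetrust-scripts.ts.
type ScriptRegistry = Record<string, string[]>;

// Minimal view of the DOM the loader needs, so it can run outside a browser.
interface ScriptHost {
  createElement(tag: 'script'): { src: string; async: boolean };
  head: { appendChild(el: { src: string; async: boolean }): unknown };
}

// Constructed mapping: consent group id -> third-party scripts gated by it.
const SCRIPT_REGISTRY: ScriptRegistry = {
  '0002': ['https://analytics.example/tag.js'],
  '0004': ['https://ads.example/pixel.js', 'https://social.example/sdk.js'],
};

// ",0001,0002," -> Set {"0001","0002"}; a rejected consent yields an empty set.
function parseActiveGroups(groups: string): Set<string> {
  return new Set(groups.split(',').map((g) => g.trim()).filter((g) => g.length > 0));
}

// Distinct third-party origins for <link rel="preconnect"> hints. These can be
// emitted before consent because no script body is fetched or executed.
function preconnectOrigins(registry: ScriptRegistry): string[] {
  const origins = new Set<string>();
  for (const urls of Object.values(registry)) {
    for (const u of urls) {
      const m = /^(https?:\/\/[^/]+)/.exec(u);
      if (m) origins.add(m[1]);
    }
  }
  return Array.from(origins);
}

// URLs whose group is consented and that have not already been injected.
function scriptsToLoad(groups: string, registry: ScriptRegistry, loaded: Set<string>): string[] {
  const active = parseActiveGroups(groups);
  const out: string[] = [];
  for (const [group, urls] of Object.entries(registry)) {
    if (!active.has(group)) continue;
    for (const url of urls) if (!loaded.has(url)) out.push(url);
  }
  return out;
}

// Called on every consent change: injects <script> tags only for consented groups
// and records them, so a repeated consent event never injects the same URL twice.
function applyConsent(groups: string, registry: ScriptRegistry, loaded: Set<string>, host: ScriptHost): string[] {
  const pending = scriptsToLoad(groups, registry, loaded);
  for (const url of pending) {
    const el = host.createElement('script');
    el.src = url;
    el.async = true;
    host.head.appendChild(el);
    loaded.add(url);
  }
  return pending;
}
```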
