Add GDPR-compliant cookie consent with analytics blocking

[Copilot]

Implements cookie consent using vanilla-cookieconsent v3 to comply with GDPR requirements. Analytics scripts are blocked until user consent is obtained.

Changes

Library Integration

• Added [email protected] to _config.yml third-party libraries with SRI hashes
• Created _scripts/cookie-consent-setup.js with consent modal and settings configuration
• Added CSS/JS includes in _includes/head.liquid and _includes/scripts.liquid

Analytics Blocking

• Modified analytics scripts in scripts.liquid and distill_scripts.liquid to use conditional type="text/plain" data-category="analytics" when consent is disabled
• Blocks Google Analytics, Cronitor, Pirsch, and OpenPanel until consent granted
• Library automatically converts blocked scripts to executable on user acceptance

Configuration

• Added enable_cookie_consent flag (default: false)
• Cookie categories: necessary (always on), analytics (optional)
• 182-day cookie expiration, auto-clear on rejection

Implementation

{% if site.enable_cookie_consent %}
  <script type="text/plain" data-category="analytics" async src="...gtag.js"></script>
{% else %}
  <script async src="...gtag.js"></script>
{% endif %}

Enable in _config.yml:

enable_cookie_consent: true

Screenshots

Consent Modal

Settings Modal

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• cdn.jsdelivr.net
  • Triggering command: /usr/bin/curl curl -s REDACTED (dns block)
• cookieconsent.orestbida.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• medium.com
  • Triggering command: /usr/local/bin/ruby ruby /usr/local/bundle/bin/bundle exec jekyll serve --watch --port=8080 --host=0.0.0.0 --livereload --verbose --trace --force_polling s 6_64-linux /etc/locale.gen by/backward -binutils_2.44-3grep .deb eb /systemd-sysctl (dns block)
• publish.twitter.com
  • Triggering command: /usr/local/bin/ruby ruby /usr/local/bundle/bin/bundle exec jekyll serve --watch --port=8080 --host=0.0.0.0 --livereload --verbose --trace --force_polling lude�� lude/ruby-4.0.0//run/containerd/io.containerd.runtime.v2.task/moby/a4760212ce4eda97e32b6dfa4d3ea/usr/sbin/iptables r/runc-log.json f8_range lude r-strong E r/wc7in709a54d7hshow (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>GDPR compliant cookie consent dialog</issue_title>
<issue_description>Hi,

since I am from Europe and want my site to be accessed by EU citizens I need to ask users if they are ok with the use of cookies. Adding a dialogue by default that that asks the user before any cookies / localStorage are used would be nice.

I have integrated the dialog from https://www.cookieconsent.com/ on my website and am happy to file a PR if you are interested. However It is not shown directly at the top, but below the menu bar for some reason. Not sure how to fix that.
</issue_description>

<agent_instructions>Implement this using cookie consent dialog from https://github.com/orestbida/cookieconsent. The documentation is available at https://cookieconsent.orestbida.com/essential/getting-started.html.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@alshedivat @hschwane, thanks for pointing this out. It's would be great if you could send a PR.

To answer your question about positioning, the menu bar has the absolute position at the top of the page and keeps moving with scrolling. You can change that behavior in _config.yml by setting navbar_fixed: false (see line 27). If you send a PR with basic functionality, I can help with adjusting the styles a bit. Thanks!</comment_new>
<comment_new>@alshedivat
Just catching up on this discussion.

@hschwane, thanks for providing an implementation based on ihavecookies! I looked through #223. It seems like to be able to correctly (un)block different types of cookies (all of which are third-party cookies) requires adding quite a bit of extra JavaScript (including adding it directly to posts or pages in some cases, e.g., when posts embed youtube videos or other external content). This approach will put some extra burden on contributors and maintainers of al-folio down the line.

By the way, the dialog from https://www.cookieconsent.com/ is similar in that sense as it requires to manually add ALL scripts that use cookies. So, if someone contributes a new feature to al-folio that uses cookies, the contributor would have to go and update the cookie consent dialog as well (or edit quite a bit of JS if ihavecookies is used).

Thinking about this more, I currently see only three options:

1. If we want to have cookie consent as a core part of al-folio (which can be easily enabled or disabled), it needs to be a service that automatically identifies and blocks cookies, without putting an extra burden on the contributors or maintainers. The hosted version of Cookie Consent by Osano is an example.
2. Another option is to provide a very minimalistic cookie consent dialog which simply says that the website uses cookies, without an option to opt-in or opt-out (e.g., see the open-source edition of Osano).
3. Finally, not have cookie consent as part of al-folio, and make the user responsible for figuring out whether they need a consent dialog and which service to use.

Let me know what you think.</comment_new>
<comment_new>@alshedivat
the best way to add GDPR compliant cookie consent is using https://github.com/orestbida/cookieconsent</comment_new>

Custom agent used: customization_agent
Expert customization assistant for the al-folio Jekyll academic website template

• Fixes GDPR compliant cookie consent dialog #199

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[netlify]

❌ Deploy Preview for relaxed-lollipop-b6bc17 failed. Why did it fail? →

Name	Link
🔨 Latest commit	8e7a60d
🔍 Latest deploy log	https://app.netlify.com/projects/relaxed-lollipop-b6bc17/deploys/697f8f07bf97c400085e536f

[github-actions]

Failed prettier code check. Check this file for more information.

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[Copilot]

Pull request overview

This PR implements GDPR-compliant cookie consent functionality using the vanilla-cookieconsent library (v3). The implementation blocks all analytics scripts until users explicitly grant consent, ensuring compliance with European privacy regulations.

Changes:

• Adds vanilla-cookieconsent library integration with modal UI for user consent management
• Implements conditional script blocking for Google Analytics, Cronitor, Pirsch, and OpenPanel using type="text/plain" data-category="analytics" pattern
• Integrates Google Consent Mode v2 to signal privacy preferences to Google services before user consent
• Adds dark mode support for cookie consent modal that syncs with site theme

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
_config.yml	Adds library configuration with CDN URLs/integrity hashes and enable_cookie_consent feature flag
_scripts/cookie-consent-setup.js	Implements consent modal configuration, Google Consent Mode initialization, and consent callbacks
_includes/scripts.liquid	Conditionally blocks analytics scripts with type="text/plain" data-category="analytics" when consent is enabled
_includes/distill_scripts.liquid	Mirrors analytics blocking implementation for Distill layout pages
_includes/head.liquid	Loads cookie consent CSS library with integrity verification
assets/js/theme.js	Adds setCookieConsentTheme() function to sync modal appearance with site dark mode

[george-gca]

I am not sure the current solution is enough to guarantee that no tracking is being made if not given consent. It would be useful for someone with experience on that to give feedback.