Skip to content

Updated CPM settings view behind feature flag#9102

Open
sammacbeth wants to merge 6 commits into
duckduckgo:developfrom
sammacbeth:sam/cpm-settings-toggle
Open

Updated CPM settings view behind feature flag#9102
sammacbeth wants to merge 6 commits into
duckduckgo:developfrom
sammacbeth:sam/cpm-settings-toggle

Conversation

@sammacbeth

@sammacbeth sammacbeth commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Task/Issue URL: https://app.asana.com/1/137249556945/task/1214148192222353
Tech Design URL (if applicable):

Description

Adds a new UI for the CPM settings page, behind the cookiePopupPreferenceSetting feature flag.

This UI provides a new option, that will also click 'accept' buttons when no 'reject' or similar button is in the popup, and also no settings button exists.

Steps to test this PR

  1. Enable the cookiePopupPreferenceSetting feature flag.
  2. In CPM settings you should see the new options:
  3. On https://privacy-test-pages.site/features/autoconsent/heuristic.html the reject button should be clicked as usual.
  4. On about.me the 'ok' popup should now be handled.
  5. On https://colemanfurniture.com/ the 'accept' button is only clicked when the 'Reject, hide or Accept' setting is selected.

Feature 1

  • [ ]
  • [ ]

UI changes

Before After
Screenshot 2026-07-03 at 15 33 57 Screenshot 2026-07-03 at 15 34 45

Note

Medium Risk
Changes in-page consent automation (including optional accept clicks at MAX) and persistence migration; misconfiguration could affect privacy expectations on real sites until the flag is validated.

Overview
Introduces a Cookie Pop-up Preference model (OFF, DEFAULT, MAX) with API and persisted storage (including migration from the legacy on/off toggle), gated by remote flag cookiePopUpPreferenceSetting.

When the flag is on, the CPM settings screen swaps the single toggle for Auto-Manage Cookie Pop-Ups and Pop-Ups Without Opt-Outs, which map to DEFAULT and MAX. Init handling now derives enablement and JS config from the preference instead of only userSetting.

The embedded autoconsent bundle is updated: enableHeuristicAction becomes heuristicMode (off / reject / tier1 / tier2) so heuristics can click reject-only, acknowledge/dismiss, or accept when no opt-out exists. Consentomatic rules are dropped from the Android userscript bootstrap.

Reviewed by Cursor Bugbot for commit 4a39d83. Bugbot is set up for automated code reviews on this repo. Configure here.

sammacbeth and others added 4 commits June 25, 2026 13:57
Avoid persisting the migrated preference before remote config loads so invalidateCache can apply onByDefault correctly.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sammacbeth sammacbeth marked this pull request as ready for review July 6, 2026 09:45

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Reviewed by Cursor Bugbot for commit 4a39d83. Configure here.

override fun getCookiePopUpPreference(): CookiePopUpPreference {
return settingsRepository.cookiePopUpPreference
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enabled state ignores cookie preference

High Severity

With the new settings UI, changeCookiePopUpPreference only persists cookiePopUpPreference, while isSettingEnabled() and isAutoconsentEnabled() still read the legacy userSetting flag. Enabling auto-manage when legacy storage is false leaves isAutoconsentEnabled() false, so injectAutoconsent skips injecting the autoconsent script and cookie pop-up handling never runs despite the user turning protection on.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 4a39d83. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant