Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(browser-matrix): Tracking-Signal statt Cookie-Rohzahl + Matrix-Schnellpfad

Browse Source 
Korrektheit (§ 25 TDDDG): "Cookies vor Consent" ist KEIN Verstoss per se —
technisch notwendige Cookies inkl. des Consent-Cookies (speichert die
Ablehnung) sind nach Abs. 2 erlaubt. Verstoss ist nur nicht-essentielles
TRACKING vor Consent.
- browser_cross_finding: Befund haengt jetzt an violations.before_consent
  (Tracking), nicht an der Cookie-Rohzahl; § 25 Abs. 2-Hinweis im Detail.
  Regressionstest: Cookies-ohne-Tracking → KEIN Befund.
- multi_browser_scanner._extract_dimensions: Score nutzt Tracking-Violations
  + reject_respected-Verdikt statt Rohzahl (Fallback erhalten).
- BrowserBehaviorView: "Cookies vor Consent" nur rot/⚠ bei Tracking,
  "nach Ablehnen" neutral (Verdikt = reject-Spalte); erklaerende Zeile.

Speed: run_consent_test ueberspringt im Matrix-Modus (browser_profile gesetzt)
die teuren Phasen C/D-F/G — nur A+B noetig. Verhindert das 504 beim
Multi-Engine-Scan (BMW 4 Engines lief sonst in den 338s-Gateway-Timeout).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-13 00:10:41 +02:00
parent fa8ad030cb
commit 3f90e40807
5 changed files with 99 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/tests/test_browser_cross_finding.py
+25 -10
View File
@@ -8,7 +8,7 @@ from compliance.services.browser_cross_finding import build_cross_findings
def _row(pid, label, engine, *, before=0, reject_ok=True,
impressum=True, dse=True, with_summary=True):
impressum=True, dse=True, with_summary=True, track_before=0):
if not with_summary:
return {"profile_id": pid, "label": label, "engine": engine,
"summary": None, "error": "launch failed"}
@@ -19,6 +19,9 @@ def _row(pid, label, engine, *, before=0, reject_ok=True,
"cookies_after_reject": 0 if reject_ok else 2,
"reject_respected": reject_ok,
"surface": {"has_impressum_link": impressum, "has_dse_link": dse},
# before_consent = nicht-essentielles Tracking vor Consent (das
# rechtlich relevante Signal, NICHT die Cookie-Rohzahl `before`).
"violations": {"before_consent": track_before},
},
}
@@ -32,22 +35,34 @@ def test_empty_matrix():
assert build_cross_findings({"browser_matrix": []}) == []
def test_pre_consent_in_all_engines_high():
def test_tracking_before_consent_in_all_engines_high():
# Nicht-essentielles Tracking vor Consent (track_before>0) in allen Engines.
m = {"browser_matrix": [
_row("chromium-headed-de", "Chromium", "blink", before=5),
_row("firefox-headed-de", "Firefox", "gecko", before=3),
_row("chromium-headed-de", "Chromium", "blink", before=5, track_before=2),
_row("firefox-headed-de", "Firefox", "gecko", before=3, track_before=1),
]}
f = build_cross_findings(m)
hit = [x for x in f if "in allen Browsern" in x["title"]]
hit = [x for x in f if "Tracking vor der Einwilligung — in allen" in x["title"]]
assert hit and hit[0]["severity"] == "HIGH"
assert "TDDDG" in hit[0]["measure"]
assert "§ 25 Abs. 2" in hit[0]["detail"] # essentielle Cookies ausgenommen
def test_pre_consent_inconsistent_flags_browser_protection():
# Chrome (nachgiebig) setzt vor Consent, Safari/WebKit (ITP) nicht.
def test_cookies_before_consent_without_tracking_is_no_finding():
# KERN-REGRESSION (User-Frage): Cookies vor Consent vorhanden, aber KEIN
# Tracking (z.B. nur das Consent-Cookie selbst) → KEIN Verstoß-Befund.
m = {"browser_matrix": [
_row("chrome-channel-desktop-de", "Chrome", "blink", before=4),
_row("webkit-headed-de", "Safari/WebKit", "webkit", before=0),
_row("chromium-headed-de", "Chromium", "blink", before=5, track_before=0),
_row("firefox-headed-de", "Firefox", "gecko", before=4, track_before=0),
]}
f = build_cross_findings(m)
assert [x for x in f if "Tracking vor" in x["title"]] == []
def test_tracking_before_consent_inconsistent_flags_browser_protection():
# Chrome (nachgiebig) lässt Tracker vor Consent, Safari/WebKit (ITP) nicht.
m = {"browser_matrix": [
_row("chrome-channel-desktop-de", "Chrome", "blink", before=4, track_before=3),
_row("webkit-headed-de", "Safari/WebKit", "webkit", before=0, track_before=0),
]}
f = build_cross_findings(m)
hit = [x for x in f if "nur in manchen" in x["title"]]