Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(banner): Consent-Historie/Widerruf live erkennen (Borlabs-Stil, #62)

Browse Source 
consent_history.detect_consent_history: erkennt CMP-Anbieter (Borlabs/
Usercentrics/OneTrust/Cookiebot/…) aus Storage+Cookies, versionierten Consent
(historie-fähig) + dauerhaftes Widerruf-/Einstellungs-Widget. consent_scanner
ruft es in Phase A; scan_matrix_summary surft summary.consent_history;
browser_cross_finding: positiver Befund wenn vorhanden, sonst Best-Practice-LOW
(„Nutzer sehen, wann sie welcher Version zugestimmt haben"); BrowserBehaviorView
zeigt es im Engine-Detail. Tests: 7 (classify/versioned) + 2 Cross-Finding.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-13 16:38:38 +02:00
parent 8d0da710d5
commit d92dd3b5fc
7 changed files with 208 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
consent-tester/services/consent_history.py
+95
View File
@@ -0,0 +1,95 @@
"""Consent-Historie-/Widerruf-Erkennung (Borlabs-Stil) während des Scans.
Erkennt, ob die Site ihre Einwilligung versioniert speichert (Borlabs hält die
zugestimmte Version + Zeitstempel → Nutzer kann nachvollziehen, welcher Version
er wann zugestimmt hat) und ob ein dauerhaftes Widerruf-/„Cookie-Einstellungen"-
Widget angeboten wird. Reine Klassifikation (`classify_provider`) ist ohne
Browser unit-testbar; `detect_consent_history` kapselt das Playwright-IO.
"""
from __future__ import annotations
from typing import Any, Optional
# Signatur-Fragmente in Storage-Keys/Cookie-Namen → CMP-Anbieter.
_PROVIDERS = [
("Borlabs", ["borlabs-cookie", "borlabscookie", "borlabs"]),
("Usercentrics", ["uc_settings", "uc_user_interaction", "usercentrics"]),
("OneTrust", ["optanonconsent", "optanonalertbox", "onetrust"]),
("Cookiebot", ["cookieconsent", "cookiebot"]),
("Complianz", ["cmplz_", "complianz"]),
("Cookie-Script", ["cookiescriptconsent"]),
]
# Wer trägt von Haus aus eine versionierte Consent-Historie (Capability).
_HISTORY_CAPABLE = {"Borlabs", "Usercentrics", "OneTrust", "Cookiebot"}
# Selektoren für ein dauerhaftes Widerruf-/Einstellungs-Widget.
_WITHDRAW_SELECTOR = (
'a:has-text("Cookie-Einstellungen"), button:has-text("Cookie-Einstellungen"), '
'a:has-text("Einwilligung"), button:has-text("Einwilligung"), '
'a:has-text("Cookie Settings"), button:has-text("Cookie Settings"), '
'a:has-text("Consent"), button:has-text("Consent"), '
'[id*="borlabs-cookie"], [class*="borlabs-cookie"], #BorlabsCookieBox, '
'[class*="cookie-preference"], [class*="cmplz-manage"]'
)
def classify_provider(names: list[str]) -> str:
"""Storage-Keys + Cookie-Namen → CMP-Anbieter ('' wenn unbekannt). Pur."""
blob = " ".join(n.lower() for n in names if n)
for provider, sigs in _PROVIDERS:
if any(s in blob for s in sigs):
return provider
return ""
def _is_versioned(provider: str, stored_value: Optional[str]) -> bool:
"""True, wenn der gespeicherte Consent eine Version/Consent-Liste trägt
(Indiz für nachvollziehbare Historie)."""
if not stored_value:
return provider in _HISTORY_CAPABLE # Capability auch ohne Wert
low = stored_value.lower()
return any(t in low for t in ("version", "consents", "timestamp", "consentid"))
async def detect_consent_history(page: Any) -> dict:
"""Liest Storage/Cookies + DOM und liefert:
{provider, stored, versioned_consent, history_capable, withdraw_ui}."""
keys: list[str] = []
try:
keys = await page.evaluate("() => Object.keys(window.localStorage || {})")
except Exception:
keys = []
cookie_names: list[str] = []
try:
cookie_names = [c.get("name", "") for c in await page.context.cookies()]
except Exception:
cookie_names = []
provider = classify_provider(list(keys) + cookie_names)
stored_value = None
if provider == "Borlabs":
try:
stored_value = await page.evaluate(
"() => localStorage.getItem('borlabs-cookie') || "
"localStorage.getItem('BorlabsCookie')")
except Exception:
stored_value = None
versioned = _is_versioned(provider, stored_value)
withdraw = False
try:
withdraw = await page.locator(_WITHDRAW_SELECTOR).count() > 0
except Exception:
withdraw = False
return {
"provider": provider,
"stored": bool(provider),
"versioned_consent": versioned,
"history_capable": versioned or provider in _HISTORY_CAPABLE,
"withdraw_ui": withdraw,
}
consent-tester/services/consent_scanner.py
+10
View File
@@ -81,6 +81,9 @@ class ConsentTestResult:
# Backend embedded das als <img> in der Mail — visueller Beweis
# "so sah das Banner zum Audit-Zeitpunkt aus".
banner_screenshot_b64: str = ""
# #62: Consent-Historie/Widerruf (Borlabs-Stil) — Provider, versionierter
# Consent (historie-fähig), dauerhaftes Widerruf-Widget.
consent_history: dict = field(default_factory=dict)
def _apply_edge_case_findings(result, url: str = "") -> None:
@@ -274,6 +277,13 @@ async def run_consent_test(
except Exception as _se:
logger.warning("P85: banner screenshot failed: %s", _se)
# #62: Consent-Historie/Widerruf (Borlabs-Stil) erkennen.
try:
from services.consent_history import detect_consent_history
result.consent_history = await detect_consent_history(page_a)
except Exception as _che:
logger.warning("consent-history detection failed: %s", _che)
await ctx_a.close()
if not banner.detected:
consent-tester/services/scan_matrix_summary.py
+2
View File
@@ -63,6 +63,8 @@ def matrix_scan_dict(result: Any) -> dict:
getattr(result, "banner_has_dse_link", False)),
"banner_text_issues": len(banner_text_violations),
},
# #62: Consent-Historie/Widerruf (Borlabs-Stil).
"consent_history": getattr(result, "consent_history", {}) or {},
# Oberflächen-Befunde je Engine (die 20 Banner-Checks: Button-Prominenz,
# Toggle-Vorauswahl, Einleitungstext/Links …) — Text + Severity +
# Norm-Bezug. Aggregierte Maßnahmen folgen im Cross-Finding.