Blog

I must admit it, I like to use data-attributes for user clicks interactions rather than delegating that work on the IT team or relying on the class/id attributes. ( Data Attributes Tracking ) .

For Universal Analytics, this was some kind of easy work, since we had some fixed data attributes names (category, action, label, value when talking about events, or pagepath if we wanted to use a virtual pageview ). With the new event based tracking model on Gooogle Analytics 4 ( GA4 , formerly APP+WEB ), this has change, and we have a single hit type which is going to be an “event” all the time, but them we have an unlimited possiblities of parameter names.

On this post I’ll showing my approach to automate the events tracking on Google Analytics 4 using data attributes. Let’s go for it.

First we’ll need a data-attribute named “data-ga4-event” , this one will allow us on the next steps to setup a CSS Selector to trigger our tags.

Then for the events parameters we’ll use the following format: data-ga4-param-{{PARAM_NAME}} .
Note that data attributes use kebab-case, so we’ll using is as “clicked-link-url”

Let’s now see some examples. A simple event without parameters will look like this:

<button id="cta"
data-ga4-event="cta click"
>CHECKOUT</button>

and if we need to pass some paraemters it will look like:

<a href="https://twitter.com/thyng"
    data-ga4-event="social_link_click"
    data-ga4-param-social-network-name="twitter"
    data-ga4-param-social-network-user="thyng"
>Follow me on Twitter</button>

You may now be thinking, that would need a separate JS snippet for each event, but we’ll be using some JS magic to automatically convert this data attribute tagging on dataLayer pushes automatically.

(function() {
    // Grab all tagged elements
    var events = document.querySelectorAll('[data-ga4-event]');
    var unCamelCase = function(str, separator) {
        separator = typeof separator === 'undefined' ? '_' : separator;
        return str.replace(/([a-z\d])([A-Z])/g, '$1' + separator + '$2').replace(/([A-Z]+)([A-Z][a-z\d]+)/g, '$1' + separator + '$2').toLowerCase();
    }
    for (var i = 0; i < events.length; i++) {
        events[i].addEventListener('click', function(event) { 
            var target = event.currentTarget;
            if(target){             
                var dl = {} 
                dl['event'] = target.dataset['ga4Event'];
                Object.entries(target.dataset).forEach(function(e) {
                    var key = e[0];
                    var value = e[1]
                    var m = key.match('ga4Param(.+)');
                    if (m && m[1]) {
                        dl[unCamelCase(m[1],'_')] = value;
                    }
                })                
                window.dataLayer.push(dl);
            }
                        
        });
    }
})()

The snippet above will take care of building a dataLayer push each time a click is performed on a element that has a data-ga4-event attribute, and will take also care of converting all data-param-X attributes in snake_case parameters within our event push.

As example our previous example:

<a href="https://twitter.com/thyng"
    data-ga4-event="social_link_click"
    data-ga4-param-social-network-name="twitter"
    data-ga4-param-social-network-user="thyng"
>Follow me on Twitter</button>

Will turn being the following dataLayer push:

window.dataLayer.push({
    "event": "social_link_click",
    "social_network_name": "twitter",
    "social_network_user": "thyng"
});

Of course you could add some more feature to this snippet, for example for automatically sanitizing the values before the push is sent, or you could build some black list to prevent any non-predefined event to go into your reports.

It’s been a long time since the last post, even more since the last extension update. To be exact it took me around 1 year to have this new version ready.

The main reason for this delay was that I switched how the extension is built at least 5 times. I don’t consider myself a developer which implies that many times I end choosing not the best stack I should. Anyway this has been a real opportunity for my to learn a lot of new technologies/frameworks I didn’t know about or just I never was able to understand, just to mention some: React / Svelte , WebPack, Rollup, Git, Gulp, Trevis. So at this point I’m really “happy” of all the time “wasted” on refactoring the extension so many times.

In case you’re interested after these so many changes, I ended building the extension using Vue.js 2 and Bulma as the CSS Framework. This has allowed me to build an extension that it’s faster, it’s build on top of some good tecnhologies ( instead of having thousand of non-efficient JS code lines ).

I know that for most people most of the changes won’t be noticiable, mostly because I tried kept the UI as it was in the previous version, but internally everything is different, while also como new features where added.

In the following video, I’m showing an overview of what the new extension has to offer:

GTM/GA Debugger Features

• GTM/GTAG Debug Support
• Multiple dataLayer Support ( View all the dataLayer pushes and current state )
• View all Universal Analytics Hits being sent
• View all GA4 (App+Web) Hits being sent
• Filter out the hits by the type or property/stream ids
• Filter out the dataLayer pushes by their type ( core, ga4, custom, etc )
• Parse Hits payload to see a human.friendly keys translation
• Enhanced Ecommerce Report ( based on GA/GA4 hits )
• All Reports are in Real Time
• Copy any Hit/dataLayer push info to the clipboard in a friendlyu format within a mouse click
• Trace any Hit/dataLayer push
• Real Time GA hits Payload debugging
• More …

I really lost track all everything that was added on this specific release, so I’m providing a quick Changelog

Changelog

• [NEW] – Now it’s based on Vue2.js + Bulma
• [NEW] – GA4 Hits Full Support
• [NEW] – GA4 Ecommerce Support
• [NEW] – Multiple dataLayer Support
• [NEW] – Multiple GTAG/GTM Containers support
• [NEW] – Copy hits as string
• [NEW] – Hits Stack Trace Reporting
• [NEW] – Hits Debug ( run the hits againts official GA debug endpoint )
• [NEW] – DataLayer Pushes Stack Trace Reporting
• [NEW] – GTM Preview Enhancer
• [ENHANCEMENT] – Debugging can be started clicking on a button rather than needing to press F5
• [ENHANCEMENT] – Improved GTM/GA/GA4 detection – Faster detection delay
• [ENHANCEMENT] – Improved GTM/GA/GA4 detection – Better accuracy
• [ENHANCEMENT] – Improved SSR/SPA/PWA pages debugging.
• [ENHANCEMENT] – Pushes/Hits timing are now correct and are shown in the real order they are triggered
• [ENHANCEMENT] – UI is now more responsive, showing a better interface when using it in the sidebar
• [FIX] – All bugs reported ( sites where the tool was not working properly ) has been addresses . Thanks to everyone that helped on reporting
• [FIX] – Incogonito Mode Support
• [FIX] – GA detection for hits non-send to GA endpoints
• [FIX] – GTM detection locally served containers
• [FIX] – +40 Tickets og bugs.

As you may noticed some tools are gone: the Data Attributes Inspector and the Profiler Tab Report, I removed this feature for this release in order to focus on the tool reliability, they will be added back on the next releases.

More news about the extension is that it will be available for Firefox, Opera and Edge ( as soon as I can’t have it approved on their marketplaces )

Now I’m looking for some betatesters that will help me on identifying issues on some new releases. Yay!.

Last big new is that hit the 40.000 users this past week. Yeah, according to Chrome Store data, the extension is being used by more than 40K users weekly, I’d never thought the tool was end having these many users, but also this created some “responsability” at my side that I’m currently not sure how to handle it.

In the last year I declined all the extension puchase offers and also I didn’t accept any offer for adding ads within the tool, I really want to keep this tool free of ads, but it really takes lot of time. Because of this I decided to start accepting donations via Ko-Fi, Getting some help this will allow to publish updates more regularly. This is some totally opcional, I’ll keep working on the extension anyway, but some people in the past asked for being able to help.

Click on the button below if the extension has been helpful for your work:

Now if you are not still using the extension you can get it for free in the following link: INSTALL EXTENSION

Around end of 2019, Google Analytics dropped the Network Domain and Service Provider dimensions support from their reports making an official announment in February about it.

These 2 dimensions, where widely used to fight the spam in Google Analytics and there have been a lot of posts going around this topic in the last months. Simo Ahava wrote about how to collect the ISP data third party service in you want to check it.

On this post we’ll learning what’s an Autonomous System and how we could use this info to try to fight the spam. And coolest part is that we’ll be able to use a free database for this. Continue reading 🙂

There are some other services and commercial databases that will provide this details, but let’s be honest there’re some big handicaps:

• If you use a free services, you will hit the limit quota quickly
• If you have a high traffic website this is not going to be cheap

There’re basically 3 different types of subscriptions, SaaS ( they host the app and the database, DB ( you host the Database and the query system ), WebService.

I’m attaching a list of some of the providers available, in case you want to check them.

In any case there are a lot of posts around this topic on the web, and I’m trying to give this issue a new solution.

MaxMind provides their GEO LITE databases for Free , these database are updated weekly ( on Tuesdays to be exact ) and they provide info about:

• Countries
• Cities
• ASN

The main difference on this databases with the paid ones is how accurate they are and how often they get updated. This accuracy may be an problem when we need to target users based on their city, but this time this is not what we’re looking for, we’ll looking at their ASN database.

If you are wondering ASN stands for Autonomous System Number. According to the Wikipedia:

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.^[1]

https://en.wikipedia.org/wiki/Autonomous_system_(Internet)

ASNs are a “big” routers on the ISPs and datacenters that are in charge of announcing the IP addreses they hold. ( sorry for this unaccurate description, trying to make this simple ) in order to let other AS to know how to reach their IP addreses.

Each ISP usually have their own ( they can have more than 1 ) . ASN. For example one of main ASN in Google is: AS15169 registered to Google LLC, and this Autonomous System manages 9.5 millions IPs from Google:

This means that we could query any IP address we and the ASN database will return their current ASN that it belongs to.

For example we may query Google DNS’s IP address: 8.8.8.8 and the database will return the AS number and the organization name:

Array
(
    [autonomous_system_number] => 15169
    [autonomous_system_organization] => GOOGLE
)

Some other examples let’s query for this Fastly CDN IP address 151.101.134.133

Array 
(
   [autonomous_system_number] => 54113 
   [autonomous_system_organization] => FASTLY
)

Or let’s query for an IP in a dedicated servers provide like LiquedWeb

Array
(
    [autonomous_system_number] => 32244
    [autonomous_system_organization] => LIQUIDWEB
)

We could use the AS Number and the Organization names as a way to try to catch the spam, since most spam traffic is likely going to come from a co-location / vpn providers that we could identify this way.

Since it’s a database we’ll need to setup a small endpoint in our domain in order to be able to query it. This implies some IT development but in the other side it has some big wins:

There will be NO query limits.

The cost of having this solution running is the cost endpoint development

We could have our website developer querying this info via server-side and have this data pushed to the dataLayer instead of needing to have an extra XHR request and needing to delay the hits, YAY!

Now, in the order side of the road there some handicaps:

• Not as accurate data as network/domain in other databases
• Data freshness accuracy won’t be premium, but as we all know GA wasn’t either.
  

Getting the ASN DB

As I’ve mentioned above the GeoLite ASN database is free and you’ll be able to get it after signup for a free account at : https://dev.maxmind.com/geoip/geoip2/geolite2/

PHP Example

Another good point is that MaxMind already provides libreries for PHP/NodeJS/Perl and other languages to help on reading querying their GEOLite databases, which helps on setting up our endpoint.

As usual I’m providing a example for PHP, since it’s the most widly used language and the one that it’s avaiable on almost any hosting around the world

If we don’t have composer installed yet, that’s gonna be our first step:

curl -sS https://getcomposer.org/installer | php

next, we’ll be installing the needed dependences

php composer.phar require geoip2/geoip2:~2.0

<?php
require_once 'vendor/autoload.php';
use GeoIp2\Database\Reader;
$ip_as_details = new Reader('geo/GeoLite2-ASN.mmdb');
$asn_details = $ip_as_details->get('8.8.8.8');
// As this point we could build a JSON and send it back to the browser.
print_r($asn_details);

Last step will be passing back this info to Google Analytics using a custom dimension, so we can use it in our filters or segments.

Extra – Grabbing the network domain

I was about to publish the post and I decided to add a little extra , let’s also learn how to track the “network domain” .

Google Analytics was using the IP’s PTR for the “network domain” . Again you may wonder what’s “PTR” , and it stands for “Pointer record” and it basically resolves an IP to a FQDN ( fully-qualified domain name ). This is it’s the inverse of a A DNS Record.

For example we can make a Reverse IP Lookup to google DNS’s and it will return “dns.google”.

root@sd1:/# nslookup
> set q=ptr
> 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53
Non-authoritative answer:
8.8.8.8.in-addr.arpa    name = dns.google.

Or we may try with one Google Bot IP address, which most sea must be familiar

> set q=ptr
> 66.249.66.1
Server:  dns.google
Address:  8.8.8.8
Non-authoritative answer:
1.66.249.66.in-addr.arpa        name = crawl-66-249-66-1.googlebot.com

Last example let’s query google.com IP address

> set q=a
> google.com
Server:  dns.google
Address:  8.8.8.8
Non-authoritative answer:
Name:    google.com
Address:  172.217.17.14
> set q=ptr
> 172.217.17.14
Server:  dns.google
Address:  8.8.8.8
Non-authoritative answer:
14.17.217.172.in-addr.arpa      name = mad07s09-in-f14.1e100.net

If we want to have the network domain info back in our GA reports we’ll just need to parse the hostname of the PTR for grabing just the root domain, on this last case it would be: 1e100.net .

I wouldn’t advise about tracking to full ptr hostname for 2 reasons: First mosts of hostname are a mix of the IP address + a the ISP domain which will be agains the GDPR ( we cannot record the user’s IP address ) and also it will create a high cardinality which won’t help on analyzing the data.

Now, remember that we were building and endpoint in PHP to get the ASN details, just some more lines of data would allow to have the network domain pushed into our datalayer! 🙂

$ip_ptr = gethostbyaddr('8.8.8.8');

Dealing with getting the root domains, can be a pain task due to all the new domain tlds and needing to have in mind the third level tlds. In case you want to have this done easily you can use the following PHP library https://github.com/utopia-php/domains , which will let you grab the “registable” domain name within a hostname

require_once '../vendor/autoload.php';
use Utopia\Domains\Domain;
// demo.example.co.uk
$domain = new Domain('demo.example.co.uk');
$domain->get(); // demo.example.co.uk
$domain->getTLD(); // uk
$domain->getSuffix(); // co.uk
$domain->getRegisterable(); // example.co.uk
$domain->getName(); // example
$domain->getSub(); // demo
$domain->isKnown(); // true
$domain->isICANN(); // true
$domain->isPrivate(); // false
$domain->isTest(); // false

I’m providing the example in PHP language, but it doesn’t mean you have to use it at all, this code/idea can be developed on almost any server-side language you may be using. In the last instance you run a small VM or VPS to have a PHP environment where you can host your endpoint :).

Despite you being a SEO or not, I’m sure you’re aware of how important the WPO ( Web Performance Optimization ) and this of includes of course how fast your site loads. The faster it loads the better for your users ( and better for the conversion rates they say … ).

At this point you may have heard about HTTP/2 (2015) , which the replacement for the oldie HTTP/1.1 ( 1995) , you have even heard about http/3 ( last draft Feb 2020 ), which is ever a more modern Hypertext Transfer Protocol, witch runs over QUIC transport layer protocol and that now run over UDP instead of TCP.

Ok, I know all this may be too much unneeded technical details, but I found some clients that may have some different websites/servers, and they need to track their sites performs

Sooo, this time we’re going to learn how to track the request protocol version using for loading the current page and pushing it back to Google Analytics as a Custom Dimension.

We’ll need to create the following Custom JavaScript Variable in Google Tag Manager, We’ll be using it later in our Google Analytics Tags.

// getProtocolVersion()
function(){
    // Search on performance API for the navigation type entry and grab the info if available
    if(window.performance && window.performance.getEntriesByType("navigation") && window.performance.getEntriesByType("navigation").length > 0 && window.performance.getEntriesByType("navigation")[0].nextHopProtocol){
        return window.performance.getEntriesByType("navigation")[0].nextHopProtocol;        
    // This is deprecated on Chrome, but better checking in in case performance fails :)    
    }else if(window.chrome && window.chrome.loadTimes() && window.chrome.loadTimes().connectionInfo){
        return window.chrome.loadTimes().connectionInfo;        
    }else{
        // If nothing is available let's record the Scheme
        return document.location.protocol ? document.location.protocol.match(/[^:]*/)[0] : "(not set)";
    }
}

This piece of code mainly relies on the window.performance API from the browser, If it’s not available for any reason ( old browsers ) , a (not -set) will be set. ( NOTE: There’s a deprecated API in Chrome Browers: chrome.loadTimes(), that we’ll be checking in case performance is not available ).

What we do is checking for the “navigation” type entry in the performance API. Since we just need to know the main html request protocol details. ( the request that contains our HTML source )

After that we should be able to see the info in the preview mode, check the following screenshot:

Now we just need to create a new custom dimension index ( hit scope ) and map the value to this newly created variable. Or pass it as a Parameter to the page_view event if you’re already using APP+WEB Properties

This is going to be a quick post about how to track in-app visits from Android devices.

When an Android App opens a website in a webview ( in-app visit ), the visit usually comes with an special referrer, It does start with “android-app” referrer string, here you can see a log line about how the referrers comes up.

77.XXX.XXX.XXX - - [20/Mar/2020:11:20:10 +0000] "GET /in-app-test HTTP/1.0" 200 1580 "android-app://org.telegram.messenger" "Mozilla/5.0 (Linux; Android 10; GM1913) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Mobile Safari/537.36"

Since this is a non standard referrer format (it doesn’t start with http), we could easily detect these visit with these rules:

• It doesn’t start with “http”
• It isn’t an empty value

Refer to the following trigger for Google Tag Manager:

This will only fire on the landing page ( subsequents pageviews will have a referrer starting with http ),then we’ll just have an event per session, We could for example fire a non-interactional event to Google Analytics.

And, then the events will start showing up in the real-time reports,

We could also calculate this within a Custom Variable in Google Tag Manager , and use it to force the visit attribution if needed, since Google Analytics will ignore the non-standard referrers and reports them as Direct Traffic.

function(){
  if (!document.referrer.match(/^http.*/) && !document.referrer.match(/^$/)){
      return document.referrer;
  }  
}

Before someone asks it’s not possible to detect the in-app visits from iOS afaik, and this won’t help on tagging these apps that open up a link into an standalone browser (like Whatsapp does).

Also I’m not 100% sure that all Android versions/apps will report thing the same way, but it seems to be common on latests android versions and major apps.

NOTE: I want to start this post with a big disclaimer over it I’m not publishing it in order to tell anyone how they should be doing the Google Analytics tracking to comply with the GDPR / CCPA .

The goal of this post being able to start an open discussion about the reliability of this exposed method and any final decision should be taken the site owners under their own responsability.

One of biggest issues I ( my clients ) are hitting when implementing a hard “cookies-consent wall” is that they would likely lost all the attribution info for at least all the people that bounces. Which can be a disaster if you use Google Analytics for reporting about how your investments in marketing are working. ( not to mention that losing the info about pageviews, sessions, for all that many amount of traffic ).

Let me show you my proposal for setting up Google Analytics for when the users didn’t yet selected an option for their cookies preferences:

Then, what are we doing here:

• If the current user didn’t yet selected his preference, we’ll be launching a pageview hit to Google Analytics
• This is not an standard hit/tracker initialization. It’s a stateless tracker with all the cookies writing disabled, the IP Anonymization enabled and with the AdsFeatures forcely set to false.

if (!userConsent) {
  ga('create', 'UA-123123123-123', 'auto', {
    'storage': 'none',
    'storeGac': false,
    'anonymizeIp': true,
    'allowAdFeatures': false
  });
  // We'll save the current clientId into a variable,
  // if later on, the user gives it's consent, we'll be using 
  // to write the cookie
  ga('set', 'customTask', function(tracker) {
    window._gacid = tracker.get('clientId');
  });
  ga('send', 'pageview');
}

At this point when the user lands we’ll be launching a pageview in order to track that session start, but no cookie will be used ( if the users reloads a new clientId will be genarated ). If at some point the user accepts the cookies, we’ll write down the uses random-generated-clientId into the cookie and we’ll be able to properly track the user journey.

All the tracking happens ( imo ) in a first-party content, and we’re respecting the user privacy while we takes a decision. It’s just an extra “anonymized” session starting hit, that will allow to keep a vision from where our traffic is coming.

Of course after the user has choosen not to be tracked, so this should only be used while our “consent-cookie” is not present, from that point on, we should obey to what our cookies states.

I really feel this respects the GDPR since there won’t be any cookies if the users doesnt’ explicitly allow it, and we’ re taking extra steps to protects the user privacy in all other ways we can when sending the hit.

In any case, I’m not a lawer nor an expert on user-privacy, so I’d love to have feedback from other people on this.

DISCLAIMER: This post in NOT mean to show a law-approved way to use Google Analytics. Please get a proper advise from an user-privacy expert or from your lawer before implementing your tracking the way is showed on this post.

It has been a hard week with all these vendors announcing the Four Hoursemen of the Cookies Apocalypse arrival.

There’re a lot of changes coming when we talk about cookies ( 1st, 3rd party ), ITP, GDPR, CCPA,etc . I understand it may be a terrible headache for anyone but we need to keep some calm.

Last update has came from Google Chrome, which was expected to start blocking the cookies not containing the sameSite attribute on 4th February. Luckily they have postponed around 2 weeks ( for now ).

One of the main concerns about this latests Chrome update 80 is that it’s not up to us to fix things ( or it is? ). If a cookie is being set via JS, that JS owner is the one in charge for setting the cookie properly. So we may expect some old libraries not being updated on time, or some vendors not even caring about taking care of this properly.

In order to deal with the sameSite switch for cookies, I’m releasing today a JS snippet that will hook in the document.cookie execution flow and will take care of two main tasks:

• Reporting all the cookies that are not setting the sameSite value properly ( remember they need to have the sameSite and the Secure switches )
• If we decide to turn it on, the script will be able to automatically add sameSite and Secure parameters automatically!

The script I’m sharing will take care reporting on the window.load event a list of cookies that didn’t either set the sameSite or the Secure switches for the cookies, and will also report the cookie name, if the cookie setting has been autofixed and the original and fixed cookie setting string.

{
'event': 'samesite-cookies-report',
'cookiesList': [{
                            'cookieName': {{cookie.name}},
                            'cookieSameSite': {{cookie.secure}},
                            'cookieSecure': {{cookie.sameSite}},
                            'autofixed': {{autoFix}},
                            'originalCookieString': {{cookie.string}},
                            'fixedCookieString': {{cookie.fixedString}}
}]
}

Then based on the samesite-cookies-report event on Google Tag Manager you could push this details as an event to Google Analytics or report it to anywhere else.

Main point of this script is being able to monitorize any cookie being set somewhere in our website, so we can contact their stakeholder to have it fixed as soon as posible

(function() {
  try {
    // Set this to true if you want to automatically add the sameSite attribute        
    var autoFix = false;
    var cookiesReportList = [];

    // Detecting if the current browser is a Chrome >=80
    var browserDetails = navigator.userAgent.match(/(MSIE|(?!Gecko.+)Firefox|(?!AppleWebKit.+Chrome.+)Safari|(?!AppleWebKit.+)Chrome|AppleWebKit(?!.+Chrome|.+Safari)|Gecko(?!.+Firefox))(?: |\/)([\d\.apre]+)/);
    var browserName = browserDetails[1];
    var browserVersion = browserDetails[2];
    var browserMajorVersion = parseInt(browserDetails[2].split('.')[0]);

    // We only want to hook the cookie behavior if it's Chrome +80 
    if (browserName === 'Chrome' && browserMajorVersion >= 80) {
      var cookie_setter = document.__lookupSetter__('cookie');
      var cookie_getter = document.__lookupGetter__('cookie');

      Object.defineProperty(document, "cookie", {
        get: function() {
          return cookie_getter.apply(this, arguments);
        },
        set: function(val) {
          var cookie = {
            name: '',
            sameSite: false,
            secure: false,
            parts: val.split(';'),
            string: val
          }
          cookie.parts.forEach(function(e, i) {
            var key = e.trim();
            cookie.parts[i] = e.trim();
            if (i === 0) {
              cookie.name = key.split('=')[0];
            }
            if (key.match(/samesite/)) {
              cookie.sameSite = true;
            }
            if (key.match(/secure/)) {
              cookie.secure = true;
            }
          });
          if (cookie.sameSite === false || cookie.secure === false) {
            if (autoFix === true && document.location.protocol==="https:") {
              if (arguments[0][arguments[0].length - 1]) {
                arguments[0] = arguments[0].substring(0, arguments[0].length - 1);
              }
              if (cookie.sameSite === false) {
                arguments[0] = arguments[0] + '; sameSite=None';
              }
              if (cookie.secure === false) {
                arguments[0] = arguments[0] + '; secure';
              }
            }
            cookiesReportList.push({
              'cookieName': cookie.name,
              'cookieSameSite': cookie.sameSite,
              'cookieSecure': cookie.secure,
              'autofixed': autoFix,
              'originalCookieString': cookie.string,
              'fixedCookieString': arguments[0]
            });
          }
          return cookie_setter.apply(this, arguments);
        }
      });
    }
    window.addEventListener('load', function(event) {
      dataLayer.push({
        'event': 'samesite-cookies-report',
        'cookiesList': cookiesReportList
      });
    });
  } catch (err) {}
})();

On the top of code you may see the following line:

var autoFix = false;

ok, if we change this to true, the script will automatically take care of accordingly adding the missing parts 🙂

One of the things to have in mind is that we need this code to be run as soon as possible on the page execution flow, so if we’re setting this via GTM, we’ll need to setup this tag to fire on the first event on the page ( most of time will be “All Pages ), and give it some extra priority:

WARNING: If you only plan to use this script as a reporting tool you can stay safe. If you plan to use the autofixing feature, please have in mind that I only tested in some sites of mine, so it’s your liability to properly setting and testing it up in your site before going live.

If you’re really interested on knowing more about how cookies are updating their behaviour to protect the users privacy, best place is https://www.cookiestatus.com/ . A site where my friend Simo is collecting all the info about almost all the mainstream browsers out there.