User story
As a publisher using Osano as its consent management platform, I want Trusted Server to read the visitor's Osano consent choices at the edge so that Edge Cookie generation, withdrawal, and auction identity behavior honor the user's consent state.
Problem
Trusted Server's consent pipeline currently reads request-visible standard consent signals:
euconsent-v2__gpp__gpp_sidus_privacySec-GPC
Osano exposes consent in the browser through window.Osano.cm and the IAB APIs (__tcfapi, __uspapi, __gpp), but some Osano deployments persist consent primarily in Osano-managed browser storage and do not automatically write the standard cookies Trusted Server reads on the next request.
That creates a transport gap: the browser has a valid CMP decision, but the edge request may not include a consent cookie. In regulated jurisdictions, Trusted Server then fails closed and skips EC creation even after the user has made an allowed choice. Conversely, explicit opt-out/withdrawal choices need to be transported to the edge so an existing EC cookie can be expired and tombstoned.
Proposed solution
Build a JS-only Osano integration modeled after the existing Sourcepoint consent mirror:
- Initialize when
window.Osano.cm is available.
- Listen for Osano consent lifecycle events, including saved/new consent and returning-consent initialization.
- Read IAB-compatible signals from Osano's browser APIs:
__uspapi('getUSPData', 1, ...) for US Privacy string.__gpp('ping', ...) for GPP string and applicable sections when ready.__tcfapi('getTCData', 2, ...) for GDPR/TCF consent when applicable.
- Mirror those values into first-party standard cookies for the next request:
us_privacy=<uspString>__gpp=<gppString>__gpp_sid=<comma-separated applicable section IDs>euconsent-v2=<tcString> when a TCF TC string is present
- Use a Trusted Server marker cookie, similar to
_ts_gpp_src=sp, so the Osano mirror only updates or clears cookies it owns and does not clobber another CMP's values.
- Keep the mirror bounded and fail-safe: if Osano or an IAB API is unavailable/not ready, do not fabricate consent; retry briefly and then wait for future Osano events/focus/visibility refresh.
Acceptance criteria
- A new Osano JS integration mirrors Osano consent to standard cookies readable by Trusted Server.
- US no-opt-out state results in
us_privacy indicating no sale opt-out, allowing EC generation on subsequent eligible requests.
- US opt-out state results in
us_privacy indicating sale opt-out, blocking EC generation and allowing existing EC withdrawal handling to run.
- GDPR/TCF state mirrors
euconsent-v2 when a TC string is available.
- GPP state mirrors
__gpp and __gpp_sid only when the GPP API reports a ready signal with a non-empty string.
- The integration preserves consent cookies written by another CMP unless a Trusted Server Osano marker indicates ownership.
- Unit tests cover accept, deny/opt-out, unavailable API, not-ready GPP, marker ownership, and clearing stale Osano-owned cookies.
- No real publisher domains, customer names, or production config values are added to tests, docs, or examples.
Affected area
- Integrations (prebid, lockr, permutive, etc.)
- Core (Edge Cookies, GDPR)
- JS build pipeline
User story
As a publisher using Osano as its consent management platform, I want Trusted Server to read the visitor's Osano consent choices at the edge so that Edge Cookie generation, withdrawal, and auction identity behavior honor the user's consent state.
Problem
Trusted Server's consent pipeline currently reads request-visible standard consent signals:
euconsent-v2__gpp__gpp_sidus_privacySec-GPCOsano exposes consent in the browser through
window.Osano.cmand the IAB APIs (__tcfapi,__uspapi,__gpp), but some Osano deployments persist consent primarily in Osano-managed browser storage and do not automatically write the standard cookies Trusted Server reads on the next request.That creates a transport gap: the browser has a valid CMP decision, but the edge request may not include a consent cookie. In regulated jurisdictions, Trusted Server then fails closed and skips EC creation even after the user has made an allowed choice. Conversely, explicit opt-out/withdrawal choices need to be transported to the edge so an existing EC cookie can be expired and tombstoned.
Proposed solution
Build a JS-only Osano integration modeled after the existing Sourcepoint consent mirror:
window.Osano.cmis available.__uspapi('getUSPData', 1, ...)for US Privacy string.__gpp('ping', ...)for GPP string and applicable sections when ready.__tcfapi('getTCData', 2, ...)for GDPR/TCF consent when applicable.us_privacy=<uspString>__gpp=<gppString>__gpp_sid=<comma-separated applicable section IDs>euconsent-v2=<tcString>when a TCF TC string is present_ts_gpp_src=sp, so the Osano mirror only updates or clears cookies it owns and does not clobber another CMP's values.Acceptance criteria
us_privacyindicating no sale opt-out, allowing EC generation on subsequent eligible requests.us_privacyindicating sale opt-out, blocking EC generation and allowing existing EC withdrawal handling to run.euconsent-v2when a TC string is available.__gppand__gpp_sidonly when the GPP API reports a ready signal with a non-empty string.Affected area