by hnbad 650 days ago
These require consent if, for example, they involve the use of a third-party service. Setting a first-party dark mode cookie does not require opting in even if it's "non-essential". It does however require disclosure.

The jury's also still out to what degree third-party cookies need to be disclosed in detail (e.g. whether you really need to keep track of the dozens of cookies Google Maps or YouTube sets or whether you can just refer to their privacy policy for the details). But embeds for YouTube, Twitter, Facebook or Google Maps, or the use of Google Fonts or the use of third-party CDNs for non-essential functionality definitely do require consent (i.e. opt in).

1 comments

I’m wondering if those embeds would work in an `<iframe sandbox="allow-scripts" />`. This prevents them from reading/writing cookies, but everything else should work fine.
I don't see how that fixes anything as your browser is transmitting PII simply by fetching the iframe content. The sandbox only limits what they can do client-side, they still get to see your IP and user agent.