Patch release. Fixes LiteSpeed Cache JS Combine compatibility issue that could prevent the consent banner from rendering. Adds automatic optimizer exclusions for LiteSpeed, WP Rocket, Autoptimize, and FlyingPress.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3554198,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3554198,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3554078,"resolution":"1544x500","location":"assets","locale":"","width":2081,"height":756},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3554078,"resolution":"772x250","location":"assets","locale":"","width":2203,"height":714}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.9.10","1.9.11","1.9.12","1.9.8","1.9.9"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3554110,"resolution":"1","location":"assets","locale":"","width":1200,"height":601},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3554110,"resolution":"2","location":"assets","locale":"","width":1200,"height":693},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3554110,"resolution":"3","location":"assets","locale":"","width":1200,"height":710},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3554110,"resolution":"4","location":"assets","locale":"","width":1200,"height":669},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3554110,"resolution":"5","location":"assets","locale":"","width":525,"height":828},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3554110,"resolution":"6","location":"assets","locale":"","width":525,"height":683},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3554110,"resolution":"7","location":"assets","locale":"","width":525,"height":853}},"screenshots":[]},"plugin_section":[],"plugin_tags":[20011,20272,131785,234433,396],"plugin_category":[54],"plugin_contributors":[264974],"plugin_business_model":[],"class_list":["post-318207","plugin","type-plugin","status-publish","hentry","plugin_tags-consent","plugin_tags-cookie-banner","plugin_tags-gdpr","plugin_tags-google-consent-mode","plugin_tags-privacy","plugin_category-security-and-spam-protection","plugin_contributors-danjed","plugin_committers-danjed"],"banners":{"banner":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/banner-772x250.png?rev=3554078","banner_2x":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/banner-1544x500.png?rev=3554078","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/icon-128x128.png?rev=3554198","icon_2x":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/icon-256x256.png?rev=3554198","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/screenshot-1.png?rev=3554110","caption":""},{"src":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/screenshot-2.png?rev=3554110","caption":""},{"src":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/screenshot-3.png?rev=3554110","caption":""},{"src":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/screenshot-4.png?rev=3554110","caption":""},{"src":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/screenshot-5.png?rev=3554110","caption":""},{"src":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/screenshot-6.png?rev=3554110","caption":""},{"src":"https:\/\/ps.w.org\/cookr-cookie-consent-script-blocking\/assets\/screenshot-7.png?rev=3554110","caption":""}],"raw_content":"\n
GDPR cookie consent with real script blocking.<\/p>\n\n
Block Google Analytics, Google Tag Manager, Meta Pixel, Hotjar, YouTube embeds, and other third-party services before they reach the browser.<\/p>\n\n
Unlike JavaScript-based consent tools, blocked scripts never reach the browser at all.<\/p>\n\n
Most cookie consent plugins display a banner and rely on JavaScript to stop tracking scripts. In many cases, those scripts can begin loading before the visitor has made a choice.<\/p>\n\n
COOKR takes a different approach.<\/p>\n\n
Scripts are blocked server-side before page delivery. Third-party services cannot execute until consent is explicitly granted. This helps website owners meet GDPR and TTDSG requirements more reliably.<\/p>\n\n
Avoids the client-side race conditions common to JavaScript-only consent tools. No script guessing. No \"hope it loads in time.\"<\/p>\n\n
Consent enforcement instead of consent theatre.<\/p>\n\n
\u2713 Server-side script blocking \u2014 blocked before the browser receives them\n\u2713 Google Consent Mode v2 support\n\u2713 No external consent cloud\n\u2713 No proxy infrastructure\n\u2713 No visitor data sent to third parties\n\u2713 Works entirely on your WordPress installation<\/p>\n\n
Built for site owners, agencies, and developers who want real GDPR cookie consent enforcement.<\/p>\n\n
COOKR CORE includes:<\/p>\n\n
window.cookrConsent<\/code>)<\/li>\n- Self-hosted operation \u2014 no external services required<\/li>\n<\/ul>\n\n
COOKR RADR additionally includes:<\/p>\n\n
\n- Privacy Radar \u2014 runtime detection and classification of third-party services<\/li>\n
- Enforcement Verification Framework \u2014 structured protocol for proving enforcement claims<\/li>\n
- Compatibility Matrix \u2014 tested stack database with VERIFIED\/PARTIAL\/UNKNOWN\/FAILED states<\/li>\n
- Automatic optimizer exclusions \u2014 LiteSpeed, WP Rocket, Autoptimize, FlyingPress<\/li>\n
- Curated signature database with automatic weekly updates<\/li>\n<\/ul>\n\n
How It Works<\/h4>\n\n
COOKR intercepts scripts in the PHP output buffer using WP_HTML_Tag_Processor<\/code> before delivery to the browser. Matching script and iframe tags are neutralised server-side and restored only after the visitor grants consent.<\/p>\n\nThere is no client-side race condition because blocking happens before the browser receives the page.<\/p>\n\n
Auto-Blocker<\/h4>\n\n
Enable in Settings. Off by default.<\/p>\n\n
When enabled, COOKR rewrites matching script tags and iframe tags server-side \u2014 setting type=\"text\/plain\"<\/code> and preserving original attributes in data-cookr-*<\/code> attributes for restoration after consent.<\/p>\n\nTest after enabling when using WP Rocket, LiteSpeed Cache, NitroPack, or Cloudflare Rocket Loader.<\/p>\n\n
Runtime Inspector<\/h4>\n\n
The Runtime Inspector exposes third-party runtime activity directly in the browser \u2014 blocked scripts, restored services, iframe activity, detected domains.<\/p>\n\n
Enable in Settings. Append ?cookr_debug=1<\/code> to any frontend URL while logged in as administrator.<\/p>\n\nCSP-aware<\/h4>\n\n
COOKR supports strict Content Security Policies without requiring unsafe-inline<\/code>.<\/p>\n\nRestored scripts preserve CSP integrity via automatic nonce propagation. COOKR reads the nonce WordPress assigns to enqueued scripts at request time and passes it to restored scripts \u2014 no manual configuration required.<\/p>\n\n
Developer JS API<\/h4>\n\ncookrConsent.has('analytics')\ncookrConsent.require('marketing', callback)\ncookrConsent.whenConsented('analytics').then(fn)\ncookrConsent.on('consent' | 'change' | 'decline' | 'reset', handler)\ncookrConsent.off(event, handler)\ncookrConsent.getConsent()\ncookrConsent.getExpiry()\ncookrConsent.categories()\ncookrConsent.reset()\n<\/code><\/pre>\n\nConsent Categories<\/h4>\n\n\n- Necessary<\/strong> \u2014 Always active.<\/li>\n
- Analytics<\/strong> \u2014 GA, GTM, Matomo, Hotjar, Clarity, etc.<\/li>\n
- Marketing<\/strong> \u2014 Meta Pixel, Google Ads, TikTok, LinkedIn, etc.<\/li>\n
- External Media<\/strong> \u2014 YouTube, Vimeo, Google Maps, etc.<\/li>\n<\/ul>\n\n
Does COOKR require an external cloud service?<\/h4>\n\n
No. COOKR runs entirely on your WordPress installation.<\/p>\n\n
Does visitor consent data leave the server?<\/h4>\n\n
No. Consent data is stored locally on your site.<\/p>\n\n
Is the Auto-Blocker enabled by default?<\/h4>\n\n
No. Enable and test it after installation, particularly when using caching or JavaScript optimization plugins.<\/p>\n\n
Which services can be blocked?<\/h4>\n\n
Any third-party script or iframe matching configured domains. Examples: Google Tag Manager, Meta Pixel, YouTube embeds, TikTok Analytics.<\/p>\n\n
Does COOKR support Google Consent Mode v2?<\/h4>\n\n
Yes. Enable in settings when using GTM or GA4.<\/p>\n\n
How do I inspect runtime activity?<\/h4>\n\n
Enable the Runtime Inspector in settings and append ?cookr_debug=1<\/code> to any frontend URL while logged in as administrator.<\/p>\n\nDoes COOKR store personal data?<\/h4>\n\n
The consent log stores a hashed IP (not the raw IP address), consent choices, and a timestamp. The raw IP address is never stored.<\/p>\n\n
Is COOKR compatible with strict CSP?<\/h4>\n\n
Yes. COOKR automatically reads the nonce WordPress assigns to enqueued scripts and passes it to restored scripts, preserving compatibility with strict-dynamic<\/code> CSP policies. No manual configuration is required.<\/p>\n\nWill COOKR work with caching plugins such as LiteSpeed Cache, WP Rocket, or Cloudflare?<\/h4>\n\n
Yes, but always test after enabling script optimization features such as JavaScript combine, defer, delay, or Rocket Loader. COOKR performs script blocking server-side, but aggressive optimization plugins may alter script delivery and should be verified on your site.<\/p>\n\n
RADR v1.9.8 adds automatic exclusion filters for LiteSpeed Cache, WP Rocket, Autoptimize, and FlyingPress \u2014 COOKR registers itself as excluded from JS combination pipelines automatically.<\/p>\n\n
Does COOKR require HTTPS?<\/h4>\n\n
Yes. COOKR requires HTTPS for consent state to persist correctly across page loads. Modern browsers restrict cookie behaviour on HTTP origins \u2014 on HTTP, the consent cookie may not persist, causing the banner to reappear on every page load. HTTPS is also a legal recommendation under GDPR for any site collecting consent.<\/p>\n\n
What WordPress version is required?<\/h4>\n\n
WordPress 6.2 or higher. COOKR uses WP_HTML_Tag_Processor<\/code> for safe, attribute-aware script rewriting, introduced in WP 6.2.<\/p>\n\nExternal Services<\/h3>\n\n
This plugin does not connect to any external service by default.<\/p>\n\n
The auto-blocker contains a built-in list of known third-party domains (such as googletagmanager.com, connect.facebook.net, maps.googleapis.com, etc.) that is used purely as a local reference to identify and block scripts before consent. No data is sent to these domains by this plugin \u2014 the list is pattern-matching data stored locally in the plugin code.<\/p>\n\n\n
1.9.15<\/h4>\n\n\n- Fixed CORE packaging: the build script was incorrectly stripping
assets\/cookr-debug.js<\/code> (the Debug Inspector script) from CORE builds, despite Debug Inspector being a documented, default-on feature in both CORE and RADR. CORE builds now correctly include this file. No functional change to this codebase itself \u2014 RADR was never affected, since it has always included the file directly from source<\/li>\n<\/ul>\n\n1.9.14<\/h4>\n\n\n- Fixed banner overflowing the viewport edge on mobile (\u2264480px):
#cookr-banner<\/code> had no explicit box-sizing<\/code>, so the mobile layout's width: 100%<\/code> plus the banner's existing border was rendered as 100vw + border-width<\/code>, causing the banner to extend ~2px past the right edge of the screen. Added box-sizing: border-box<\/code> to the shared #cookr-banner, #cookr-reopen<\/code> rule so the banner's total rendered width exactly matches the viewport on mobile. No visual change on desktop (320px fixed-width banner)<\/li>\n<\/ul>\n\n1.9.13<\/h4>\n\n\n- Fixed missing CSS for the disabled \"Sync with active theme\" (Theme Sync) field in the admin dashboard: when Scoped Banner Styling (custom CSS \/ a built-in preset) is active, JavaScript already added a
cookr-accent--disabled<\/code> class and an \"Overridden by Scoped Banner Styling\" message to the Theme Sync field \u2014 matching the existing accent-colour picker behaviour \u2014 but admin.css<\/code> only styled this disabled state for the accent field, not the Theme Sync field. The font pills remained fully clickable and visually normal with no indication that font sync was inactive. The disabled-state styling (38% opacity, disabled pointer events, override message) now applies to both fields<\/li>\n- No functional change to font sync itself \u2014 fonts synced from the active theme still only apply to the live banner when no custom CSS\/preset is active (custom CSS retains full control of typography by design). This fix makes that existing, correct behaviour visible and understandable in the admin UI<\/li>\n<\/ul>\n\n
1.9.12<\/h4>\n\n\n- Fixed COOKR CRAZE built-in preset: the minimised (reopen) button was unstyled and the preferences-panel toggle switches showed the site's global accent colour (could be any colour, including red) instead of the preset's green \u2014 the preset never set
--cookr-accent<\/code>, so cookr.css<\/code>'s defaults for #cookr-reopen<\/code> and .cookr-switch input:checked + .cookr-slider<\/code> (both driven by var(--cookr-accent)<\/code>) fell through to the global accent_color setting<\/li>\n- Added
#cookr-banner, #cookr-reopen { --cookr-accent: #00ff88; }<\/code> and #cookr-reopen svg rect { fill: #000000; stroke: #00ff88; }<\/code> to the preset \u2014 toggle switches and the reopen pill\/dot now render in the preset's black\/green theme regardless of the global accent colour setting<\/li>\n- Fixed admin preview panel loading spinner:
@keyframes cookr-spin<\/code> only animates transform: rotate()<\/code>, but the spinner's centering also used transform: translate(-50%, -50%)<\/code> \u2014 animating transform<\/code> between an implicit translate(...)<\/code> start and a rotate(360deg)<\/code> end produced a visible jump\/skip instead of a clean spin. Centering now uses top\/left + negative margin<\/code>, leaving transform<\/code> free for rotation only<\/li>\n- Made the admin preview banner fully static \u2014 removed the cosmetic preferences-panel click handler, and the preview banner \/ reopen button no longer respond to hover or click (
pointer-events: none<\/code>). The preview is a visual reference only, not an interactive demo<\/li>\n- Fixed a critical non-idempotency bug in the custom CSS sanitiser (
cookr_scope_css<\/code>): every settings save re-sanitises the currently saved<\/em> value (the textarea is repopulated with the previously-scoped output), but the selector-mirroring logic was not idempotent \u2014 an already-mirrored selector like #cookr-banner .cookr-inner<\/code> would itself pass the #cookr-\/.cookr- prefix check and get re-added on each save, and the .cookr-title svg<\/code> icon-colour helper would re-fire for both a selector and its mirror, with both copies persisting forward. On real-world installs this had compounded over repeated saves into 150+ duplicate copies of some rules and a single selector list repeated 18 times, ballooning the saved CSS to 220KB. Selectors within each rule and the full set of emitted rules are now deduplicated (exact-string, order-preserving), making the sanitiser idempotent \u2014 re-saving now reproduces the same output instead of growing it. Existing bloated saved CSS will collapse back to its correct minimal form on the next save<\/li>\n<\/ul>\n\n1.9.11<\/h4>\n\n\n- Fixed critical bug in custom CSS sanitiser (
cookr_scope_css<\/code>): a CSS comment placed directly above a rule (e.g. \/* Buttons *\/<\/code> followed by .cookr-btn { ... }<\/code>) caused the comment text to be parsed as part of the selector, failing the #cookr-\/.cookr-\/:root prefix check and silently dropping the entire rule with no error shown to the admin<\/li>\n- CSS comments are now stripped before selector parsing \u2014 fixes silent loss of
:root<\/code> accent overrides and any commented\/sectioned custom CSS<\/li>\n<\/ul>\n\n1.9.10<\/h4>\n\n\n- Added font detection for classic themes that load fonts via enqueued stylesheets (e.g. Kadence default installs) \u2014 previously only customizer-saved typography and block-theme theme.json fonts were detected<\/li>\n
- New detection path parses Google Fonts and Bunny Fonts family names from registered stylesheets on the frontend, cached in a 6-hour transient, invalidated on theme switch<\/li>\n
- Confirmed
Update URI<\/code> header (added in 1.9.9) correctly prevents WordPress.org from offering false update notices on RADR installs<\/li>\n<\/ul>\n\n1.9.9<\/h4>\n\n\n- Fixed banner close behaviour \u2014 added state-aware close button always visible in banner<\/li>\n
- Fixed Escape key \u2014 now follows same state-aware dismiss logic as close button<\/li>\n
- No consent overwrite when closing with stored consent and no unsaved changes<\/li>\n
- Prompts before discarding unsaved preference changes (native confirm dialog)<\/li>\n<\/ul>\n\n
1.9.8<\/h4>\n\n\n- Fixed LiteSpeed Cache JS Combine compatibility \u2014 cookrConfig inline block now isolated to a dedicated script handle, preventing third-party inline errors from aborting COOKR initialisation<\/li>\n
- Added automatic JS exclusion filters for LiteSpeed Cache, WP Rocket, Autoptimize, and FlyingPress \u2014 COOKR registers itself as excluded from JS combination pipelines automatically<\/li>\n
- Updated compatibility matrix schema \u2014 added protocol, protocol_version, test_payload, verification_method, special_checks fields across all entries<\/li>\n
- Recorded first VERIFIED enforcement baseline: WordPress Core, Protocol v1.0, all six test cases passed<\/li>\n
- Recorded LiteSpeed Cache JS Combine finding: FAIL without exclusion, PASS with automatic exclusion<\/li>\n<\/ul>\n\n
1.9.7<\/h4>\n\n\n- Fixed PHP notice in auto-blocker iframe rewrite handling<\/li>\n
- Fixed blocked-status reporting for detected domains<\/li>\n
- Fixed consent log rate-limit bypass edge case<\/li>\n
- Fixed missing policy_version storage in consent records<\/li>\n
- Fixed remote signature update setting persistence<\/li>\n
- Fixed language switcher save-state detection<\/li>\n
- Added full-consent buffer shortcut optimization<\/li>\n<\/ul>\n\n
1.9.6<\/h4>\n\n\n- Compliance improvements for WP.org review<\/li>\n
- Removed generic CDN entries from auto-blocker allowlist<\/li>\n
- Export uses explicit allowlist for safe settings only<\/li>\n
- Build tooling improvements<\/li>\n<\/ul>\n\n
1.9.5<\/h4>\n\n\n- WordPress.org review and compliance-related improvements<\/li>\n
- Internal maintenance and review-related updates<\/li>\n<\/ul>\n\n
1.9.2<\/h4>\n\n\n- Initial public CORE release<\/li>\n
- 3\u00d73 visual position picker replaces dropdown<\/li>\n
- Accent colour now applies to banner icon and buttons in preview<\/li>\n
- Auto-Blocker wording updated \u2014 recommended framing, test-after-enable guidance<\/li>\n
- Runtime Inspector enabled by default<\/li>\n
- Preserve data on uninstall enabled by default<\/li>\n
- Consent log default retention reduced to 100 entries<\/li>\n
- COOKR CRAZE built-in CSS preset<\/li>\n<\/ul>\n\n
1.8.2<\/h4>\n\n\n- Added: Runtime Inspector \u2014 detects unknown third-party script and iframe domains at runtime<\/li>\n
- Added: Persistent findings stored per domain (first seen, last seen, page count)<\/li>\n
- Added: Runtime Inspector toggle with configurable auto-disable duration<\/li>\n<\/ul>\n\n
1.2.0<\/h4>\n\n\n- Added: Google Consent Mode v2<\/li>\n
- Added: debug inspector<\/li>\n
- Added: browser chrome preview in admin dashboard<\/li>\n<\/ul>\n\n
1.1.0<\/h4>\n\n\n- Plugin renamed from GDPR Cookie Consent to COOKR<\/li>\n
- Added: WP_HTML_Tag_Processor for safe, attribute-aware script rewriting<\/li>\n
- Added: CSP nonce propagation<\/li>\n<\/ul>\n\n
1.0.0<\/h4>\n\n\n- Initial release<\/li>\n<\/ul>","raw_excerpt":"GDPR cookie consent with server-side script blocking. Prevent Google Analytics, GTM, Meta Pixel and third-party embeds from loading before consent.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/318207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=318207"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/danjed"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=318207"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=318207"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=318207"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=318207"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=318207"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=318207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}