COOKR – Cookie Consent & Script Blocking

Most consent plugins operate at the UI layer.

COOKR operates at the runtime layer.

Scripts are intercepted server-side before the browser receives them. Third-party services requiring consent are neutralized before execution and restored only after consent has been granted.

No external consent cloud. No proxy layer. No visitor data leaving your site.

COOKR CORE includes:

• Consent banner & preferences UI
• Server-side script interception via PHP output buffer
• Auto-Blocker for third-party scripts and iframes
• Runtime Inspector
• CSP-aware restoration with nonce propagation
• Google Consent Mode v2 support
• Full JavaScript API (window.cookrConsent)
• Self-hosted operation — no external services required

COOKR is designed for developers, agencies, and privacy-conscious site operators who want operational visibility into what actually executes at runtime.

Runtime-first

Traditional consent tools often rely on JavaScript execution order and client-side conditions. Scripts may already execute before consent logic initializes.

COOKR intercepts scripts in the PHP output buffer using WP_HTML_Tag_Processor before delivery to the browser.

There is no race condition.

Auto-Blocker

Enable in Settings. Off by default.

When enabled, COOKR rewrites matching script tags and iframe tags server-side — setting type="text/plain" and preserving original attributes in data-cookr-* attributes for restoration after consent.

Test after enabling when using WP Rocket, LiteSpeed Cache, NitroPack, or Cloudflare Rocket Loader.

Runtime Inspector

The Runtime Inspector exposes third-party runtime activity directly in the browser — blocked scripts, restored services, iframe activity, detected domains.

Enable in Settings. Append ?cookr_debug=1 to any frontend URL while logged in as administrator.

CSP-aware

COOKR supports strict Content Security Policies without requiring unsafe-inline.

Restored scripts preserve CSP integrity via automatic nonce propagation. COOKR reads the nonce WordPress assigns to enqueued scripts at request time and passes it to restored scripts — no manual configuration required.

Developer JS API

cookrConsent.has('analytics')
cookrConsent.require('marketing', callback)
cookrConsent.whenConsented('analytics').then(fn)
cookrConsent.on('consent' | 'change' | 'decline' | 'reset', handler)
cookrConsent.off(event, handler)
cookrConsent.getConsent()
cookrConsent.getExpiry()
cookrConsent.categories()
cookrConsent.reset()

Consent Categories

• Necessary — Always active.
• Analytics — GA, GTM, Matomo, Hotjar, Clarity, etc.
• Marketing — Meta Pixel, Google Ads, TikTok, LinkedIn, etc.
• External Media — YouTube, Vimeo, Google Maps, etc.

Does COOKR require an external cloud service?

No. COOKR runs entirely on your WordPress installation.

Does visitor consent data leave the server?

No. Consent data is stored locally on your site.

Is the Auto-Blocker enabled by default?

No. Enable and test it after installation, particularly when using caching or JavaScript optimization plugins.

Which services can be blocked?

Any third-party script or iframe matching configured domains. Examples: Google Tag Manager, Meta Pixel, YouTube embeds, TikTok Analytics.

Does COOKR support Google Consent Mode v2?

Yes. Enable in settings when using GTM or GA4.

How do I inspect runtime activity?

Enable the Runtime Inspector in settings and append ?cookr_debug=1 to any frontend URL while logged in as administrator.

Does COOKR store personal data?

The consent log stores a hashed IP (not the raw IP address), consent choices, and a timestamp. Raw IP addresses are never written to the database.

Is COOKR compatible with strict CSP?

Yes. COOKR automatically reads the nonce WordPress assigns to enqueued scripts and passes it to restored scripts, preserving compatibility with strict-dynamic CSP policies. No manual configuration is required.

What WordPress version is required?

WordPress 6.2 or higher. COOKR uses WP_HTML_Tag_Processor for safe, attribute-aware script rewriting, introduced in WP 6.2.

External Services

This plugin does not connect to any external service by default.

The auto-blocker contains a built-in list of known third-party domains (such as googletagmanager.com, connect.facebook.net, maps.googleapis.com, etc.) that is used purely as a local reference to identify and block scripts before consent. No data is sent to these domains by this plugin — the list is pattern-matching data stored locally in the plugin code.