Script Blocking
CookieBoss can prevent third-party scripts from executing until the visitor consents to the relevant cookie category. This is the most reliable way to ensure GDPR compliance.
How it works
- You add
data-cookieboss-categoryandtype="text/plain"to scripts you want to block - CookieBoss reads these attributes and keeps scripts blocked until consent is given
- When the visitor consents, CookieBoss replaces the blocked scripts with executable versions
- A
MutationObserverwatches for dynamically-added scripts, blocking them too
Basic usage
Add two attributes to any script you want to control:
<!-- Before: uncontrolled script -->
<script src="https://example.com/analytics.js"></script>
<!-- After: blocked until analytics consent -->
<script
src="https://example.com/analytics.js"
type="text/plain"
data-cookieboss-category="analytics"
></script>The type="text/plain" prevents the browser from executing the script. CookieBoss changes it back to text/javascript when the visitor consents to the specified category.
Categories
Use these category values in data-cookieboss-category:
| Category | Use for |
|---|---|
analytics | Google Analytics, Plausible, Mixpanel, Hotjar |
marketing | Meta Pixel, Google Ads, LinkedIn Insight, TikTok Pixel |
functional | Chat widgets, video embeds, personalization tools |
Scripts with no data-cookieboss-category attribute are not blocked — they run normally.
The necessary category cannot be blocked. Scripts essential for your site to function should not have the data-cookieboss-category attribute.
Examples
Google Analytics
<script
async
src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"
type="text/plain"
data-cookieboss-category="analytics"
></script>
<script type="text/plain" data-cookieboss-category="analytics">
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-XXXXXXX');
</script>Meta (Facebook) Pixel
<script type="text/plain" data-cookieboss-category="marketing">
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'YOUR_PIXEL_ID');
fbq('track', 'PageView');
</script>HubSpot
<script
type="text/plain"
data-cookieboss-category="marketing"
id="hs-script-loader"
async
defer
src="//js.hs-scripts.com/YOUR_HUBSPOT_ID.js"
></script>Inline scripts
Inline scripts work the same way:
<script type="text/plain" data-cookieboss-category="functional">
// This code only executes after functional consent
initChatWidget({ apiKey: 'xxx' });
</script>Dynamic scripts
CookieBoss uses a MutationObserver to watch for scripts added to the DOM after page load (e.g. by other JavaScript). If a dynamically-inserted script has data-cookieboss-category, it will be blocked until consent is given.
Combine with Google Consent Mode
For Google tags specifically, you can use Google Consent Mode V2 instead of script blocking. GCM lets Google tags run in a restricted mode rather than blocking them entirely, which preserves conversion modeling.