Cookie Scout

Description

Cookie Scout helps you display a cookie banner, store consent and control scripts. The plugin can be used locally without an account. Advanced features can be enabled separately.

External services

This plugin communicates with third-party services only when a feature explicitly needs it, or when an administrator has turned that feature on. Below is what is used, why, what data is involved, and when it runs.

Cookie Scout API (dashboard.cookiescout.io)

  • What it is: The Cookie Scout account and configuration service.
  • What it is used for: Optional connected mode: authenticating the site owner, loading banner and policy configuration, blocking rules, categories, and (when enabled) recording consent events from the banner to your Cookie Scout account.
  • What data is sent: API requests may include your site URL, authentication token after you connect, banner or policy fields you save from the settings screens, and consent payloads (consent identifier, category choices, banner version reference, page URL, and language) when the visitor consents and connected mode is active.
  • When it is sent: Only when a site administrator has connected the plugin to a Cookie Scout account and performs actions that require the service, or when visitors submit consent while that connected mode is active.
  • Provider: Cookie Scout — Website, Account dashboard, Terms of use, Privacy policy

Google Tag Manager and Google Tag (googletagmanager.com)

  • What it is: Google’s tag hosting and execution platform.
  • What it is used for: If an administrator enters a valid Google Tag Manager container ID (format GTM-…) in the plugin settings, the plugin can load Google Tag Manager on the public site in line with the selected Consent Mode behaviour (standard vs advanced). The browser may then load additional tags configured in that container.
  • What data is sent: The plugin requests Google’s gtm.js (and the GTM noscript iframe when applicable) from Google. Any further requests, cookies, or personal data depend entirely on what the administrator has configured inside Google Tag Manager and the tags fired from it—not on this plugin’s code paths beyond loading GTM when allowed by consent settings.
  • When it is sent: When GTM is configured in settings and, depending on mode, when consent allows statistics or marketing storage, or when advanced Consent Mode is enabled as described in the plugin UI.
  • Provider: Google Ireland Limited / Google LLC — Google Tag Manager terms, Google privacy policy

Google Fonts (fonts.googleapis.com / fonts.gstatic.com)

  • What it is: Google’s font delivery network.
  • What it is used for: If an administrator selects one of the listed Google fonts for the cookie policy / cookie list appearance, the visitor’s browser loads the corresponding stylesheet (and font files) from Google.
  • What data is sent: Standard web requests as defined by Google (typically IP address and technical headers as part of loading CSS/font assets).
  • When it is sent: Only when a Google font is chosen in settings and a page that outputs the policy or list shortcodes is viewed.
  • Provider: Google — Google Fonts privacy FAQ, Google privacy policy

Stripe (checkout.stripe.com)

  • What it is: Payment processing for Cookie Scout plans, when you use connected checkout from the plugin.
  • What it is used for: Redirecting the administrator to Stripe Checkout when purchasing or upgrading through the Cookie Scout service.
  • What data is sent: Handled by Cookie Scout’s checkout API and Stripe according to their flows; this plugin only redirects the administrator to the checkout URL returned by the service.
  • When it is sent: Only when an administrator starts checkout from the plugin while using connected mode.
  • Provider: Stripe — Stripe legal / privacy

Front-end requests to your own site (scanner / GTM detection)

  • What it is: The plugin may request your site’s public HTML using wp_remote_get() (for example the basic scanner in admin, or optional detection of an existing GTM snippet).
  • What it is used for: Analysing HTML your site already outputs; the plugin does not substitute remote CDNs for its own assets through these requests.
  • What data is sent: A normal HTTP GET to your home_url() as seen by the server (user-agent identifies the plugin).
  • When it is sent: Only when an administrator triggers the relevant tool in wp-admin.

Installation

  1. Upload the plugin to /wp-content/plugins/
  2. Activate the plugin in WordPress
  3. Go to Cookie Scout in the admin and complete the quick setup

FAQ

Does the plugin require an account?

No, the plugin can be used locally without an account.

Are there advanced features?

Yes, advanced features can be enabled separately.

Contributors & Developers

“Cookie Scout” is open source software.

Changelog

1.0.16

  • Security: the connect flow now requires nonce verification before the API token is stored; consent JSON is sanitised and validated field by field before API calls.

1.0.15

  • Plugin Check: fixed GTM notice escaping, sticky form fields with nonce verification, User-Agent sanitization and Google Fonts enqueue version.

1.0.14

  • Plugin Check: Tested up to WordPress 7.0; i18n translators comments fixed; removed load_plugin_textdomain; PHPCS adjustments for templates, passwords and admin GET flows.

1.0.13

  • Script blocking: added fixed fallback rules for payment scripts (incl. ePay/Bambora/Worldline domains), which are categorised as necessary so that checkout can work when optional cookies are declined.

1.0.12

  • Compatibility: removed PHP 8 match in the settings template and replaced it with switch, so that parse errors on older PHP are avoided.

1.0.11

  • Banner: larger cookie icon in the floating reopen button and CSS that resists themes' button/svg scaling; slightly more room for the banner logo.

1.0.10

  • Script blocking: GTM recognition now covers server-side / hosted gtm.js (e.g. your own domain with ?id=GTM-… or Stape verticals), so the same consent rules apply as for googletagmanager.com GTM and scripts avoid incorrect “unknown” blocking.

1.0.9

  • Script blocking: on reload with valid consent in localStorage, that consent is now applied to the DOM (iframe placeholders and blocked scripts), so that e.g. YouTube is shown without having to accept again.

1.0.8

  • Script blocking: skip the server-side buffer when the User-Agent contains CookieScoutRemoteScan/1 (backend Playwright scanner and wp_remote_get in the plugin), so that scanning sees executable tags in the HTML.

1.0.7

  • Banner: schedule boot with DOMContentLoaded + short polling, so that init is not skipped if the markup arrives after the script (avoids a “dead” frontend with certain themes/caches).

1.0.6

  • Banner: boot also runs if the DOM is already ready (avoids a hidden banner when the script is loaded late); important for GTM/script blocking and for external scans.

1.0.5

  • Banner: uniform bottom padding in the cookie settings panel (matches sides/top).

1.0.4

  • dataLayer: also emits cookie_consent_update (Cookiebot-compatible) on consent, so that existing GTM triggers can be reused.

1.0.3

  • Correct Cookie Scout terms/privacy URLs in readme; shortcode return hardening (esc_html__, wp_kses_post); safe shutdown flush for script-blocker output buffer.

1.0.2

  • Stricter escaping (admin UI, banner colours/position), check_ajax_referer on privileged AJAX, hex colour validation, connect-code format check, domain-list documentation, removed inline onclick confirm in favour of enqueued admin JS.

1.0.1

  • Hardened AJAX and checkout return URLs (nonces), improved script loading and output escaping for consent/blocker/GTM, removed frontend “Powered by” credit, admin settings scripts enqueued properly, readme external services documentation.

1.0.0

  • First public release