Script Blocking

Script blocking is ConsentForge's core mechanism for preventing third-party scripts from loading before the user has given consent.

How it works

When ConsentForge loads, it scans the page for scripts with type="text/plain" and a data-consent-category attribute. These scripts are inert: because text/plain is not a JavaScript MIME type, browsers neither fetch nor execute them.

When consent is given for a category, ConsentForge:

  1. Finds all matching <script> tags
  2. Changes type from "text/plain" to "text/javascript"
  3. For external scripts (src attribute): re-creates the <script> element to trigger loading
  4. For inline scripts: evaluates the content via eval() (in a sandboxed context)

Marking scripts for blocking

<!-- External script -->
<script
  type="text/plain"
  data-consent-category="analytics"
  src="https://www.googletagmanager.com/gtag/js?id=G-XXXXX"
></script>

<!-- Inline script -->
<script type="text/plain" data-consent-category="marketing">
  fbq('init', 'YOUR_PIXEL_ID');
</script>

iFrame blocking

iFrames (e.g. YouTube, Vimeo, Google Maps) use data-src instead of src:

<iframe
  data-src="https://www.youtube.com/embed/VIDEO_ID"
  data-consent-category="marketing"
  width="560" height="315"
></iframe>

When consent is given, ConsentForge sets src from data-src, loading the iframe.

What cannot be blocked

  • Scripts loaded by a tag manager before consent fires (configure GTM with Consent Mode instead)
  • Server-side tracking (use the ConsentForge API to check consent server-side)
  • Browser-native features (Service Workers, localStorage — these are controlled by the runtime, not script blocking)

Verification

After setup, open DevTools → Network with the "All" filter selected. Scripts that should be blocked must NOT appear in the network log before the user accepts. After the user accepts, they should load.
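
The Network-panel check above can also be scripted. This is an added example, not ConsentForge code: it compares the URLs in the blocked markup against what the browser actually fetched, using the standard Resource Timing API. The names `findConsentLeaks`, `collectGated` and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example. Pure check, so it also runs under Node for testing.
// gated:      [{ url, category }] taken from the blocked markup
// loadedUrls: URLs the browser fetched (Resource Timing entry names)
// consented:  categories the user has accepted so far
function findConsentLeaks(gated, loadedUrls, consented, base) {
  const norm = (u) => {
    try {
      const parsed = new URL(u, base); // resolves relative src values
      parsed.hash = '';                // fragments are never sent on the wire
      return parsed.href;
    } catch {
      return null;                     // unparsable value cannot match anything
    }
  };
  const loaded = new Set(loadedUrls.map(norm).filter(Boolean));
  const allowed = new Set(consented);
  return gated
    .map((g) => ({ url: norm(g.url), category: g.category }))
    .filter((g) => g.url && !allowed.has(g.category) && loaded.has(g.url));
}

// Browser-side collection, for pasting into the DevTools console.
// Run it before accepting: once a category is activated the markup changes.
function collectGated(doc) {
  const scripts = doc.querySelectorAll(
    'script[type="text/plain"][data-consent-category][src]');
  const frames = doc.querySelectorAll('iframe[data-src][data-consent-category]');
  return [
    ...[...scripts].map((s) => ({
      url: s.getAttribute('src'), category: s.dataset.consentCategory })),
    ...[...frames].map((f) => ({
      url: f.dataset.src, category: f.dataset.consentCategory })),
  ];
}

// Constructed sample data (not from a real page) for an offline run.
const SAMPLE_GATED = [
  { url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXX', category: 'analytics' },
  { url: 'https://www.youtube.com/embed/VIDEO_ID', category: 'marketing' },
];
const SAMPLE_LOADED = [
  'https://example.test/app.js',
  'https://www.youtube.com/embed/VIDEO_ID', // fetched without consent: a leak
];

if (typeof document !== 'undefined') {
  const loaded = performance.getEntriesByType('resource').map((e) => e.name);
  console.table(findConsentLeaks(collectGated(document), loaded, [], location.href));
}
```

An empty result before consent means none of the gated external scripts or iframes were fetched. Inline scripts have no URL, so this check does not cover them.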