Auto-Block Third-Party Scripts

Last updated Mar 24, 2026

Auto-blocking automatically prevents known third-party tracker scripts from loading until the visitor gives consent for the appropriate cookie category. This provides GDPR compliance without the need to manage each script manually.

What Auto-Blocking Does

When enabled, the banner script uses a MutationObserver to watch for new <script> elements being added to the page. Each script's src URL is matched against a list of 30+ known tracker patterns. Matching scripts are neutralised before they can execute - their type is changed to text/plain and their src is removed.

After the visitor consents to the relevant cookie category, the blocked scripts are re-created and allowed to execute normally.

Known Tracker Patterns

The auto-blocker recognises patterns for three categories:

  • Analytics - Google Analytics, Google Tag Manager, Hotjar, Microsoft Clarity, Matomo, Mixpanel, PostHog, and more.
  • Marketing - Facebook Pixel, Google DoubleClick, LinkedIn Insight, TikTok Pixel, HubSpot, Criteo, and more.
  • Functional - Google reCAPTCHA, Google Maps.
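
The mechanism from "What Auto-Blocking Does", combined with the categories above, as an added example that is not Kukie.io's own code. The names PATTERNS, categoryFor, neutralise and grant are hypothetical, and the three host patterns are illustrative stand-ins for the real list, which this page does not publish.

```javascript
// Illustrative patterns (assumption): NOT the real 30+ entry list used by c.js.
const PATTERNS = [
  { category: 'analytics',  host: 'googletagmanager.com', path: '/' },
  { category: 'marketing',  host: 'connect.facebook.net', path: '/' },
  { category: 'functional', host: 'google.com',           path: '/recaptcha/' },
];
const consent = new Set(); // opt-in model: no category is consented at start
const blocked = [];        // what is needed to re-create each neutralised script

// Map a script URL to a consent category, or null when it is not a known tracker.
// The parsed host is compared, not a substring, so "?ref=googletagmanager.com" cannot match.
function categoryFor(src, base = 'https://example.test/') {
  if (!src) return null; // inline script: no src, so never matched
  let url; try { url = new URL(src, base); } catch { return null; }
  const hit = PATTERNS.find(p =>
    (url.hostname === p.host || url.hostname.endsWith('.' + p.host)) &&
    url.pathname.startsWith(p.path));
  return hit ? hit.category : null;
}

// Neutralise one <script> unless its category already has consent. Returns true if blocked.
function neutralise(el) {
  const src = el.getAttribute('src');
  const category = categoryFor(src);
  if (!category || consent.has(category)) return false;
  blocked.push({ el, src, category, type: el.getAttribute('type') });
  el.setAttribute('type', 'text/plain'); // a text/plain script is data, not code
  el.removeAttribute('src');
  return true;
}

// Record consent first (so the observer lets the copies through), then re-create the scripts.
function grant(category, doc) {
  consent.add(category);
  const ready = blocked.filter(b => b.category === category);
  for (const b of ready) {
    const fresh = doc.createElement('script');
    if (b.type) fresh.setAttribute('type', b.type);
    fresh.setAttribute('src', b.src);
    b.el.replaceWith(fresh);
    blocked.splice(blocked.indexOf(b), 1);
  }
  return ready.length;
}
// Browser wiring (skipped where there is no DOM): inspect every <script> as it is added.
if (typeof MutationObserver !== 'undefined') {
  new MutationObserver(recs => recs.forEach(r => r.addedNodes.forEach(n => {
    if (n.nodeName === 'SCRIPT') neutralise(n);
  }))).observe(document.documentElement, { childList: true, subtree: true });
}
```

The functions only need an object with getAttribute, setAttribute, removeAttribute and replaceWith, so the matching and blocking logic can be unit-tested outside a browser.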

How to Enable

In the Banner Editor, go to the Design tab and find the Behaviour section. Toggle Auto-block third-party scripts to on.

Auto-blocking is only active when the consent model is set to opt-in. In opt-out or notice-only modes, scripts are not blocked since consent is implied.

Best Practice: Load c.js First

For the most effective blocking, load the Kukie.io banner script (c.js) synchronously in the <head> of your page, before any other scripts. This ensures the MutationObserver is active before third-party scripts are parsed.

<!-- Load Kukie.io first for best auto-blocking -->
<script src="https://app.kukie.io/c.js" data-site-key="YOUR_KEY"></script>
<!-- Other scripts below -->

Important: Scripts that are already in the HTML and execute synchronously before c.js loads cannot be blocked. For best results, load c.js without the async attribute when using auto-blocking.

Limitations

  • Inline scripts (without a src attribute) are not matched against tracker patterns.
  • Scripts loaded before c.js initialises will have already executed.
  • Dynamically created scripts that do not use standard DOM insertion may bypass the observer.