=== CookieBoxs - GDPR/CCPA Cookie Consent & Google Consent Mode v2 ===
Contributors: visionsolutions
Donate link: https://visionsolutions.pl/
Tags: cookie consent, gdpr, ccpa, cookie banner, google consent mode
Requires at least: 6.2
Tested up to: 7.0
Stable tag: 3.3.10
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Cookie consent plugin for managing visitor consent with Google Consent Mode v2, script blocking, content blockers, and optional integrations.

== Description ==

CookieBoxs is a cookie consent plugin for WordPress that helps site owners manage visitor consent preferences and configure consent-aware integrations.

Free features include:

* Google Consent Mode v2 support
* Automatic script blocker and cookie cleaner
* 25+ built-in integrations
* Content blockers for embedded media and maps
* 40 interface languages
* Region presets
* Consent logging in WordPress
* Floating settings badge
* Self-hosted plugin files

Optional PRO features include two-phase Cookie Scanner (server + browser-based detection), geo-targeting, additional templates, cookie declaration, consent analytics, tamper-proof consent records with CSV export and printable certificates, A/B testing of banner variants, granular per-service consent, a live banner design editor, branding options, and custom CSS.

Documentation: [cookieboxs.com](https://cookieboxs.com)

== Installation ==

1. Upload the `cookieboxs` folder to the `/wp-content/plugins/` directory.
2. Activate the plugin in WordPress.
3. Go to Settings -> CookieBoxs.
4. Choose your language and region preset.
5. Configure the integrations you want to use.
6. Save your settings.

== Frequently Asked Questions ==

= Does it include Google Consent Mode v2? =

Yes.

= Does the plugin guarantee legal compliance? =

No. CookieBoxs is a technical tool that can help with consent management and privacy-related configuration. Site owners remain responsible for reviewing their legal obligations, policies, and third-party services.

= Does it block scripts before consent? =

The plugin includes an automatic script blocker and cookie cleaner. Built-in integrations are designed to load according to their assigned consent category. Google Tag Manager may load earlier and rely on Consent Mode signals, depending on configuration.

= Can I customize the banner text? =

Yes. Banner text, category labels, and descriptions can be customized in the plugin settings.

= How do I add custom scripts? =

Go to Settings -> CookieBoxs -> Custom Scripts and assign the script to a consent category.

= Is it compatible with caching plugins and page builders? =

CookieBoxs is designed to work with common caching plugins and standard WordPress themes and builders.

= Does it support multisite? =

Yes.

= How do I show a link to reopen cookie settings? =

Use the shortcode `[cookieboxs_settings]` or enable the floating badge.

== Screenshots ==

1. Cookie consent banner
2. Dark theme banner
3. Settings panel
4. General settings
5. Integrations settings
6. Google Consent Mode v2 settings
7. Appearance settings
8. Floating badge
9. Content blocker placeholder

== Changelog ==

= 3.3.10 =
* Fixed (license activation): the plugin now sends license activation/validation/deactivation requests to the licensing API as JSON (application/json) instead of form-encoded. Some servers/firewalls (e.g. openresty) reject the form-encoded body with an HTTP 415 "Unsupported Media Type" error, which made activation fail with a misleading message. JSON is accepted everywhere and the API reads the same parameters.

= 3.3.9 =
* Improved: PRO license activation now shows a real diagnostic when it fails, instead of a generic "Invalid license key". If the connection is blocked it shows the actual transport error (timeout / DNS / outbound-firewall / SSL); if a firewall or host returns a block page it shows the real HTTP status code plus a short snippet of that page (which usually names the firewall/host doing the blocking). Makes "why won't my key activate" self-explanatory on locked-down hosts.
* Fixed: no more brief "flash" of the banner on page load for returning (already-consented) visitors. The banner and overlay are now hidden by default and revealed by JavaScript only when consent is still needed. This is flash-proof even behind page optimizers such as Cloudflare Rocket Loader, which defer scripts and previously let the banner appear for a moment before it was hidden. Removed the old inline "instant-hide" script that such optimizers delayed.

= 3.3.8 =
* Fixed: the banner's "Details" tab now shows the full cookie scan. It reads the complete (browser-rendered) scan results, so cookies loaded via Google Tag Manager / JavaScript — e.g. Google Ads (_gcl_au) and the full Analytics set — are listed under the right category instead of being missed. The detailed scan and the banner are kept in sync.
* Fixed (important): the banner could keep reappearing after clicking Accept on sites where another script (a broken gtag/dataLayer/pixel from a different plugin) threw an error during the consent save — the close + reload step was skipped. Consent is now persisted and the banner is closed immediately, before any third-party integration runs, and all integration calls are isolated so they can never block the consent flow.
* Improved: consent is now also mirrored to localStorage as a fallback, so the choice survives even when cookies are stripped by a host/CDN or blocked by the browser (the banner stays dismissed). The instant-hide and the "change settings" reset honor it too.

= 3.3.7 =
* Fixed (critical): enabling Google Maps under Blocking could blank the entire page content on posts/pages that ran through the_content. An unescaped slash in the "google.com/maps" match pattern broke the regex, so the content filter returned nothing. The pattern is now escaped correctly and the filter can never return empty content (it falls back to the original content if anything goes wrong).
* Fixed: the floating badge icon selector now actually works — Cookie, Gear, Shield, Lock and Fingerprint each render their own crisp icon, and the icon size is now protected against theme CSS that previously distorted it.
* Added (PRO): upload your own badge icon — paste custom SVG markup under Badge settings to replace the built-in icon. Sanitized through a strict allowlist (no scripts, event handlers or external references).
* Added (PRO): a `cookieboxs_banner_template` filter so developers can ship a fully custom banner template (your own markup/classes, styled freely from your stylesheet). The path is validated and safely falls back to the bundled template.
* Added (PRO): "Minimal CSS mode" toggle (Design tab) — one switch for developer styling. When ON it applies your Custom CSS and strips the banner's built-in cosmetic !important (colors, borders, radius, shadow, spacing, fonts) so your CSS fully controls the look without swapping the template. When OFF the banner uses only its built-in design and the Custom CSS is ignored (clean revert). Positioning, stacking and visibility always stay protected. The live design preview reflects your Custom CSS in real time while this mode is on.
* Added (PRO): a built-in CSS selector cheat-sheet under the Custom CSS box (Design tab), so you can style the banner without opening the browser console.
* Fixed: the corner branding / white-label logo no longer overlaps the title text in some layouts — it now floats so the text wraps cleanly around it, and a wide company logo is scaled to fit (aspect ratio preserved).

= 3.3.6 =
* Compliance: renamed the design editor's internal JavaScript globals to the cookieboxs- prefix (guideline: unique prefixes), sanitized the logging-toggle AJAX input, fully prepared all consent-record queries via the %i identifier placeholder (with explicit phpcs annotations), and escaped a banner output value at the point of output. No functional changes.
* Added (PRO): full banner design editor parity — one-click style presets (incl. a full-width bottom "bar", dark and sidebar layouts), a 3x3 position grid plus full-width Top/Bottom bar buttons, a width slider, screen backdrop (none/dim/blur), and segmented controls for font, shadow, spacing, buttons and animation. Two-column layout with a sticky live preview and an in-panel "Save changes" button.
* Improved (PRO): the live preview now reproduces the frontend 1:1 (real template CSS), so the shadow and corner-radius controls are reflected immediately; "Match my site" normalizes the detected color and confirms when applied.
* Fixed (PRO): the frontend now honors the custom background and text colors from the design editor / presets (e.g. the Dark preset renders a dark banner), with light/dark UI accents derived from the background.
* Fixed (PRO): the Sidebar layout is now a true full-height panel on desktop.
* Improved (PRO): A/B testing — Variant B can now also override the banner description (text A/B), and you can preview a specific variant on any page with ?cb_ab=A or ?cb_ab=B.
* Improved: clicking the floating settings badge now re-opens the preferences panel with the visitor's current choices, instead of clearing consent and reloading.
* Added: a one-time review request notice after ~30 days; other plugins' admin notices are hidden on the CookieBoxs settings screen to keep it clean.
* Added: consent-logging can be toggled directly from the Analytics tab (instant save), and the cookie scanner checklist now has tooltips and fix links.
* Security: custom-script fields are now editable only by users with the unfiltered_html capability — non-privileged saves (e.g. Multisite site admins) can no longer inject executable JavaScript that runs for visitors.
* Hardening: consent-record queries are fully prepared via the %i identifier placeholder, the logging-toggle AJAX input is sanitized, and a banner output value is escaped at the point of output.

= 3.2.0 =
* Added (PRO): Consent Records — a tamper-proof proof-of-consent log. Each consent stores a unique token, the chosen categories, the banner and policy version it was given against, a hashed IP, country, language and timestamp. Browse with date/method filters, export to CSV (with formula-injection protection), and open a printable consent certificate for any record. A configurable retention period deletes old records automatically (GDPR storage limitation), and records can be deleted individually or in bulk.
* Added (PRO): A/B testing of the cookie banner. Visitors are split 50/50 (sticky per visitor) between Variant A (your live banner) and Variant B (an override of the title, accept-button text and accept-button color). The variant is recorded with each consent and the dashboard shows the accept-all rate per variant, the winner and the relative lift — so you can optimise opt-in rates with real data.
* Added (PRO): banner design editor. A dedicated Design tab with a real-time live preview and an "Appearance & Buttons" panel — choose a font (system/geometric/serif/rounded/mono/condensed, no Google CDN), shadow depth, spacing, button style (filled/outline/soft/pill), reject-button style (outline/ghost/link), button size, layout (row/stacked/full width), corner radius, uppercase, accept-button text color, and an entrance animation (fade/slide/scale, honoring prefers-reduced-motion). A one-click "Match my site" pulls a brand color from your theme (theme.json palette or Customizer). Every default reproduces the previous look exactly, so existing sites are unchanged until you edit something.
* Added (PRO): granular per-service consent. With it on, the "Customize" modal lists each configured integration with its own toggle under its category, so visitors can allow some services and deny others within the same category (e.g. allow Google Analytics but deny Hotjar). A category master toggle still selects/clears all of its services at once. Gating is client-side, so it stays compatible with page caching, and old consent cookies keep working (category-level decision applies until the visitor updates their choice).
* Improved: automatic language detection (free). A fresh install now picks the banner language from your WordPress site language (Settings -> General) instead of a fixed default, and on a single-language site (no Polylang/WPML/TranslatePress) the banner follows the WordPress site language automatically — e.g. a German WordPress shows a German banner out of the box. The "Auto-detect language" toggle on the General tab is now always available, so you can switch back to a fixed language at any time. Any banner wording you customized is always preserved.
* Security: the consent-logging endpoint is rate-limited per hashed IP; the banner/policy version, consent token and A/B variant are all stamped server-side (never trusted from the client); the method, language and A/B variant are whitelisted; and the source URL is verified against your own site host.
* Note: Consent Records, A/B testing and granular per-service consent are PRO features. Automatic language detection is free.

= 3.1.0 =
* Added: 29 new interface languages, bringing the total to 40. New languages: Turkish, Russian, Japanese, Chinese (Simplified), Danish, Finnish, Norwegian, Greek, Romanian, Hungarian, Slovak, Slovenian, Bulgarian, Croatian, Estonian, Latvian, Lithuanian, Irish, Indonesian, Arabic, Korean, Hebrew, Maltese, Vietnamese, Thai, Hindi, Persian (Farsi), Malay, Serbian. CookieBoxs now ships complete translations (392 strings each) for all 24 official EU languages plus major global languages (Asia, Middle East) — no cloud, no external translation service, all bundled locally.
* Added: right-to-left (RTL) layout support. When the banner language is Arabic, Hebrew or Persian, the banner and settings modal automatically render with dir="rtl".
* Added: multilingual compatibility. When Polylang, WPML, TranslatePress or qTranslate-XT is active, the banner automatically follows the language of the page each visitor is viewing (e.g. /fr/ shows the French banner, /de/ the German one). The fixed language in settings becomes the fallback. A toggle on the General tab lets you turn auto-detection off, and a `cookieboxs_current_language` filter is available for custom setups.
* Tested: full compatibility with WordPress 7.0.
* Note: translations for smaller languages (Maltese, Irish, Baltic) are a best effort — community corrections are welcome via the support forum.

= 3.0.14 =
* Removed: noisy "we disabled features for you" admin notice that 3.0.9 shipped after the auto-migration of `script_blocker` / `block_youtube` / `block_vimeo` / `block_maps`. The notice was sticky on every admin screen until dismissed, which became annoying. Settings → Blockers now carries a red warning card (added in 3.0.13) that explains the same information in-context, so the global banner is no longer needed.
* Cleanup: the `cookieboxs_show_3_0_9_migration_notice` option is now deleted on upgrade so leftover flags from previous installs don't accumulate. Removed `show_3_0_9_migration_notice()` and `maybe_dismiss_migration_notice()` methods together with their hooks (`admin_notices`, `admin_init` for dismiss).

= 3.0.13 =
* UX: redesigned the Automatic Script Blocker card in Settings → Blockers and in the setup wizard. The card now has a red warning frame instead of the previous indigo "recommended" frame, the toggle label reads "NOT recommended" in red, and a prominent multi-line warning explains that the feature can prevent parts of the page from rendering (especially with page builders like Elementor or caching plugins like LiteSpeed/WP Rocket) and that it must be tested on staging before enabling in production.
* Defaults: the wizard checkbox is now unchecked by default, the wizard form handler stores `script_blocker = false` for fresh installs, and the wizard summary screen no longer mis-reports the off state as a problem (it now shows "✗ Off (recommended)" in neutral grey).
* Translated: 2 new translation keys (`sb_warning`, `sb_not_recommended`) added to all 11 language files. The warning is fully localised in English, Polish, German, French, Spanish, Italian, Dutch, Czech, Portuguese, Swedish and Ukrainian.

= 3.0.12 =
* Fixed: Plugin Check warning `upgrade_notice_limit` — the Upgrade Notice entries for 3.0.8, 3.0.9 and 3.0.10 exceeded the 300-character limit set by WordPress.org. The text has been trimmed without losing the essential information.

= 3.0.11 =
* Hardening: wrapped 7 ternary-string `echo` expressions in `templates/admin.php` with `esc_attr()` or `esc_html()` even though they return hardcoded literal CSS classes / glyphs. Defends against future code changes that might accidentally let user data flow into those expressions, and satisfies the strict "escape every echo" rule enforced by WordPress.org Plugin Check.
* Hardening: when the cookie scanner extracts a `cookieboxsIntegrations = {...}` JSON fragment from the homepage HTML (the homepage is fetched server-side via `wp_remote_get()`), the fragment is now passed through `sanitize_text_field()` before `json_decode()`. The output is still gated by an `is_array()` check and only scalar keys are read, but the extra sanitization makes the defensive intent explicit.

= 3.0.10 =
* Fixed: per-category custom code textareas (Necessary / Functional / Analytics / Marketing) silently dropped any snippet that included the surrounding `<script>` tags. Site owners who copied the full official snippet from the provider's documentation (e.g. Microsoft Clarity, Google Analytics, Hotjar, Tawk.to) would see no error but the tracker would never run, because the JavaScript body was passed to `new Function()` together with literal `<script>` text which causes a SyntaxError. The plugin now strips the wrappers (and legacy HTML comment / CDATA markers) before evaluation, so BOTH formats — pure JS body OR full `<script>…</script>` snippet — work.
* Added: Google Ads "Conversion label" input field under the Google Ads ID input on the Integrations tab. The `int_gads_label` option had been stored and passed to the frontend conversion event since earlier releases but there was no UI to set it. Translated label placeholder added to all 11 language files.
* Improved: custom-code textarea placeholders now show concrete copy-paste examples (Microsoft Clarity snippet on the Analytics card) and the category headings on the custom-scripts tab are properly translated instead of being hardcoded in Polish.

= 3.0.9 =
* Fixed: Auto Script Blocker and the YouTube/Vimeo/Google Maps embed blockers were reported to break page rendering on sites that combine Elementor (4.x) with LiteSpeed Web Server / WP Rocket / other complex caching setups. The visible symptom was an empty hero / content area while the header and footer rendered normally.
* Migration: when a site updates from 3.0.7 or 3.0.8 to 3.0.9, the four problem options (`script_blocker`, `block_youtube`, `block_vimeo`, `block_maps`) are force-disabled. The cookie banner, Google Consent Mode v2, integrations and consent logging keep working as before. A one-time dismissible admin notice (translated to all 11 languages) explains the change and links to Settings where the options can be re-enabled after testing on staging.
* Added: `cookieboxs_db_version` option to track the last-migrated plugin version so future migrations run exactly once per upgrade, even when WordPress updates the plugin in place without firing `register_activation_hook`.
* Translated: 3 new translation keys (`migration_3_0_9_notice`, `migration_3_0_9_button_settings`, `migration_3_0_9_button_dismiss`) added to all 11 language files (389 keys total per file).

= 3.0.8 =
* Fixed: site rendering as "footer only" or blank after activation when a page builder or full-page cache plugin was active. The automatic script blocker now records its output buffer level and verifies stack alignment on shutdown, so it never closes a buffer that belongs to another plugin or theme.
* Fixed: structural bug in 9 language files (cs, de, es, fr, it, nl, pt, sv, uk) — five wizard keys (wiz_gcm_enable, wiz_gcm_info, wiz_recommended, wiz_sb_enable, wiz_sb_info) were stored at top level but read from admin.* by the plugin, so existing translations were silently ignored. Keys moved to admin.* in all affected files.
* Translated: filled all missing translations in 8 language files — fr (83), es (119), it (119), nl (130), cs (135), pt (135), sv (135), uk (135). All 11 languages now ship at 100% coverage. Brand and industry-standard names (Google Maps, Google Consent Mode v2, White Label, Marketing, Retargeting, Powered by CookieBoxs) are preserved as-is.
* Fixed: 46 hardcoded Polish strings in PHP and JavaScript files (cookieboxs.php, templates/admin.php, templates/banner.php, templates/news.php, assets/js/cookieboxs-admin.js) were appearing regardless of the user's language selection. Replaced with translation keys read from the language JSON files. 70 cookie scanner descriptions normalised to English (industry standard, matching Cookiepedia/Termly conventions).
* Translated: 26 new translation keys added to all 11 language files (386 keys total per file). Covers license activation messages, badge appearance options, scanner UI, GCM notices, news widget and Pixel-plugin detection notice.
* Improved: cookie scanner now detects Facebook/Meta Pixel installations made through dedicated manager plugins (PixelYourSite Free/Pro, Pixel Manager for WooCommerce, Official Facebook Pixel, Meta for WooCommerce, Pixel Cat, Pixel Caffeine, WP Pixel Manager, Webby Pixel Master). When one of these plugins is active, _fbp, _fbc and fr cookies are added to the detected list — even if the Pixel snippet is loaded indirectly (via GTM or after consent) and would not appear in the HTML-only scan. Applies to both the free and PRO scanners.
* Added: post-scan notice that lists detected Pixel manager plugins so site owners know which plugin is responsible for the marketing cookies.
* Fixed: script blocker was corrupting its own `data-cookieboxs-src` attribute. The regex that strips the original `src=` from a blocked script tag also matched `src=` inside the freshly injected `data-cookieboxs-src=` attribute (because the hyphen counts as a word boundary in PCRE), leaving a truncated `data-cookieboxs-` and no URL. The result was that blocked third-party scripts (jsBarcode for WooCommerce product barcodes, TrustIndex review widget, etc.) could never be restored after the visitor accepted cookies — leading to "the page is missing parts" reports. Operations are now reordered: strip the original `src=` first, then inject the new attributes.
* Improved: cookie blocker now recognises common UI / functional JavaScript libraries served from generic CDNs (jsBarcode, QRCode, Swiper, Owl Carousel, Slick, jQuery, Lodash, Popper, Moment, lazysizes, Flickity, AOS, Lightbox/Fancybox, Leaflet, Chart.js, etc.) and routes them to the `functional` consent category instead of the default `marketing` bucket. Visitors who decline marketing cookies will keep seeing product barcodes, sliders and other display features.
* Added: `cookieboxs_default_unknown_category` filter so site owners can change the fallback category for unknown external scripts (default remains `marketing` for GDPR safety).
* Added: automatic detection of incompatible output-filtering plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache, WP Super Cache, Autoptimize, Hummingbird, WP-Optimize, Cache Enabler, Breeze, SG Optimizer, Powered Cache, FlyingPress, NitroPack, Perfmatters). When one of these is active, the automatic script blocker is skipped and consent is enforced through the standard category gating instead.
* Added: `cookieboxs_disable_script_blocker` filter so site owners and other plugins can opt out of the automatic blocker per request.
* Changed: automatic script blocker now defaults to OFF for new installs and for upgrades from versions that did not have the option. Existing users keep their current setting.

= 3.0.7 =
* Added two-phase Cookie Scanner: server-side HTML detection + browser-based JavaScript cookie detection via hidden iframe.
* Browser scan detects cookies set by GTM-loaded scripts (Meta Pixel, TikTok Pixel, etc.) that server-side scanning cannot see.
* Expanded cookie detection patterns: 55+ known cookies from 30+ providers.
* Added PRO tools including geo-targeting, additional templates, declaration, analytics, branding controls, and custom CSS.
* Improved PRO settings UI.
* Bundled Chart.js locally for PRO analytics.
* Fixed settings-saving issues across PRO sub-tabs.
* Improved WordPress coding standards compliance.

= 3.0.6 =
* Added automatic script blocker and cookie cleaner.
* Added optional PRO licensing, analytics, and export tools.
* Removed non-functional placeholder integrations from the admin UI.

= 3.0.5 =
* Rebranded the plugin from CookieBox to CookieBoxs.
* Updated plugin naming, URLs, and internal handles.

== Upgrade Notice ==

= 3.2.0 =
Adds PRO features: tamper-proof Consent Records (CSV export, printable certificates, auto-retention), banner A/B testing (accept rate, winner, lift) and granular per-service consent. Security-hardened consent logging. The free plugin is unchanged.

= 3.1.0 =
Adds 29 new languages (40 total), RTL support (Arabic/Hebrew/Persian), automatic Polylang/WPML/TranslatePress language detection, and WordPress 7.0 compatibility. Recommended for all users, especially multilingual and non-English sites.

= 3.0.14 =
Removes the sticky "we disabled features for you" admin notice that 3.0.9 shipped — the same information is now shown in-context on the Settings → Blockers card (red warning frame added in 3.0.13). Cleans up the leftover DB flag.

= 3.0.13 =
Auto Script Blocker is now clearly marked as risky (red warning frame, "NOT recommended" label, multi-line warning about page builder/cache conflicts) and is unchecked by default in the setup wizard. Warning text translated into all 11 languages.

= 3.0.12 =
Trims overly long Upgrade Notice entries to satisfy the WordPress.org 300-character limit. No code changes.

= 3.0.11 =
Security hardening release: every `echo` expression in the admin UI is now wrapped with the appropriate escaping function, and one `json_decode()` call that consumed scraped HTML is preceded by `sanitize_text_field()`. No user-visible changes; no behavior changes.

= 3.0.10 =
Fixes silent failure of pasted tracker snippets (Microsoft Clarity, GA, Hotjar) in per-category custom code textareas — `<script>` wrappers are now stripped before evaluation. Adds missing UI field for Google Ads conversion label.

= 3.0.9 =
Critical update. Fixes "empty hero / content area" bug on Elementor + LiteSpeed / WP Rocket sites by auto-disabling Auto Script Blocker and YouTube/Vimeo/Maps embed blockers on upgrade. Cookie banner and integrations keep working. Strongly recommended for page builder users.

= 3.0.8 =
Fixes "only the footer renders" / blank-page issue with some page builders and cache plugins. Auto script blocker now bails out safely on incompatible caches and defaults to OFF for new installs. All 11 languages now at 100% coverage.

= 3.0.7 =
Adds two-phase cookie scanner (server + browser-based detection for GTM-loaded scripts), 55+ known cookie patterns, and optional PRO tools including geo-targeting, templates, analytics, declaration, and branding.

== Source Code ==

All JavaScript and CSS files included in this plugin are human-readable and not minified or compiled. No build tools (npm, webpack, composer) are required to work with this plugin's source code. All plugin-authored JavaScript and CSS is written directly and included as-is.

Third-party libraries and embed snippets:

* `assets/js/chart.min.js` — Chart.js library (MIT License). Source code and unminified version available at: https://github.com/chartjs/Chart.js

* `assets/js/cookieboxs-consent-mode.js` — Contains standard third-party integration embed snippets (e.g., Google Tag Manager, Meta Pixel, TikTok Pixel, Microsoft Clarity, Hotjar, LiveChat, Intercom, etc.). These are the official JavaScript snippets provided by each service for website embedding, written in their standard compact form. Each snippet includes a source URL comment pointing to the official documentation. A full list of source URLs is also available in the file header comments. The surrounding plugin logic (consent state management, Google Consent Mode v2 setup, custom script injection) is authored by this plugin and is fully human-readable.

Official documentation URLs for all embedded third-party snippets:

* Google Tag Manager: https://developers.google.com/tag-platform/tag-manager/web
* Meta Pixel: https://developers.facebook.com/docs/meta-pixel/get-started
* TikTok Pixel: https://ads.tiktok.com/help/article/get-started-pixel
* Microsoft Clarity: https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-setup
* Hotjar: https://help.hotjar.com/hc/en-us/articles/115011639927
* Heap Analytics: https://developers.heap.io/docs/web
* Mixpanel: https://docs.mixpanel.com/docs/tracking-methods/sdks/javascript
* PostHog: https://posthog.com/docs/libraries/js
* LinkedIn Insight Tag: https://learn.microsoft.com/en-us/linkedin/marketing/integrations/ads-reporting/insight-tag
* Pinterest Tag: https://help.pinterest.com/en/business/article/install-the-pinterest-tag
* Snapchat Pixel: https://businesshelp.snapchat.com/s/article/snap-pixel-about
* Twitter/X Pixel: https://business.x.com/en/help/campaign-measurement-and-analytics/conversion-tracking-for-websites
* Microsoft Advertising UET: https://help.ads.microsoft.com/apex/index/3/en/56682
* LiveChat: https://developers.livechat.com/docs/getting-started/installing-livechat
* Crisp: https://docs.crisp.chat/guides/chatbox-sdks/web-sdk/
* Tawk.to: https://help.tawk.to/article/adding-a-tawk-to-widget-to-your-website
* Intercom: https://developers.intercom.com/installing-intercom/web/installation
* Yandex Metrica: https://yandex.com/support/metrica/code/counter-initialize.html
* Matomo: https://developer.matomo.org/guides/tracking-javascript-guide

== Privacy Policy ==

CookieBoxs does not send visitor consent records to the plugin author's servers.

Consent records are stored in the WordPress database. Optional third-party integrations that you configure, such as analytics, advertising, chat, or embedded media services, connect directly from the visitor's browser to those third-party providers after the relevant consent conditions are met.

Admin-only connections used for plugin news, optional deactivation feedback, or optional license validation are described below.

== External Services ==

This plugin uses external services only for user-configured integrations. Third-party integrations are optional, disabled by default, and only activated when the site administrator enables and configures them. The plugin does not offload any of its own assets (JavaScript, CSS, images) to external servers — all plugin files are included locally.

= Plugin services =

* **VisionSolutions API - plugin news and updates**: used in the admin area only; sends plugin version, WordPress version, and site language when an administrator opens the settings page. Provider: VisionSolutions, https://visionsolutions.pl
  Terms of use: https://visionsolutions.pl/regulamin/
  Privacy policy: https://visionsolutions.pl/polityka-prywatnosci/

* **VisionSolutions API - deactivation feedback (optional)**: sends selected reason, optional comment, site URL, WordPress version, and PHP version only if an administrator submits feedback during deactivation. Provider: VisionSolutions
  Terms of use: https://visionsolutions.pl/regulamin/
  Privacy policy: https://visionsolutions.pl/polityka-prywatnosci/

* **VisionSolutions API - PRO license validation (optional)**: sends license key, site domain, and plugin version on activation and periodic validation. Provider: VisionSolutions
  Terms of use: https://visionsolutions.pl/regulamin/
  Privacy policy: https://visionsolutions.pl/polityka-prywatnosci/

* **ipapi.co geolocation API (optional, PRO)**: used only when geo-targeting is enabled and fallback geolocation is needed; sends visitor IP address. Provider: ipapi
  Terms of use: https://ipapi.co/terms/
  Privacy policy: https://ipapi.co/privacy/

* **Cookie Scanner (admin-initiated, PRO)**: two-phase scan. Phase 1 (server): sends requests from your server to your own website pages to detect cookies and tracking scripts from HTML. Phase 2 (browser): loads the scanned page in a hidden iframe within the administrator's browser to detect cookies set by JavaScript (e.g. pixels loaded via Google Tag Manager). All scanning happens locally — no external provider is contacted.

= Optional integrations (services) =

These are third-party services that the site administrator can optionally enable. When enabled, the plugin loads the official embed snippet provided by each service, which connects the visitor's browser directly to that service provider. These are service integrations, not offloaded plugin assets. Each integration is disabled by default and only activates when the administrator provides their account ID.

* **Google Tag Manager** - tag management service; may load on page view and use Consent Mode signals. Loaded from: www.googletagmanager.com. Provider: Google LLC.
  Terms of use: https://marketingplatform.google.com/about/analytics/terms/us/
  Privacy policy: https://policies.google.com/privacy

* **Google Analytics 4** - analytics service; loaded from www.googletagmanager.com/gtag/js via wp_enqueue_script. Provider: Google LLC.
  Terms of use: https://marketingplatform.google.com/about/analytics/terms/us/
  Privacy policy: https://policies.google.com/privacy

* **Google Ads** - conversion tracking and remarketing service; loaded from www.googletagmanager.com/gtag/js via wp_enqueue_script. Provider: Google LLC.
  Terms of use: https://ads.google.com/intl/en/home/terms/
  Privacy policy: https://policies.google.com/privacy

* **Meta Pixel** - advertising measurement service; loaded from connect.facebook.net. Provider: Meta Platforms, Inc.
  Terms of use: https://www.facebook.com/legal/terms
  Privacy policy: https://www.facebook.com/privacy/policy/

* **TikTok Pixel** - advertising measurement service; loaded from analytics.tiktok.com. Provider: TikTok Inc. / ByteDance Ltd.
  Terms of use: https://ads.tiktok.com/i18n/official/policy/business-products-terms
  Privacy policy: https://www.tiktok.com/legal/privacy-policy

* **Microsoft Clarity** - session analytics and heatmaps service; loaded from www.clarity.ms. Provider: Microsoft Corporation.
  Terms of use: https://clarity.microsoft.com/terms
  Privacy policy: https://privacy.microsoft.com/en-us/privacystatement

* **Hotjar** - heatmaps, recordings, and feedback service; loaded from static.hotjar.com. Provider: Hotjar Ltd.
  Terms of use: https://www.hotjar.com/legal/policies/terms-of-service/
  Privacy policy: https://www.hotjar.com/legal/policies/privacy/

* **Matomo** - analytics service; loaded from the site administrator's configured Matomo instance URL. Provider: InnoCraft Ltd. or the site owner's Matomo host.
  Terms of use: https://matomo.org/matomo-cloud-terms-of-service/
  Privacy policy: https://matomo.org/matomo-cloud-privacy-policy/

* **Yandex Metrica** - analytics service; loaded from mc.yandex.ru. Provider: Yandex LLC.
  Terms of use: https://yandex.com/legal/metrica_termsofuse/
  Privacy policy: https://yandex.com/legal/confidential/

* **Heap Analytics** - analytics service; loaded from cdn.heapanalytics.com. Provider: Heap Inc.
  Terms of use: https://heap.io/legal/heap-terms-of-service
  Privacy policy: https://heap.io/legal/privacy

* **Mixpanel** - analytics service; loaded from cdn.mxpnl.com. Provider: Mixpanel, Inc.
  Terms of use: https://mixpanel.com/legal/terms-of-use/
  Privacy policy: https://mixpanel.com/legal/privacy-policy/

* **PostHog** - analytics and feature flags service; loaded from the site administrator's configured PostHog host. Provider: PostHog, Inc.
  Terms of use: https://posthog.com/terms
  Privacy policy: https://posthog.com/privacy

* **LinkedIn Insight Tag** - advertising measurement service; loaded from snap.licdn.com. Provider: LinkedIn Corporation.
  Terms of use: https://www.linkedin.com/legal/l/li-marketing-terms
  Privacy policy: https://www.linkedin.com/legal/privacy-policy

* **Pinterest Tag** - advertising measurement service; loaded from s.pinimg.com. Provider: Pinterest, Inc.
  Terms of use: https://policy.pinterest.com/en/terms-of-service
  Privacy policy: https://policy.pinterest.com/en/privacy-policy

* **Snapchat Pixel** - advertising measurement service; loaded from sc-static.net. Provider: Snap Inc.
  Terms of use: https://snap.com/en-US/terms
  Privacy policy: https://snap.com/en-US/privacy/privacy-policy

* **Twitter/X Pixel** - advertising measurement service; loaded from static.ads-twitter.com. Provider: X Corp.
  Terms of use: https://twitter.com/en/tos
  Privacy policy: https://twitter.com/en/privacy

* **Microsoft Advertising UET** - conversion tracking service; loaded from bat.bing.com. Provider: Microsoft Corporation.
  Terms of use: https://about.ads.microsoft.com/en-us/policies/legal
  Privacy policy: https://privacy.microsoft.com/en-us/privacystatement

* **Intercom** - customer messaging service; loaded from widget.intercom.io and api-iam.intercom.io. Provider: Intercom, Inc.
  Terms of use: https://www.intercom.com/legal/terms-and-policies
  Privacy policy: https://www.intercom.com/legal/privacy

* **LiveChat** - support chat service; loaded from cdn.livechatinc.com. Provider: LiveChat, Inc.
  Terms of use: https://www.livechat.com/legal/terms-of-service/
  Privacy policy: https://www.livechat.com/legal/privacy-policy/

* **Crisp** - customer messaging and chat service; loaded from client.crisp.chat. Provider: Crisp IM SAS.
  Terms of use: https://crisp.chat/en/terms/
  Privacy policy: https://crisp.chat/en/privacy/

* **Tawk.to** - support chat service; loaded from embed.tawk.to. Provider: Tawk.to Ltd.
  Terms of use: https://www.tawk.to/legal/terms-of-service/
  Privacy policy: https://www.tawk.to/legal/privacy-policy/

= Script blocker safe domains =

The automatic script blocker does not block scripts from essential service domains (payment gateways, CAPTCHAs, translation). These domains are whitelisted so the script blocker does not interfere with site-critical functionality provided by other plugins or themes. The CookieBoxs plugin itself does not load any files from these domains — they are only whitelisted to prevent breakage:

* **Stripe** - payment processing service; loaded by other plugins from js.stripe.com and checkout.stripe.com. Provider: Stripe, Inc.
  Terms of use: https://stripe.com/legal/ssa
  Privacy policy: https://stripe.com/privacy

* **PayPal** - payment processing service; loaded by other plugins from www.paypal.com and www.paypalobjects.com. Provider: PayPal Holdings, Inc.
  Terms of use: https://www.paypal.com/us/legalhub/useragreement-full
  Privacy policy: https://www.paypal.com/us/legalhub/privacy-full

* **Google reCAPTCHA** - spam protection service; loaded by other plugins from recaptcha.net. Provider: Google LLC.
  Terms of use: https://policies.google.com/terms
  Privacy policy: https://policies.google.com/privacy

* **hCaptcha** - spam protection service; loaded by other plugins from js.hcaptcha.com. Provider: Intuition Machines, Inc.
  Terms of use: https://www.hcaptcha.com/terms
  Privacy policy: https://www.hcaptcha.com/privacy

* **Cloudflare Turnstile** - bot protection service; loaded by other plugins from challenges.cloudflare.com. Provider: Cloudflare, Inc.
  Terms of use: https://www.cloudflare.com/terms/
  Privacy policy: https://www.cloudflare.com/privacypolicy/

* **Google Translate** - translation service widget; loaded by other plugins from translate.google.com and translate.googleapis.com. Provider: Google LLC.
  Terms of use: https://policies.google.com/terms
  Privacy policy: https://policies.google.com/privacy

= Content blockers =

Content blockers are an optional feature that replaces embedded third-party media (YouTube, Vimeo, Google Maps) with a placeholder until the visitor grants consent. When consent is given, the embed loads normally from the service provider.

* **YouTube** - video embeds can be blocked until consent; loaded from www.youtube.com and www.youtube-nocookie.com. Provider: Google LLC.
  Terms of use: https://www.youtube.com/t/terms
  Privacy policy: https://policies.google.com/privacy

* **Vimeo** - video embeds can be blocked until consent; loaded from player.vimeo.com and vimeo.com. Provider: Vimeo, Inc.
  Terms of use: https://vimeo.com/terms
  Privacy policy: https://vimeo.com/privacy

* **Google Maps** - map embeds can be blocked until consent; loaded from www.google.com/maps and maps.googleapis.com. Provider: Google LLC.
  Terms of use: https://cloud.google.com/maps-platform/terms
  Privacy policy: https://policies.google.com/privacy
