diff --git a/CHANGELOG.md b/CHANGELOG.md index 351dcd9..4432a1d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ All notable changes to Warder Cookie Consent are documented here. +## [2.1.0] - 2026-05-30 + +### Added +- `warder_block_script_until_consent()` — a `script_loader_tag` filter that rewrites known analytics/marketing script tags to `type="text/plain" data-category=""` before consent is given. vanilla-cookieconsent holds these scripts and re-executes them once the user accepts the matching category. Built-in handles: `sourcebuster-js`, `wc-order-attribution`, `wp_slimstat`. Site owners can extend or replace the list via the `warder_blocked_scripts` filter. +- Expanded the `necessary` category cookie defaults to cover the full WordPress and WooCommerce session surface: `cc_cookie` (consent record), `wordpress_logged_in_*`, `wordpress_sec_*`, `wordpress_test_cookie`, `wp-settings-*`, `wp_woocommerce_session_*`, `woocommerce_cart_hash`, `woocommerce_items_in_cart`, `woocommerce_recently_viewed`, `PHPSESSID`. + +### Changed +- `sbjs_*` (SourceBuster.js attribution cookies) moved from the `necessary` category to `analytics`, where they belong — they are set by an optional tracking script, not by WordPress core. + ## [2.0.2] - 2026-05-30 ### Security diff --git a/inc/defaults.php b/inc/defaults.php index c321b20..2f0d87e 100644 --- a/inc/defaults.php +++ b/inc/defaults.php @@ -34,10 +34,51 @@ function warder_get_default_options() { 'enabled' => true, 'readonly' => true, 'cookies' => array( + // Consent record — must always be kept. array( - 'name' => '/^sbjs_/', + 'name' => 'cc_cookie', + 'is_regex' => false, + ), + // WordPress login & security. + array( + 'name' => '/^wordpress_logged_in_/', + 'is_regex' => true, + ), + array( + 'name' => '/^wordpress_sec_/', + 'is_regex' => true, + ), + array( + 'name' => 'wordpress_test_cookie', + 'is_regex' => false, + ), + // WordPress admin bar / customizer. + array( + 'name' => '/^wp-settings-/', + 'is_regex' => true, + ), + // WooCommerce session & cart. + array( + 'name' => '/^wp_woocommerce_session_/', 'is_regex' => true, ), + array( + 'name' => 'woocommerce_cart_hash', + 'is_regex' => false, + ), + array( + 'name' => 'woocommerce_items_in_cart', + 'is_regex' => false, + ), + array( + 'name' => 'woocommerce_recently_viewed', + 'is_regex' => false, + ), + // PHP session. + array( + 'name' => 'PHPSESSID', + 'is_regex' => false, + ), ), ), 'analytics' => array( @@ -66,6 +107,10 @@ function warder_get_default_options() { 'name' => '/^mtm_/', 'is_regex' => true, ), + array( + 'name' => '/^sbjs_/', + 'is_regex' => true, + ), ), ), ), diff --git a/inc/frontend.php b/inc/frontend.php index 07da73c..434a273 100644 --- a/inc/frontend.php +++ b/inc/frontend.php @@ -112,3 +112,60 @@ function warder_add_preferences_button() { echo ''; } add_action( 'wp_footer', 'warder_add_preferences_button' ); + +/** + * Blocks known analytics/marketing scripts until the matching consent category + * is accepted by rewriting their type to "text/plain" and adding data-category. + * + * Vanilla-cookieconsent holds type="text/plain" scripts and re-executes them + * (as type="text/javascript") once the user accepts the named category. This + * prevents scripts like WooCommerce's SourceBuster (which sets sbjs_* cookies) + * and Slimstat from firing before consent. + * + * Site owners can extend or override the list via the warder_blocked_scripts filter. + * + * @param string $tag The full