=== Cookie Scout ===
Contributors: cookiescout
Tags: cookies, cookie banner, consent mode, gdpr, gtm
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 8.1
Stable tag: 1.0.16
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Cookie banner with local setup, script blocking and optional advanced features.

== Description ==

Cookie Scout helps you display a cookie banner, store consent and control scripts. The plugin can be used locally without an account. Advanced features can be enabled separately.

== Installation ==

1. Upload the plugin to /wp-content/plugins/
2. Activate the plugin in WordPress
3. Go to Cookie Scout in the admin and complete the quick setup

== External services ==

This plugin communicates with third-party services only when a feature explicitly needs it, or when an administrator has turned that feature on. Below is what is used, why, what data is involved, and when it runs.

= Cookie Scout API (dashboard.cookiescout.io) =

* **What it is:** The Cookie Scout account and configuration service.
* **What it is used for:** Optional connected mode: authenticating the site owner, loading banner and policy configuration, blocking rules, categories, and (when enabled) recording consent events from the banner to your Cookie Scout account.
* **What data is sent:** API requests may include your site URL, authentication token after you connect, banner or policy fields you save from the settings screens, and consent payloads (consent identifier, category choices, banner version reference, page URL, and language) when the visitor consents and connected mode is active.
* **When it is sent:** Only when a site administrator has connected the plugin to a Cookie Scout account and performs actions that require the service, or when visitors submit consent while that connected mode is active.
* **Provider:** Cookie Scout — [Website](https://cookiescout.io) — [Account dashboard](https://dashboard.cookiescout.io) — [Terms of use](https://cookiescout.io/terms.html) — [Privacy policy](https://cookiescout.io/privacy.html)

= Google Tag Manager and Google Tag (googletagmanager.com) =

* **What it is:** Google’s tag hosting and execution platform.
* **What it is used for:** If an administrator enters a valid Google Tag Manager container ID (format `GTM-…`) in the plugin settings, the plugin can load Google Tag Manager on the public site in line with the selected Consent Mode behaviour (standard vs advanced). The browser may then load additional tags configured in that container.
* **What data is sent:** The plugin requests Google’s `gtm.js` (and the GTM noscript iframe when applicable) from Google. Any further requests, cookies, or personal data depend entirely on what the administrator has configured inside Google Tag Manager and the tags fired from it—not on this plugin’s code paths beyond loading GTM when allowed by consent settings.
* **When it is sent:** When GTM is configured in settings and, depending on mode, when consent allows statistics or marketing storage, or when advanced Consent Mode is enabled as described in the plugin UI.
* **Provider:** Google Ireland Limited / Google LLC — [Google Tag Manager terms](https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/) — [Google privacy policy](https://policies.google.com/privacy)

= Google Fonts (fonts.googleapis.com / fonts.gstatic.com) =

* **What it is:** Google’s font delivery network.
* **What it is used for:** If an administrator selects one of the listed Google fonts for the cookie policy / cookie list appearance, the visitor’s browser loads the corresponding stylesheet (and font files) from Google.
* **What data is sent:** Standard web requests as defined by Google (typically IP address and technical headers as part of loading CSS/font assets).
* **When it is sent:** Only when a Google font is chosen in settings and a page that outputs the policy or list shortcodes is viewed.
* **Provider:** Google — [Google Fonts privacy FAQ](https://developers.google.com/fonts/faq/privacy) — [Google privacy policy](https://policies.google.com/privacy)

= Stripe (checkout.stripe.com) =

* **What it is:** Payment processing for Cookie Scout plans, when you use connected checkout from the plugin.
* **What it is used for:** Redirecting the administrator to Stripe Checkout when purchasing or upgrading through the Cookie Scout service.
* **What data is sent:** Handled by Cookie Scout’s checkout API and Stripe according to their flows; this plugin only redirects the administrator to the checkout URL returned by the service.
* **When it is sent:** Only when an administrator starts checkout from the plugin while using connected mode.
* **Provider:** Stripe — [Stripe legal / privacy](https://stripe.com/legal)

= Front-end requests to your own site (scanner / GTM detection) =

* **What it is:** The plugin may request your site’s public HTML using `wp_remote_get()` (for example the basic scanner in admin, or optional detection of an existing GTM snippet).
* **What it is used for:** Analysing HTML your site already outputs; the plugin does not substitute remote CDNs for its own assets through these requests.
* **What data is sent:** A normal HTTP GET to your `home_url()` as seen by the server (user-agent identifies the plugin).
* **When it is sent:** Only when an administrator triggers the relevant tool in wp-admin.

== Frequently Asked Questions ==

= Does the plugin require an account? =
No, the plugin can be used locally without an account.

= Are there advanced features? =
Yes, advanced features can be enabled separately.

== Changelog ==

= 1.0.16 =
* Security: the connect flow now requires nonce verification before the API token is stored; consent JSON is sanitised and validated field by field before API calls.

= 1.0.15 =
* Plugin Check: fixed GTM notice escaping, sticky form fields with nonce verification, User-Agent sanitization and the Google Fonts enqueue version.

= 1.0.14 =
* Plugin Check: Tested up to WordPress 7.0; corrected i18n translators comments; removed load_plugin_textdomain; PHPCS adjustments for templates, passwords and admin GET flows.

= 1.0.13 =
* Script blocking: added fixed fallback rules for payment scripts (including ePay/Bambora/Worldline domains), which are categorised as necessary so that checkout can work when optional cookies are declined.

= 1.0.12 =
* Compatibility: removed PHP 8 `match` from the settings template and replaced it with switch, so parse errors on older PHP are avoided.

= 1.0.11 =
* Banner: larger cookie icon in the floating reopen button and CSS that resists themes' `button`/`svg` scaling; slightly more room for the banner logo.

= 1.0.10 =
* Script blocking: GTM detection now covers server-side / hosted `gtm.js` (e.g. your own domain with `?id=GTM-…` or Stape verticals), so the same consent rules apply as for googletagmanager.com GTM and scripts avoid incorrect “unknown” blocking.

= 1.0.9 =
* Script blocking: on reload with valid consent in localStorage, the consent is now applied to the DOM (iframe placeholders and blocked scripts), so that e.g. YouTube is shown without having to accept again.

= 1.0.8 =
* Script blocking: skip the server-side buffer when the User-Agent contains `CookieScoutRemoteScan/1` (backend Playwright scanner and wp_remote_get in the plugin), so scanning sees executable tags in the HTML.

= 1.0.7 =
* Banner: schedule boot with DOMContentLoaded + short polling, so init is not skipped if the markup arrives after the script (avoids a “dead” frontend with certain themes/caches).

= 1.0.6 =
* Banner: boot also runs if the DOM is already ready (avoids a hidden banner when the script is loaded late); important for GTM/script blocking and for external scans.

= 1.0.5 =
* Banner: consistent bottom padding in the cookie settings panel (matches sides/top).

= 1.0.4 =
* dataLayer: also emits `cookie_consent_update` (Cookiebot-compatible) on consent, so existing GTM triggers can be reused.

= 1.0.3 =
* Correct Cookie Scout terms/privacy URLs in readme; shortcode return hardening (esc_html__, wp_kses_post); safe shutdown flush for script-blocker output buffer.

= 1.0.2 =
* Stricter escaping (admin UI, banner colours/position), check_ajax_referer on privileged AJAX, hex colour validation, connect-code format check, domain-list documentation, removed inline onclick confirm in favour of enqueued admin JS.

= 1.0.1 =
* Hardened AJAX and checkout return URLs (nonces), improved script loading and output escaping for consent/blocker/GTM, removed frontend “Powered by” credit, admin settings scripts enqueued properly, readme external services documentation.

= 1.0.0 =
* First public release
