Service worker
Deeper coverage for requests that fire before any JavaScript runs.
Why install it
Optional, but the deepest coverage layer. The page-level blocking engine that ships in banner.boot.js installs synchronously and catches anything fired by scripts placed after the snippet. The first paint, image preloads, and any HTTP request the HTML parser kicks off before banner.boot.js itself finishes downloading still escape it. A service worker sits one layer deeper: it intercepts every outbound HTTP request from any page on your origin, including the ones that go out before any JavaScript runs.
Setup
Browsers require service worker scripts to live on the same origin as the page that registers them, so we cannot host the file for you. The integration is a one-line shim that pulls in the real worker from our CDN:
    importScripts('https://cdn.cookielint.com/sw/cookielint-sw.js');
Save that file at your site root (so it resolves to https://your-site.com/cookielint-sw.js). The banner registers it automatically on the next page load; interception begins on the same page view once activation completes.
Requirements
HTTPS | Service workers do not register on plain HTTP. Localhost is exempt for development. |
CSP | If your site sends a Content-Security-Policy header, it must allow worker-src 'self' so the worker can register, and script-src https://cdn.cookielint.com so the imported script can load. With a strict default-src and neither directive set, registration silently fails. |
Single worker per scope | Browsers run at most one service worker per scope. If you already ship a worker (a PWA cache, a push-notification handler), do not deploy a second cookielint-sw.js file. Add the importScripts line to your existing worker instead. |
Updates | Browsers check for a new worker by hashing the registered script. The shim file above never changes, so updates to the imported CDN script propagate through normal HTTP cache revalidation (max 24 hours by default). For instant rollout, pin a version in the URL, for example ?v=2026-05-17, and bump it on each release. |
What gets blocked
The worker uses the same vendor database the page-level engine uses, and the same per-visitor consent grants. On every fetch it checks the destination URL against the vendor patterns and responds with 204 No Content for anything the visitor has not granted. First-party requests that do not match any vendor pattern pass through untouched, with one exception: when behavior.blockUntilDecision is on and the visitor has not decided yet, the worker holds back unclassified requests too. Turn that off in the banner editor if it interferes with your own first-party scripts.
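The per-request decision described above, sketched as an added example (this is not CookieLint's worker code). The vendor entries, category names, the shape of the state object, the message-based consent sync and the navigation exemption are assumptions made for illustration.

```javascript
// Added sketch, not CookieLint's worker. Vendor entries, category names and
// the shape of `state` are constructed for illustration.
const VENDORS = [
  { category: 'analytics', hosts: ['example-analytics.test'] },
  { category: 'marketing', hosts: ['px.example-ads.test'] },
];

// Match on the parsed hostname (exact or dot-bounded suffix), never on a
// substring of the URL, so look-alike hosts and query strings cannot match.
function matchVendor(url) {
  const host = url.hostname.toLowerCase();
  return VENDORS.find(v =>
    v.hosts.some(h => host === h || host.endsWith('.' + h))) || null;
}

// Returns 'pass', 'block' (ungranted vendor) or 'hold' (unclassified request
// while blockUntilDecision is on and the visitor has not decided).
function decide(requestUrl, state) {
  let url;
  try { url = new URL(requestUrl); } catch { return 'pass'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'pass';
  const vendor = matchVendor(url);
  if (vendor) return state.grants.includes(vendor.category) ? 'pass' : 'block';
  return state.blockUntilDecision && !state.decided ? 'hold' : 'pass';
}

// Assumed default: nothing granted until consent state arrives. The browser can
// stop an idle worker at any time, so a production worker would persist this.
let state = { grants: [], decided: false, blockUntilDecision: false };

// Wire-up runs only inside a real service worker, so the file also loads in Node.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  // Assumption: the page posts the visitor's current consent state to the worker.
  self.addEventListener('message', e => {
    const d = e.data || {};
    state = {
      grants: Array.isArray(d.grants) ? d.grants : [],
      decided: !!d.decided, blockUntilDecision: !!d.blockUntilDecision,
    };
  });
  self.addEventListener('fetch', event => {
    // Assumption: top-level navigations are never held, or the site could not load.
    if (event.request.mode === 'navigate') return;
    if (decide(event.request.url, state) === 'pass') return; // browser fetches as usual
    // The page describes the blocked response as 204 No Content; this sketch
    // answers held requests the same way.
    event.respondWith(new Response(null, { status: 204 }));
  });
}
```

Matching on the parsed hostname rather than the raw URL string is what keeps a first-party request with a vendor name in its query string from being blocked.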

