The snippet
Every supported attribute on the loader tag.
Attributes
One required attribute, three optional.
src | Stable URL: https://cdn.cookielint.com/banner/banner.boot.js. Updates roll out from the same path; no snippet changes needed. The boot script installs the blocking engine synchronously, then injects the chunked banner module (which loads the heavier pieces — TCF encoder, GPP encoder, preferences modal — on demand). |
data-site-id | Required. Identifies your site in our system. Format cl_... Find it on the site settings page in the dashboard. |
async | Optional. With "async", the boot script fetches in parallel with HTML parsing. Without "async", it blocks the parser until the blocking engine is installed — required for strict pre-consent enforcement against inline tracker tags. |
data-blocking-mode | Optional. Either "fast" (default) or "strict". Strict starts every non-essential category denied until the visitor decides, regardless of the banner config defaults. Pair with no "async" attribute for the strongest pre-consent guarantee. |
data-api-base | Optional. Overrides the inferred API origin. Useful when pointing at a staging backend or a non-default API region. |
For most sites, the async fast embed is the right default — it does not delay first paint, and trackers loaded through tag managers (GTM, Segment, Cloudflare Zaraz) all fire after the blocking engine is in place. Use the sync embed (no async, with data-blocking-mode="strict") when your page has inline <script> tags that fire trackers directly during parsing.
Signed config payload
The banner config payload is fetched at runtime, signed with both HMAC-SHA256 and Ed25519, and cached in localStorage for 24 hours with background revalidation. The runtime verifies the Ed25519 signature on every read (fresh or cached) and refuses to render if verification fails, so a tampered CDN response or a poisoned cache entry cannot serve a forged config.