# Manual Script & iframe Blocking Setup

> [CMP v1] Learn how to set up manual cookie and tracker blocking in Secure Privacy — including script type rewriting and iframe prior consent blocking for YouTube, Vimeo, and other third-party embeds.

- Canonical: https://support.secureprivacy.ai/article/cmp-v1-howto-setup-manual-blocking
- Product: Consent Management
- Category: Secure Privacy Legacy
- Published: 2026-03-06T12:44:00+00:00
- Updated: 2026-03-26T21:30:47.025+00:00
- Reading time: 3 minutes

---

Secure Privacy offers two types of cookie and tracker blocking — **automated blocking** and **manual blocking**. This article explains how to set up **manual blocking for scripts and iframes**, including how to rewrite script attributes and implement prior consent blocking for embedded third-party content such as YouTube and Vimeo.

## Who Is This For?

-   Website administrators implementing manual cookie and tracker blocking with Secure Privacy
    
-   Developers rewriting script and iframe attributes to hold cookies until visitor consent is given
    
-   Compliance teams ensuring third-party embeds do not set cookies before prior consent is obtained
    

## Manual Script and Cookie Blocking

To block cookies and trackers from loading until a visitor provides consent, you need to modify the attributes of script tags on your website. Follow these steps:

1.  **For pixel or image trackers:** Rename the `src` attribute to `data-src` on the image tag. This prevents the tracker from firing until consent is given.
    
2.  **For script tags:** Use script type rewriting. Change the `type` attribute of the script tag so that the browser does not execute it automatically.
    
    A normal Google Analytics script tag looks like this:
    
    `<!-- Insert your original script tag here -->`
    
    After applying script type rewriting, it should look like this:
    
    `<!-- Insert your rewritten script tag with updated type attribute here -->`
    

For a step-by-step walkthrough using Wix.com as an example, watch the [video tutorial on manual script blocking](https://www.loom.com/share/5f7f6b2c88674de68d7be018720a2326).

![Wix dashboard showing where to paste a script for manual cookie consent blocking](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/831cd12970605560f838-b9eadb458793.webp)

## Manual iframe Blocking Setup

This section covers the scenario where iframes embedded on your website — such as YouTube or Vimeo videos — set cookies or trackers that require the visitor's prior consent before loading.

Secure Privacy will block the iframe from loading until the visitor has provided consent for the relevant plugin. Once consent is given, the content loads automatically.

### How to implement prior consent for iframes

Using YouTube as an example, follow these steps to apply prior consent blocking to an embedded iframe:

1.  Apply the attribute `sp-consent="PLUGIN NAME"` to the iframe tag on your website. The plugin name must exactly match the name shown in your Secure Privacy Scan Report.
    
2.  Change the `src` attribute to `data-src` to prevent the iframe from loading until consent is received.
    

For example, the original YouTube iframe:

`<!-- Insert your original iframe tag with src attribute here -->`

Changes to the following (with `src` renamed to `data-src` and the `sp-consent` attribute applied):

`<!-- Insert your updated iframe tag with data-src and sp-consent="Youtube" here -->`

In this example, the plugin name is **Youtube** — verify the exact name in your Secure Privacy Scan Report before applying.

**Note 1:** YouTube offers an alternative domain — [www.youtube-nocookie.com](https://www.youtube-nocookie.com) — that does not set HTTP cookies. However, this domain sets persistent "super cookies" in the browser's HTML localStorage, which also require prior consent. Manual blocking is still required.

**Note 2:** Manual iframe blocking is required even if you are using Secure Privacy's auto-blocking feature. Auto-blocking currently only applies to iframes created dynamically by JavaScript — such as advertising iframes injected by a script. For iframes embedded directly in your page HTML — such as YouTube video embeds — you must follow the manual blocking steps described in this article.

## Frequently Asked Questions

### What is the difference between automated and manual blocking in Secure Privacy?

Automated blocking detects and blocks scripts and dynamically injected iframes without requiring changes to your page code. Manual blocking requires you to modify the attributes of script and iframe tags directly in your HTML — renaming `src` to `data-src` and adding the `sp-consent` attribute. Manual blocking is required for iframes embedded directly in page HTML, including most YouTube and Vimeo embeds.

### Where do I find the plugin name to use in the sp-consent attribute?

The plugin name is listed in your Secure Privacy Scan Report. Navigate to your Secure Privacy dashboard and open the Scan Report for your domain — the exact plugin name to use in `sp-consent="PLUGIN NAME"` is shown against each detected tracker or third-party embed.

### Does using youtube-nocookie.com mean I don't need to block the YouTube iframe?

No. While `youtube-nocookie.com` does not set HTTP cookies, it stores persistent data in the browser's HTML localStorage — which also constitutes tracking and requires prior consent under the ePrivacy Directive and GDPR. Manual blocking must still be applied even when using the nocookie domain.

## See Also

-   [Secure Privacy Pricing Plans Overview](https://support.secureprivacy.ai/article/secure-privacy-pricing-plans--consent-management-platform)
    
-   [Secure Privacy Volume Discounts | Custom Consent Storage Pricing](https://support.secureprivacy.ai/article/secure-privacy-volume-discounts--custom-consent-storage-pricing)
    
-   [Website Visits vs Page Views vs Consent Explained](https://support.secureprivacy.ai/article/website-visits-vs-page-views-vs-consent-explained)
