About
Consent Manager uses two technical mechanisms to prevent external content from loading without user consent. Depending on how the content is embedded in Moodle, either the filter or the Content Security Policy applies.
Filter mechanism
Whenever content is entered anywhere in Moodle, it is processed by Moodle’s PHP filters before being displayed. Consent Manager checks this content during that process. If the content includes an external source, the plugin verifies whether the required consent has been given.
If consent has not been granted, the external content is replaced with a placeholder. Only after the user gives consent will the original content be displayed.
This mechanism applies to content that is entered directly into Moodle, for example embedded links that would normally be converted by Moodle’s Media filter. Before a YouTube link is rendered as a video, Consent Manager checks whether it is allowed to be shown.
Content Security Policy as fallback
This mechanism works independently of how or where the content was added. If the browser attempts to load a resource from a non-local source anywhere in the page HTML, the CSP interrupts the loading process.
No data is transferred to the external provider. The loading attempt is interrupted by the browser based on the defined security policy.
The CSP acts as a fallback for cases where content is not processed through Moodle’s standard filter system. A typical example is externally embedded content that is injected directly into the page structure, such as certain video integrations.
Together, these two mechanisms ensure that external content is only loaded after the required user consent has been given.