CookieShield — Automatically Reject Cookie Vendors with Amazon Nova
Inspiration
Every time I visit a news website, I'm greeted with a cookie banner designed to make rejection as hard as possible. Hundreds of vendors buried in accordions, no Reject All button in sight, and sometimes a "Reject All and Subscribe for £5/month" option that isn't really rejection at all.
I wanted to build something that handles this automatically — so users never have to think about it again. The Amazon Nova hackathon was the perfect opportunity to build it properly, with real AI at the core.
What I Built
CookieShield is a Chrome extension powered by Amazon Nova Lite that automatically rejects all non-essential cookie vendors on any website — without the user doing anything.
It runs silently on page load, detects the cookie consent banner, navigates the full consent flow, and saves the rejection — handling dark patterns, 100+ vendor lists, and multi-step preference panels that no other tool touches.
How I Built It
The project has two components working together:
Chrome Extension (JavaScript)
The extension runs a content script on every page using 5 layers of detection to find cookie banners:
- Layer 1 — Known frameworks: OneTrust, Cookiebot, SourcePoint, BBC ConsentBanner, Didomi, Usercentrics
- Layer 2 — Generic patterns: any element with cookie, consent, or gdpr in its class or ID
- Layer 3 — ARIA attributes: aria-labelledby="consent-banner-title" and similar accessibility labels
- Layer 4 — Visual heuristics: any position: fixed element with z-index > 10 covering 30%+ of the viewport containing cookie keywords
- Layer 5 — Iframe detection: SourcePoint and similar frameworks load banners inside sandboxed iframes — the script runs inside every frame
Once a banner is found, it follows a multi-step rejection flow:
- Check for a free Reject All button → click it if found
- Click "Manage Preferences" / "Cookie Settings" to open the vendor panel
- Look for Reject All inside the panel → click it if found
- Scroll through and uncheck every non-essential checkbox and ARIA toggle
- Send banner HTML to Amazon Nova if rules find nothing
- Click "Save" / "Confirm" to lock in the preferences
Python Backend (Flask)
# The Nova prompt that powers the AI fallback
AI_PROMPT = """
You are a cookie consent analyzer.
Find all CHECKED vendor/advertising inputs.
Skip anything labelled necessary or essential.
Return ONLY valid JSON:
{"selectors": ["#vendor-1", "input[name='marketing']"], "count": 3}
"""
The backend receives banner HTML from the extension, sends it to Amazon Nova Lite via AWS Bedrock, and returns validated CSS selectors to uncheck. All selectors are sanitized against an allowlist regex before being applied.
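The banner HTML comes from the page being visited, so the model's reply has to be treated as untrusted before any selector reaches querySelectorAll. The following is an added example, not CookieShield's own code: the regex, the limits and the function names are assumptions, and it repeats the allowlist check on the extension side and restricts changes to checked checkboxes inside the detected banner.

```javascript
// Added example: names, limits and the allowlist regex are assumptions, not CookieShield's code.
const MAX_SELECTORS = 200;       // assumed cap on selectors per reply
const MAX_SELECTOR_LENGTH = 120; // assumed cap per selector

// One compound selector: optional tag, then #id, .class, [attr] or [attr='value'] parts.
// No combinators, commas, pseudo-classes or "*", so a reply cannot widen its reach.
const PART = String.raw`(?:[#.][\w-]+|\[[\w-]+(?:=(?:'[\w .:-]*'|"[\w .:-]*"))?\])`;
const SAFE_SELECTOR = new RegExp(`^(?:[a-z][a-z0-9]*)?${PART}+$`, 'i');

// Parse the model reply and keep only selectors that pass the allowlist.
function validateModelReply(rawReply) {
  let parsed;
  try {
    parsed = JSON.parse(rawReply);
  } catch {
    return { selectors: [], rejected: [], error: 'not-json' };
  }
  if (parsed === null || typeof parsed !== 'object' || !Array.isArray(parsed.selectors)) {
    return { selectors: [], rejected: [], error: 'bad-shape' };
  }
  const selectors = [];
  const rejected = [];
  for (const s of parsed.selectors.slice(0, MAX_SELECTORS)) {
    const ok = typeof s === 'string' && s.length <= MAX_SELECTOR_LENGTH && SAFE_SELECTOR.test(s);
    (ok ? selectors : rejected).push(s);
  }
  return { selectors, rejected, error: null };
}

// Uncheck only checked checkboxes that sit inside the detected banner element.
function uncheckInBanner(banner, selectors) {
  let changed = 0;
  for (const sel of selectors) {
    for (const el of banner.querySelectorAll(sel)) {
      if (el.tagName === 'INPUT' && el.type === 'checkbox' && el.checked) {
        el.checked = false;
        el.dispatchEvent(new Event('change', { bubbles: true })); // let the consent UI react
        changed += 1;
      }
    }
  }
  return changed;
}

// Constructed sample reply: two plausible selectors and two that must be dropped.
const SAMPLE_REPLY = JSON.stringify({
  selectors: ["#vendor-1", "input[name='marketing']", "form *", "a[href], button"],
});
```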
Challenges I Faced
The offsetParent trap was the most subtle bug. Every cookie
banner uses position: fixed, and Chrome always returns
offsetParent = null for fixed elements — making our visibility
check fail silently on 100% of real banners. Switching to
getBoundingClientRect() fixed it instantly.
// the wrong way: always false for position: fixed
if (el && el.offsetParent !== null) return el;
// the right way: checks actual rendered size
function isVisible(el) {
  const rect = el.getBoundingClientRect();
  return rect.width > 0 && rect.height > 0;
}
Iframe sandboxing — SourcePoint loads the entire cookie banner
inside a sandboxed iframe. The fix was adding "all_frames": true
to manifest.json so the content script runs inside every frame,
not just the top-level document.
Dark patterns — sites like The Guardian attach "Reject All" to a £5/month subscription. We built pattern matching that distinguishes a genuine free rejection from a paid one:
const PAID_PATTERNS = [
  /subscribe/i, /per\s*month/i, /£|\$|€/, /ad-lite/i
];
// Only treat as a real reject button if it matches AND is not paid
if (matchesReject && !isPaid) clickIt();
AWS activation delays during development meant building with Google Gemini first as a drop-in replacement, then swapping to Nova once the account was ready — a good lesson in building modular, swappable AI integrations.
What I Learned
- Chrome Extension CSP rules block all inline onclick= handlers — every event listener must live in a .js file
- Cookie consent is a deeply fragmented ecosystem — every framework does things differently, which is exactly why AI is the right fallback for banners that don't match known patterns
- Amazon Nova Lite is remarkably accurate at parsing messy HTML and returning structured JSON — at less than $0.001 per request, it's practical for real-world daily use
- The gap between "Chrome blocks third-party cookies" and "user actually rejected consent" is enormous — and completely unaddressed by existing tools
What's Next
- Deploy the Flask backend to AWS Lambda so users don't need Python installed — making it a true one-click Chrome Web Store install
- Add Nova Sonic voice feedback: "CookieShield blocked 47 vendors on this site"
- Submit to the Chrome Web Store for public use
Built With
- amazon-nova-lite
- aws-bedrock
- chrome-extension-manifest-v3
- css
- flask
- html
- javascript
- python