The cookiestatus.com website is a knowledge sharing resource for the various tracking protection mechanisms implemented by the major browsers and browser engines.
For more information about the service, please consult the FAQ.
Please submit suggestions and corrections as issues in the GitHub project. Click here to find your way.
Last updated: 21 January 2021
Updated Brave with less strict referrer policy (now defaults to
strict-origin-when-cross-origin instead of removing cross-site referrer altogether)..
|Mechanism||Shields||n/a||Tracking prevention||Enhanced Tracking Protection (ETP)||Intelligent Tracking Prevention (ITP)||Anti-Tracking|
|Deployed in||0.55.18||n/a||78.0.276.8||69.0||Safari 11||1.30.0|
|Default protection mode||Default Shield settings||n/a||Balanced||Standard||ITP enabled||Default Anti-Tracking settings|
|Classification of “known trackers”||Multiple filter lists||n/a||Trust Protection Lists (with engagement and organization mitigation)||Disconnect.me||Algorithmic||Algorithmic|
|Cookies in 3rd party context||All access restricted.||No restrictions.||Access restricted for known trackers.||Access restricted for known trackers.|
|Cookies in 1st party context||No restrictions.||No restrictions.||All storage is purged from known trackers daily, unless the user has interacted with the site in first-party context within the last 45 days.|
|Other browser storage in 3rd party context||No restrictions.||No restrictions.||No restrictions.|
|Other browser storage in 1st party context||No restrictions.||No restrictions.||No restrictions.||All storage is purged from known trackers daily, unless the user has interacted with the site in first-party context within the last 45 days.||Restricted to 7 days since last interaction (click, tap, text input) with the site.||No restrictions.|
|CNAME cloaking||Brave blocks any network requests where either the requested URL or that URL’s CNAME record matches any rules in Brave’s blocklists.||No restrictions.||No restrictions.||No restrictions.|| On Safari 14 (requires Big Sur) and on all major iOS and iPadOS 14.2+ browser apps, expiration of cookies set with
|Referrer|| Default browser policy (
|| Default browser policy (
||Strip all cross-origin referrers to origin.|
|Other||n/a||n/a||Automatically block requests to tracking domains that are also listed in the Fingerprinting category of the Disconnect.me list.||
The Cliqz project has been shut down.
Last updated: 2 December 2020
strict-origin-when-cross-origindefault referrer policy.
isLoggedIn(work item in the Privacy Community Group).
Web browsers are going through fairly momentous shifts in order to better respond to the increasing number of data breaches and cases of data misuse by third parties.
Unfortunately, each browser (and the underlying browser engine) seems to have their own interpretation of how to best tackle the problem, which leads to a diverse set of features across the browser landscape.
What’s worse, the information about how these tracking protection mechanisms are deployed is all over the place: in release notes, in developer documentation, in Twitter threads, in working groups, in feature drafts, in bug patches, etc.
The purpose of the Cookie Status resource is to (attempt to) collect this information in one place for easy access and perusal.
There is no commercial agenda behind this project. In fact, there is no agenda other than knowledge transfer.
Just to kick things off. Hopefully the open-source nature of this project will invite others to contribute details about browsers that are doing significant work with regard to user privacy.
Cookie Status doesn’t use browser cookies,
sessionStorage is used to add some functionality to navigation (marking visited pages, highlighting search terms).
Nothing in browser storage is sent to any third parties at any time.
If you see anything contrary to the above, please raise an issue about this.
Cookie Status collects a simple pageview hit from the page loads that happen on https://www.cookiestatus.com/. This is simply to gauge the relative “usage” of different parts of the site.
The payload uses an obfuscated User-Agent string, the IP address is anonymized (by removing the last octet before it hits the GA reports), and no persistent identifiers are used or stored.