Cookie Status

The website is a knowledge sharing resource for the various tracking protection mechanisms implemented by the major browsers and browser engines.

For more information about the service, please consult the FAQ.

Please submit suggestions and corrections as issues in the GitHub project. Click here to find your way.

Current status

Changes added in the latest release of each browser are indicated with yellow highlight. You can click the icon to be redirected to the respective section in each browser’s own “Current Status” page.

Last updated: 21 January 2021
Updated Brave with less strict referrer policy (now defaults to strict-origin-when-cross-origin instead of removing cross-site referrer altogether)..

Suggest an edit

Toggle full screen

Brave Chrome Edge Firefox Safari Cliqz
Mechanism Shields n/a Tracking prevention Enhanced Tracking Protection (ETP) Intelligent Tracking Prevention (ITP) Anti-Tracking
Deployed in 0.55.18 n/a 69.0 Safari 11 1.30.0
Latest release Link Link Link Link Link Link
Default protection mode Default Shield settings n/a Balanced Standard ITP enabled Default Anti-Tracking settings
Classification of “known trackers” Multiple filter lists n/a Trust Protection Lists (with engagement and organization mitigation) Algorithmic Algorithmic
Cookies in 3rd party context All access restricted. No restrictions. Access restricted for known trackers. Access restricted for known trackers.

All access restricted, except with Storage Access API.

Access restricted for known trackers, with mitigations for user interaction and critical flows (e.g. some oAuth implementations).

Cookies set on tracker origins without first-party interaction expire in 1 hour.

Cookies in 1st party context

For cookies set with document.cookie, expiration set to 7 days.

Otherwise maximum expiry set to 6 months.

No restrictions. No restrictions. All storage is purged from known trackers daily, unless the user has interacted with the site in first-party context within the last 45 days.

For cookies set with document.cookie, expiration set to 7 days.

For cookies set with document.cookie, expiration set to 24 hours on pages with URL decoration (query parameters or fragments) when referring domain is a known tracker.

Cookies set on tracker domains with infrequent first-party interaction expire in 7 days. Otherwise expiration set to 30 days after last visit to site.

Cookies set with document.cookie have a maximum expiration of 7 days.

Other browser storage in 3rd party context No restrictions. No restrictions.

Access restricted for known trackers.

No restrictions for other domains.

localStorage and IndexedDB restricted for known trackers.

sessionStorage is not restricted.

No restrictions for other domains.

localStorage is partitioned and reset between application launches.

IndexedDB is restricted.

sessionStorage is not restricted.

No restrictions.
Other browser storage in 1st party context No restrictions. No restrictions. No restrictions. All storage is purged from known trackers daily, unless the user has interacted with the site in first-party context within the last 45 days. Restricted to 7 days since last interaction (click, tap, text input) with the site. No restrictions.
CNAME cloaking Brave blocks any network requests where either the requested URL or that URL’s CNAME record matches any rules in Brave’s blocklists. No restrictions. No restrictions. No restrictions. On Safari 14 (requires Big Sur) and on all major iOS and iPadOS 14.2+ browser apps, expiration of cookies set with Set-Cookie HTTP response headers is 7 days at most, if the response originates from a subdomain that has a CNAME alias to a cross-site origin. No restrictions.

Cross-site referrers are spoofed (set to the referred-to rather than the referred-from origin) in non-navigational HTTP requests.

strict-origin-when-cross-origin or stricter referrer policy in cross-site navigational requests.

Same-site navigation preserves the referrer.

Default browser policy (strict-origin-when-cross-origin) Default browser policy (strict-origin-when-cross-origin) strict-origin-when-cross-origin for requests to known tracker domains, otherwise no-referrer-when-downgrade.

Downgrade cross-site document.referrer to origin.

Downgrade all cross-site request headers to origin.

For referrers that are known trackers, where the referring page also has URL decoration (query parameters or fragments), document.referrer is downgraded to eTLD+1.

Strip all cross-origin referrers to origin.

Removes known tracking parameters (fbclid, gclid, msclkid, mc_eid, and others) from URL query strings.

Randomize HTML canvas fingerprints by first-party domain.

n/a n/a Automatically block requests to tracking domains that are also listed in the Fingerprinting category of the list.

Detect delays in bounce trackers and treat them as regular bounces.

Extend WebKit’s tracking protections to all browsers running on iOS 14 and newer. These protections can only be disabled by the user.

Purge all site data from classified domains if no user interaction (or Storage Access API grant) in first-party context has been recorded in the last 30 days.

Algorithmically identify and purge unique user identifiers from requests to third-party domains.

The Cliqz project has been shut down.

Bubbling under

Last updated: 2 December 2020


1. Why does this resource exist?

Web browsers are going through fairly momentous shifts in order to better respond to the increasing number of data breaches and cases of data misuse by third parties.

Unfortunately, each browser (and the underlying browser engine) seems to have their own interpretation of how to best tackle the problem, which leads to a diverse set of features across the browser landscape.

What’s worse, the information about how these tracking protection mechanisms are deployed is all over the place: in release notes, in developer documentation, in Twitter threads, in working groups, in feature drafts, in bug patches, etc.

The purpose of the Cookie Status resource is to (attempt to) collect this information in one place for easy access and perusal.

There is no commercial agenda behind this project. In fact, there is no agenda other than knowledge transfer.

2. Why only these browsers?

Just to kick things off. Hopefully the open-source nature of this project will invite others to contribute details about browsers that are doing significant work with regard to user privacy.

Cookie Status doesn’t use browser cookies, localStorage, or IndexedDB.

sessionStorage is used to add some functionality to navigation (marking visited pages, highlighting search terms).

Nothing in browser storage is sent to any third parties at any time.

If you see anything contrary to the above, please raise an issue about this.

4. Why are you collecting data to Google Analytics?

Cookie Status collects a simple pageview hit from the page loads that happen on This is simply to gauge the relative “usage” of different parts of the site.

The payload uses an obfuscated User-Agent string, the IP address is anonymized (by removing the last octet before it hits the GA reports), and no persistent identifiers are used or stored.