Cookie Status

The cookiestatus.com website is a knowledge sharing resource for the various tracking protection mechanisms implemented by the major browsers and browser engines.

For more information about the service, please consult the FAQ.

Please submit suggestions and corrections as issues in the GitHub project. Click here to find your way.

Current status

Changes added in the latest release of each browser are indicated with yellow highlight. You can click the icon to be redirected to the respective section in each browser's own “Current Status” page.

Last updated: 30 January 2020
Clarify Safari's cookie restrictions in third-party context.

Suggest an edit

Toggle full screen

Brave Chrome Cliqz Edge Firefox Safari
Mechanism Shields n/a Anti-Tracking Tracking prevention Enhanced Tracking Protection (ETP) Intelligent Tracking Prevention (ITP)
Deployed in 0.55.18 n/a 1.30.0 78.0.276.8 69.0 Safari 11
Latest release Link Link Link Link Link Link
Default protection mode Default Shield settings n/a Default Anti-Tracking settings Balanced Standard ITP enabled
Classification of “known trackers” Multiple filter lists n/a Algorithmic Trust Protection Lists (with engagement and organization mitigation) Disconnect.me Algorithmic
Cookies in 3rd party context All access restricted. No restrictions.

Access restricted for known trackers, with mitigations for user interaction and critical flows (e.g. some oAuth implementations).

Cookies set on tracker origins without first-party interaction expire in 1 hour.

Access restricted for known trackers. Access restricted for known trackers.

Access restricted for all third-party cookies if no user interaction in the last 30 days with the website whose URL is in the address bar.

Access restricted if no prior cookies set on the third-party domain.

Access restricted for known trackers.

Cookies in 1st party context

For cookies set with document.cookie, expiration set to 7 days.

Otherwise maximum expiry set to 6 months.

No restrictions.

Cookies set on tracker domains with infrequent first-party interaction expire in 7 days. Otherwise expiration set to 30 days after last visit to site.

Cookies set with document.cookie have a maximum expiration of 7 days.

No restrictions. No restrictions.

For cookies set with document.cookie, expiration set to 7 days.

For cookies set with document.cookie, expiration set to 24 hours on pages with URL decoration (query parameters or fragments) when referring domain is a known tracker.

Other browser storage in 3rd party context No restrictions. No restrictions. No restrictions.

Access restricted for known trackers.

No restrictions for other domains.

localStorage and IndexedDB restricted for known trackers.

sessionStorage is not restricted.

No restrictions for other domains.

localStorage is partitioned and reset between application launches.

IndexedDB is restricted.

sessionStorage is not restricted.

Other browser storage in 1st party context No restrictions. No restrictions. No restrictions. No restrictions. No restrictions. Restricted to 7 days since last interaction (click, tap, text input) on pages with URL decoration (query parameters or fragments) when referring domain is a known tracker.
Referrer

Cross-site referrers are spoofed (set to the referred-to rather than the referred-from origin) in non-navigational HTTP requests.

Cross-site referrers are stripped in navigational HTTP requests.

Same-site navigation preserves the referrer.

Default browser policy (no-referrer-when-downgrade) Strip all cross-origin referrers to origin. Default browser policy (no-referrer-when-downgrade) Default browser policy (no-referrer-when-downgrade)

Strip all referrers in non-navigational HTTP requests to origin.

For referrers that are known trackers, where the referring page also has URL decoration (query parameters or fragments), document.referrer is downgraded to eTLD+1.

Other Removes known tracking parameters (fbclid, gclid, msclkid, mc_eid) from URL query strings. n/a Algorithmically identify and purge unique user identifiers from requests to third-party domains. n/a Automatically block requests to tracking domains that are also listed in the Fingerprinting category of the Disconnect.me list. n/a

Bubbling under

Last updated: 10 January 2020

FAQ

1. Why does this resource exist?

Web browsers are going through fairly momentous shifts in order to better respond to the increasing number of data breaches and cases of data misuse by third parties.

Unfortunately, each browser (and the underlying browser engine) seems to have their own interpretation of how to best tackle the problem, which leads to a diverse set of features across the browser landscape.

What's worse, the information about how these tracking protection mechanisms are deployed is all over the place: in release notes, in developer documentation, in Twitter threads, in working groups, in feature drafts, in bug patches, etc.

The purpose of the Cookie Status resource is to (attempt to) collect this information in one place for easy access and perusal.

There is no commercial agenda behind this project. In fact, there is no agenda other than knowledge transfer.

2. Why only these browsers?

Just to kick things off. Hopefully the open-source nature of this project will invite others to contribute details about browsers that are doing significant work with regard to user privacy.

Cookie Status doesn't use browser cookies, localStorage, or IndexedDB.

sessionStorage is used to add some functionality to navigation (marking visited pages, highlighting search terms).

Nothing in browser storage is sent to any third parties at any time.

If you see anything contrary to the above, please raise an issue about this.

4. Why are you collecting data to Google Analytics?

Cookie Status collects a simple pageview hit from the page loads that happen on https://www.cookiestatus.com/. This is simply to gauge the relative “usage” of different parts of the site.

The payload uses an obfuscated User-Agent string, the IP address is anonymized (by removing the last octet before it hits the GA reports), and no persistent identifiers are used or stored.