Cookie Status

The cookiestatus.com website is a knowledge sharing resource for the various tracking protection mechanisms implemented by the major browsers and browser engines.

For more information about the service, please consult the FAQ.

Please submit suggestions and corrections as issues in the GitHub project. Click here to find your way.

Current status

Changes added in the latest release of each browser are indicated with yellow highlight. You can click the icon to be redirected to the respective section in each browser's own “Current Status” page.

Last updated: 13 July 2020
Note about all iOS browsers now having WebKit's tracking preventions on by default.
Move Cliqz to last in the list, note about sunset.


| | Brave | Chrome | Edge | Firefox | Safari | Cliqz |
|---|---|---|---|---|---|---|
| Mechanism | Shields | n/a | Tracking prevention | Enhanced Tracking Protection (ETP) | Intelligent Tracking Prevention (ITP) | Anti-Tracking |
| Deployed in | 0.55.18 | n/a | 78.0.276.8 | 69.0 | Safari 11 | 1.30.0 |
| Latest release | Link | Link | Link | Link | Link | Link |
| Default protection mode | Default Shield settings | n/a | Balanced | Standard | ITP enabled | Default Anti-Tracking settings |
| Classification of “known trackers” | Multiple filter lists | n/a | Trust Protection Lists (with engagement and organization mitigation) | Disconnect.me | Algorithmic | Algorithmic |
| Cookies in 3rd party context | All access restricted. | No restrictions. | Access restricted for known trackers. | Access restricted for known trackers. | All access restricted, except with Storage Access API. | Access restricted for known trackers, with mitigations for user interaction and critical flows (e.g. some oAuth implementations). Cookies set on tracker origins without first-party interaction expire in 1 hour. |
| Cookies in 1st party context | For cookies set with document.cookie, expiration set to 7 days. Otherwise maximum expiry set to 6 months. | No restrictions. | No restrictions. | No restrictions. | For cookies set with document.cookie, expiration set to 7 days. For cookies set with document.cookie, expiration set to 24 hours on pages with URL decoration (query parameters or fragments) when referring domain is a known tracker. | Cookies set on tracker domains with infrequent first-party interaction expire in 7 days. Otherwise expiration set to 30 days after last visit to site. Cookies set with document.cookie have a maximum expiration of 7 days. |
| Other browser storage in 3rd party context | No restrictions. | No restrictions. | Access restricted for known trackers. No restrictions for other domains. | localStorage and IndexedDB restricted for known trackers. sessionStorage is not restricted. No restrictions for other domains. | localStorage is partitioned and reset between application launches. IndexedDB is restricted. sessionStorage is not restricted. | No restrictions. |
| Other browser storage in 1st party context | No restrictions. | No restrictions. | No restrictions. | No restrictions. | Restricted to 7 days since last interaction (click, tap, text input) with the site. | No restrictions. |
| Referrer | Cross-site referrers are spoofed (set to the referred-to rather than the referred-from origin) in non-navigational HTTP requests. Cross-site referrers are stripped in navigational HTTP requests. Same-site navigation preserves the referrer. | Default browser policy (no-referrer-when-downgrade) | Default browser policy (no-referrer-when-downgrade) | Default browser policy (no-referrer-when-downgrade) | Downgrade cross-site document.referrer to origin. Downgrade all cross-site request headers to origin. For referrers that are known trackers, where the referring page also has URL decoration (query parameters or fragments), document.referrer is downgraded to eTLD+1. | Strip all cross-origin referrers to origin. |
| Other | Removes known tracking parameters (fbclid, gclid, msclkid, mc_eid) from URL query strings. Randomize HTML canvas fingerprints by first-party domain. | n/a | n/a | Automatically block requests to tracking domains that are also listed in the Fingerprinting category of the Disconnect.me list. | Detect delays in bounce trackers and treat them as regular bounces. Extend WebKit's tracking protections to all browsers running on iOS 14 and newer. These protections can only be disabled by the user. | Algorithmically identify and purge unique user identifiers from requests to third-party domains. The Cliqz project has been shut down. |
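
The "Referrer" and "Other" rows can be checked against concrete URLs. The JavaScript below is an added example (not code from Cookie Status or from any browser) that models the removal of the listed tracking parameters, the "URL decoration" test, and the difference between the default no-referrer-when-downgrade policy and stripping cross-origin referrers to origin. The function names, the `strip-cross-origin` mode label and the sample URLs are assumptions made for illustration, and the downgrade check is simplified to HTTPS versus non-HTTPS.

```javascript
// Added illustration; a simplified model, not any browser's implementation.
// Parameter list taken from the "Other" row of the table.
const TRACKING_PARAMS = ['fbclid', 'gclid', 'msclkid', 'mc_eid'];

// Remove the listed parameters from the query string; keep path, other
// parameters and fragment. Note: editing searchParams re-serializes the
// query, so the percent-encoding of remaining parameters can change.
function stripTrackingParams(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of TRACKING_PARAMS) url.searchParams.delete(name);
  return url.toString();
}

// "URL decoration" as the table defines it: query parameters or fragments.
function hasUrlDecoration(rawUrl) {
  const url = new URL(rawUrl);
  return url.search !== '' || url.hash !== '';
}

// What the destination sees as the referrer under two of the table's policies.
// 'no-referrer-when-downgrade' : full URL unless HTTPS -> non-HTTPS (simplified)
// 'strip-cross-origin'         : hypothetical label for "strip all cross-origin
//                                referrers to origin"
function referrerFor(referrerUrl, targetUrl, policy) {
  const ref = new URL(referrerUrl);
  const target = new URL(targetUrl);
  // A referrer never carries the fragment, but it does carry the query string.
  const full = ref.origin + ref.pathname + ref.search;
  switch (policy) {
    case 'no-referrer-when-downgrade':
      return ref.protocol === 'https:' && target.protocol !== 'https:' ? '' : full;
    case 'strip-cross-origin':
      return ref.origin === target.origin ? full : ref.origin + '/';
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample: a page whose URL carries a session value in the query.
const page = 'https://shop.example/cart?session=abc&gclid=xyz#pay';
const thirdParty = 'https://cdn.example/lib.js';
console.log(stripTrackingParams(page));
console.log(referrerFor(page, thirdParty, 'no-referrer-when-downgrade'));
console.log(referrerFor(page, thirdParty, 'strip-cross-origin'));
```

Under the default policy the third-party origin receives the page's full path and query string, which is why sensitive values in URLs are a concern on browsers that do not downgrade referrers.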

Bubbling under

Last updated: 13 July 2020

FAQ

1. Why does this resource exist?

Web browsers are going through fairly momentous shifts in order to better respond to the increasing number of data breaches and cases of data misuse by third parties.

Unfortunately, each browser (and the underlying browser engine) seems to have its own interpretation of how to best tackle the problem, which leads to a diverse set of features across the browser landscape.

What's worse, the information about how these tracking protection mechanisms are deployed is all over the place: in release notes, in developer documentation, in Twitter threads, in working groups, in feature drafts, in bug patches, etc.

The purpose of the Cookie Status resource is to (attempt to) collect this information in one place for easy access and perusal.

There is no commercial agenda behind this project. In fact, there is no agenda other than knowledge transfer.

2. Why only these browsers?

Just to kick things off. Hopefully the open-source nature of this project will invite others to contribute details about browsers that are doing significant work with regard to user privacy.

Cookie Status doesn't use browser cookies, localStorage, or IndexedDB.

sessionStorage is used to add some functionality to navigation (marking visited pages, highlighting search terms).

Nothing in browser storage is sent to any third parties at any time.

If you see anything contrary to the above, please raise an issue about this.

4. Why are you collecting data to Google Analytics?

Cookie Status collects a simple pageview hit from the page loads that happen on https://www.cookiestatus.com/. This is simply to gauge the relative “usage” of different parts of the site.

The payload uses an obfuscated User-Agent string, the IP address is anonymized (by removing the last octet before it hits the GA reports), and no persistent identifiers are used or stored.