cookies

Enables extensions to get and set cookies, and be notified when they change.

Permissions

To use this API, an add-on must specify the "cookies" API permission in its manifest.json file, along with host permissions for any sites for which it wishes to access cookies. The add-on may read or write any cookies which could be read or written by a URL matching the host permissions. For example:

http://*.example.com/

An add-on with this host permission may:

  • Read a non-secure cookie for www.example.com, with any path.
  • Write a secure or non-secure cookie for www.example.com, with any path.

It may not:

  • Read a secure cookie for www.example.com.
http://www.example.com/

An add-on with this host permission may:

  • Read a non-secure cookie for www.example.com, with any path.
  • Read a non-secure cookie for .example.com, with any path.
  • Write a secure or non-secure cookie for www.example.com with any path.
  • Write a secure or non-secure cookie for .example.com with any path.

It may not:

  • Read or write a cookie for foo.example.com.
  • Read or write a cookie for foo.www.example.com.
*://*.example.com/

An add-on with this host permission may:

  • Read or write a secure or non-secure cookie for www.example.com with any path.

Tracking protection

Trackers use third-party cookies, that is, cookies set by a website other than the one you are on, to identify the websites you visit. For example:

  1. You visit a-shopping-site.com, which uses ad-tracker.com to deliver its adverts on the web. ad-tracker.com sets a cookie associated with the ad-tracker.com domain. While you are on a-shopping-site.com, ad-tracker.com receives information about the products you browse.
  2. You now visit a-news-site.com that uses ad-tracker.com to deliver adverts. ad-tracker.com read its cookie and use the information collected from a-shopping-site.com to decide which adverts to display to you.

Firefox includes features to prevent tracking. These features separate cookies so that trackers cannot make an association between websites visited. So, in the preceding example, ad-tracker.com cannot see the cookie created on a-news-site.com when visiting a-shopping-site.com. The first iteration of this protection was first-party isolation which is now being superseded by dynamic partitioning.

Note: First-party isolation and dynamic partitioning will not be active at the same time. If the user or an extension turns on first-party isolation, it takes precedence over dynamic partitioning. However, when private browsing uses dynamic partitioning, normal browsing may not be partitioning cookies. See Status of partitioning in Firefox, for details.

Storage partitioning

When using dynamic partitioning, Firefox partitions the storage accessible to JavaScript APIs by top-level site while providing appropriate access to unpartitioned storage to enable common use cases. This feature is being rolled out progressively. See Status of partitioning in Firefox, for implementation details.

Storage partitions are keyed by the schemeful URL of the top-level website and, when dynamic partitioning is active, the key value is available through the partitionKey.topLevelSite property in the cookies API, for example, partitionKey: {topLevelSite: "http://site"}.

Generally, top-level documents are in unpartitioned storage, while third-party iframes are in partitioned storage. If a partition key cannot be determined, the default (unpartitioned storage) is used. For example, while all HTTP(S) sites can be used as a partition key, moz-extension:- URLs cannot. Therefore, iframes in Firefox's extension documents do not use partitioned storage.

By default, cookies.get(), cookies.getAll(), cookies.set(), and cookies.remove() work with cookies in unpartitioned storage. To work with cookies in partitioned storage in these APIs, topLevelSite in partitionKey must be set. The exception is getAll where setting partitionKey without topLevelSite returns cookies in partitioned and unpartitioned storage. cookies.onChanged fires for any cookie that the extension can access, including cookies in partitioned storage. To ensure that the correct cookie is modified, extensions should read the cookie.partitionKey property from the event and pass its value to cookies.set() and cookies.remove().

First-party isolation

When first-party isolation is on, cookies are qualified by the domain of the original page the user visited (essentially, the domain shown to the user in the URL bar, also known as the "first party domain").

First-party isolation can be enabled by the user by adjusting the browser's configuration and set by extensions using the firstPartyIsolate setting in the privacy API. Note that first-party isolation is enabled by default in Tor Browser.

In the cookies API, the first party domain is represented using the firstPartyDomain attribute. All cookies set while first-party isolation is on have this attribute set to the domain of the original page. In the preceding example, this is a-shopping-site.com for one cookie and a-news-site.com for the other. When first-party isolation is off, all cookies set by websites have this property set to an empty string.

The cookies.get(), cookies.getAll(), cookies.set() and cookies.remove() APIs all accept a firstPartyDomain option.

When first-party isolation is on, you must provide this option or the API call will fail and return a rejected promise. For get(), set(), and remove() you must pass a string value. For getAll(), you may also pass null here, and this will get all cookies, whether or not they have a non-empty value for firstPartyDomain.

When first-party isolation is off, the firstPartyDomain parameter is optional and defaults to an empty string. A non-empty string can be used to retrieve or modify first-party isolation cookies. Likewise, passing null as firstPartyDomain to getAll() will return all cookies.

Types

cookies.Cookie

Represents information about an HTTP cookie.

cookies.CookieStore

Represents a cookie store in the browser.

cookies.OnChangedCause

Represents the reason a cookie changed.

cookies.SameSiteStatus

Represents the same-site status of the cookie.

Methods

cookies.get()

Retrieves information about a single cookie.

cookies.getAll()

Retrieves all cookies that match a given set of filters.

cookies.set()

Sets a cookie with the given cookie data; may overwrite equivalent cookies if they exist.

cookies.remove()

Deletes a cookie by name.

cookies.getAllCookieStores()

Lists all existing cookie stores.

Event handlers

cookies.onChanged

Fired when a cookie is set or removed.

Browser compatibility

BCD tables only load in the browser

Example extensions

Note: This API is based on Chromium's chrome.cookies API. This documentation is derived from cookies.json in the Chromium code.