cookies
Enables extensions to get and set cookies, and be notified when they change.
Permissions
To use this API, an add-on must specify the "cookies" API permission in its manifest.json file, along with host permissions for any sites for which it wishes to access cookies. The add-on may read or write any cookies which could be read or written by a URL matching the host permissions. For example:
http://*.example.com/
-
An add-on with this host permission may:
- Read a non-secure cookie for
www.example.com
, with any path. - Write a secure or non-secure cookie for
www.example.com
, with any path.
It may not:
- Read a secure cookie for
www.example.com
.
- Read a non-secure cookie for
http://www.example.com/
-
An add-on with this host permission may:
- Read a non-secure cookie for
www.example.com
, with any path. - Read a non-secure cookie for
.example.com
, with any path. - Write a secure or non-secure cookie for
www.example.com
with any path. - Write a secure or non-secure cookie for
.example.com
with any path.
It may not:
- Read or write a cookie for
foo.example.com
. - Read or write a cookie for
foo.www.example.com
.
- Read a non-secure cookie for
*://*.example.com/
-
An add-on with this host permission may:
- Read or write a secure or non-secure cookie for
www.example.com
with any path.
- Read or write a secure or non-secure cookie for
Tracking protection
Trackers use third-party cookies, that is, cookies set by a website other than the one you are on, to identify the websites you visit. For example:
- You visit
a-shopping-site.com
, which usesad-tracker.com
to deliver its adverts on the web.ad-tracker.com
sets a cookie associated with thead-tracker.com
domain. While you are ona-shopping-site.com
,ad-tracker.com
receives information about the products you browse. - You now visit
a-news-site.com
that usesad-tracker.com
to deliver adverts.ad-tracker.com
read its cookie and use the information collected froma-shopping-site.com
to decide which adverts to display to you.
Firefox includes features to prevent tracking. These features separate cookies so that trackers cannot make an association between websites visited. So, in the preceding example, ad-tracker.com
cannot see the cookie created on a-news-site.com
when visiting a-shopping-site.com
. The first iteration of this protection was first-party isolation which is now being superseded by dynamic partitioning.
Note: First-party isolation and dynamic partitioning will not be active at the same time. If the user or an extension turns on first-party isolation, it takes precedence over dynamic partitioning. However, when private browsing uses dynamic partitioning, normal browsing may not be partitioning cookies. See Status of partitioning in Firefox, for details.
Storage partitioning
When using dynamic partitioning, Firefox partitions the storage accessible to JavaScript APIs by top-level site while providing appropriate access to unpartitioned storage to enable common use cases. This feature is being rolled out progressively. See Status of partitioning in Firefox, for implementation details.
Storage partitions are keyed by the schemeful URL of the top-level website and, when dynamic partitioning is active, the key value is available through the partitionKey.topLevelSite
property in the cookies API, for example, partitionKey: {topLevelSite: "http://site"}
.
Generally, top-level documents are in unpartitioned storage, while third-party iframes are in partitioned storage. If a partition key cannot be determined, the default (unpartitioned storage) is used. For example, while all HTTP(S) sites can be used as a partition key, moz-extension:-
URLs cannot. Therefore, iframes in Firefox's extension documents do not use partitioned storage.
By default, cookies.get()
, cookies.getAll()
, cookies.set()
, and cookies.remove()
work with cookies in unpartitioned storage. To work with cookies in partitioned storage in these APIs, topLevelSite
in partitionKey
must be set. The exception is getAll
where setting partitionKey
without topLevelSite
returns cookies in partitioned and unpartitioned storage. cookies.onChanged
fires for any cookie that the extension can access, including cookies in partitioned storage. To ensure that the correct cookie is modified, extensions should read the cookie.partitionKey
property from the event and pass its value to cookies.set()
and cookies.remove()
.
First-party isolation
When first-party isolation is on, cookies are qualified by the domain of the original page the user visited (essentially, the domain shown to the user in the URL bar, also known as the "first party domain").
First-party isolation can be enabled by the user by adjusting the browser's configuration and set by extensions using the firstPartyIsolate
setting in the privacy
API. Note that first-party isolation is enabled by default in Tor Browser.
In the cookies
API, the first party domain is represented using the firstPartyDomain
attribute. All cookies set while first-party isolation is on have this attribute set to the domain of the original page. In the preceding example, this is a-shopping-site.com
for one cookie and a-news-site.com
for the other. When first-party isolation is off, all cookies set by websites have this property set to an empty string.
The cookies.get()
, cookies.getAll()
, cookies.set()
and cookies.remove()
APIs all accept a firstPartyDomain
option.
When first-party isolation is on, you must provide this option or the API call will fail and return a rejected promise. For get()
, set()
, and remove()
you must pass a string value. For getAll()
, you may also pass null
here, and this will get all cookies, whether or not they have a non-empty value for firstPartyDomain
.
When first-party isolation is off, the firstPartyDomain
parameter is optional and defaults to an empty string. A non-empty string can be used to retrieve or modify first-party isolation cookies. Likewise, passing null
as firstPartyDomain
to getAll()
will return all cookies.
Types
-
Represents information about an HTTP cookie.
-
Represents a cookie store in the browser.
-
Represents the reason a cookie changed.
-
Represents the same-site status of the cookie.
Methods
-
Retrieves information about a single cookie.
-
Retrieves all cookies that match a given set of filters.
-
Sets a cookie with the given cookie data; may overwrite equivalent cookies if they exist.
-
Deletes a cookie by name.
-
Lists all existing cookie stores.
Event handlers
-
Fired when a cookie is set or removed.
Browser compatibility
BCD tables only load in the browser
Example extensions
Note: This API is based on Chromium's chrome.cookies
API. This documentation is derived from cookies.json
in the Chromium code.