Latest Round of Cookie Updates

by Ricardo Cristofolini

On January 21st, the latest round of cookie updates was released for the major browsers on the market. Although we understand there are many others out there, it’s fair to say these are the ones currently setting the rules.

That being said, here are the updates that you should be aware of.

Firefox – Cookies in 1st party context

All storage will be cleared (more or less) daily from origins that are known trackers and that haven’t received top-level user interaction (including scroll) within the last 45 days. Among other data, Firefox will clear:

  • Network cache and image cache
  • Cookies
  • AppCache
  • DOM push notifications
  • Storage Access permissions granted to the origins
  • Etc

The full list of items and more details on this can be found here.

Brave – Referrer

Brave now ships a less strict referrer policy: it defaults to strict-origin-when-cross-origin instead of removing the cross-site referrer altogether.

Brave applies strict-origin-when-cross-origin, or a stricter referrer policy, to cross-site navigational requests. Example: when clicking a link from https://domain.com/page to https://anotherdomain.com/another-page/, the Referer header is set to https://domain.com. Similarly, document.referrer will be set to https://domain.com once the user lands on anotherdomain.com.

For same-site requests (both navigational and non-navigational), referrers behave normally.

Chrome and Edge – Referrer

This information comes directly from the Chrome 85 release, but we believe it applies to both browsers.

Sets the default referrer policy to strict-origin-when-cross-origin. This means that for cross-origin requests (e.g. sub.domain.com to othersub.domain.com, or sub.domain.com to sub.otherdomain.com) the referer HTTP header and document.referrer JavaScript API are truncated to show just the origin of the website making the request. Thus a page such as https://www.domain.com/some-page?param=value would show up just as https://www.domain.com in the referrer records.
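The truncation described above, as an added example (not from the original post or from any browser's source): a simplified JavaScript model of the W3C Referrer Policy computation that compares the previous default, no-referrer-when-downgrade, with strict-origin-when-cross-origin. The function names are hypothetical, and a "downgrade" is simplified here to HTTPS going to non-HTTPS.

```javascript
// Added example: simplified model of the Referrer Policy computation.
// Function names are hypothetical; this is not browser source code.

// Remove what a referrer never carries (credentials, fragment) and,
// when originOnly is set, the path and query string as well.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/'; // an origin-only referrer is serialised with a trailing "/"
    u.search = '';
  }
  return u.href;
}

// Assumption: only https: counts as a secure context in this model.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

// Returns the referrer string, or null when no referrer is sent.
function computeReferrer(policy, from, to) {
  // Origin = scheme + host + port, so sub.domain.com and
  // othersub.domain.com are cross-origin even though they are same-site.
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case 'no-referrer-when-downgrade': // previous default
      return isDowngrade(from, to) ? null : stripForReferrer(from, false);
    case 'strict-origin-when-cross-origin': // new default
      if (sameOrigin) return stripForReferrer(from, false);
      return isDowngrade(from, to) ? null : stripForReferrer(from, true);
    default:
      throw new Error(`policy not modelled here: ${policy}`);
  }
}

// Constructed sample: the page URL from the text, sent to another origin.
const page = 'https://www.domain.com/some-page?param=value';
for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
  console.log(policy, '->', computeReferrer(policy, page, 'https://sub.otherdomain.com/'));
}
```

Under the previous default the full URL, query string included, reaches the other origin; under the new default only the origin does, so analytics that relied on the referring path or on parameters in the referrer need another source for them.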

Safari – Others

Safari purges all site data from classified domains if no user interaction (or Storage Access API grant) in first-party context has been recorded in the last 30 days. WebKit browsers also delete all site data (script-writable storage, all cookies) if the site domain has been classified by ITP and if there has been no meaningful interaction with the site in first-party context in the last 30 days. Access granted through the Storage Access API resets the timer as well. This is the latest information, but because Safari leads the way in this Cookie Status world, we can’t exclude other important updates that happened before.

Safari also protects against first-party bounce tracking. Bounce tracking happens when instead of navigating the user directly to the target domain, the user is redirected through intermediate domains which can set cookies and build a profile of the user. Intelligent Tracking Prevention detects when domains are used solely for bounce tracking and clears all website data that might have been saved on them.

Similarly, Safari protects against tracker collusion, where multiple tracking domains in a redirect chain can feed information to each other to build a comprehensive profile of the user. If one domain in this chain is classified as having cross-site tracking capabilities, then all domains in the redirect chain will be classified as well.

With Safari 14, WebKit’s tracking preventions are extended to all browsers running on the iOS platform. There is no way for the browser or any app using the browser to toggle these protections off. Only the user can opt-out of cross-site tracking protections.

Conclusion

Not a lot of updates, but we’ll keep you posted as new changes come out. Based on how things are going, soon enough we will be living in the much-talked-about cookieless world.

Ricardo Cristofolini

Implementation Specialist

I’m passionate about what I do. If you meet my manager or co-workers, they would say I’m a team player, engaged and always excited to learn something new. Like everyone else I have some flaws. However I’m not afraid to work around those to bring the best in myself and for the company.
