Cookies | 2024 | The Web Almanac by HTTP Archive

<!doctype html> <html lang="en" > <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Cookies | 2024 | The Web Almanac by HTTP Archive</title> <link rel="stylesheet" href="/static/css/normalize.css?v=3a712a3381a95c0a7b7c6ed3aa03b911"> <link rel="stylesheet" href="/static/css/almanac.css?v=1653be48f4c6c63139a92045bbc0a5c5"> <link rel="stylesheet" href="/static/css/page.css?v=09bfe6babea9027e32ffe7ccfa9f6f4c"> <link rel="preload" href="/static/fonts/Lato-Regular.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/static/fonts/Poppins-Bold.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/static/fonts/Lato-Black.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/static/fonts/Lato-Bold.woff2" as="font" type="font/woff2" crossorigin> <script nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"> window.dataLayer = window.dataLayer || []; function gtag() { dataLayer.push(arguments); } gtag('js', new Date()); gtag('config', 'UA-22381566-3', { 'link_attribution': true }); gtag('config', 'G-PQ5N2MZG5M'); </script> <link rel="shortcut icon" href="/static/images/favicon.ico"> <link rel="apple-touch-icon" href="/static/images/apple-touch-icon.png"> <meta name="description" content="Cookies chapter of the 2024 Web Almanac covering the prevalence and structure of cookies on the web."> <meta property="og:title" content="Cookies | 2024 | The Web Almanac by HTTP Archive"> <meta property="og:url" content="https://almanac.httparchive.org/en/2024/cookies"> <meta property="og:image" content="https://almanac.httparchive.org/static/images/2024/cookies/hero_lg.jpg"> <meta property="og:image:height" content="433"> <meta property="og:image:width" content="866"> <meta property="og:type" content="article"> <meta property="og:description" content="Cookies chapter of the 2024 Web Almanac covering the prevalence and structure of cookies on the web."> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@HTTPArchive"> <meta name="twitter:title" content="Cookies | 2024 | The Web Almanac by HTTP Archive"> <meta name="twitter:image" content="https://almanac.httparchive.org/static/images/2024/cookies/hero_lg.jpg"> <meta name="twitter:image:alt" content="Chapter image for the Cookies chapter of the 2024 Web Almanac"> <meta name="twitter:description" content="Cookies chapter of the 2024 Web Almanac covering the prevalence and structure of cookies on the web."> <link rel="webmention" href="https://webmention.io/almanac.httparchive.org/webmention"> <link rel="pingback" href="https://webmention.io/almanac.httparchive.org/xmlrpc"> <link rel="me" href="mailto:team@httparchive.org"> <script type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "mainEntityOfPage": { "@type": "WebPage", "@id": "https://almanac.httparchive.org/en/2024/cookies" }, "headline": "Cookies | 2024 | The Web Almanac by HTTP Archive", "image": { "@type": "ImageObject", "url": "https://almanac.httparchive.org/static/images/2024/cookies/hero_lg.jpg", "height": 433, "width": 866 }, "publisher": { "@type": "Organization", "name": "HTTP Archive", "logo": { "@type": "ImageObject", "url": "https://almanac.httparchive.org/static/images/ha.png", "height": 160, "width": 320 }, "sameAs": [ "https://httparchive.org", "https://x.com/HTTPArchive", "https://bsky.app/profile/httparchive.org", "https://github.com/HTTPArchive" ] }, "author": [{ "@type": "Person", "sameAs": [ "https://almanac.httparchive.org/en/2024/contributors#yohhaan" ,"https://github.com/yohhaan" ], "name": "Yohan Beugin" },{ "@type": "Person", "sameAs": [ "https://almanac.httparchive.org/en/2024/contributors#samdutton" ,"https://x.com/sw12" ,"https://github.com/samdutton" ], "name": "Sam Dutton" },{ "@type": "Person", "sameAs": [ "https://almanac.httparchive.org/en/2024/contributors#ydimova" ,"https://github.com/ydimova" ], "name": "Yana Dimova" }] , "description": "Cookies chapter of the 2024 Web Almanac covering the prevalence and structure of cookies on the web.", "datePublished": "2024-11-11T00:00:00.000Z", "dateModified": "2024-11-16T00:00:00.000Z" } </script> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [{ "@type": "ListItem", "position": 1, "name": "en", "item": "https://almanac.httparchive.org/en/" },{ "@type": "ListItem", "position": 2, "name": "2024", "item": "https://almanac.httparchive.org/en/2024" }] } </script> <meta name="citation_title" content="The 2024 Web Almanac: Cookies"> <meta name="citation_author" content="Yohan Beugin"> <meta name="citation_author" content="Sam Dutton"> <meta name="citation_author" content="Yana Dimova"> <meta name="citation_publication_date" content="2024/11/11"> <meta name="citation_journal_title" content="The 2024 Web Almanac"> <meta name="citation_volume" content="6"> <meta name="citation_issue" content="21"> <meta name="citation_publisher" content="HTTP Archive"> <meta name="citation_technical_report_institution" content="HTTP Archive"> <meta name="citation_language" content="English"> <meta name="citation_fulltext_html_url" content="https://almanac.httparchive.org/en/2024/cookies"> <link rel="canonical" href="https://almanac.httparchive.org/en/2024/cookies"> <link rel="alternate" type="application/rss+xml" title="Web Almanac by HTTP Archive RSS (en)" href="/en/rss.xml"> </head> <body class="year-2024"> <svg xmlns="http://www.w3.org/2000/svg" width="0" height="0" display="none">  <symbol id="ha-logo" viewBox="0 0 432 225"> <path d="M10.626 7.433h14.5v47.5c6-7.4 13.5-11 22.5-11 4.9 0 9.2 1.2 13.1 3.7 3.9 2.4 6.7 5.8 8.6 10.1 1.9 4.3 2.9 10.7 2.9 19.1v41.6h-14.6v-45.2c0-5.3-1.3-9.6-4-12.9-2.6-3.3-6-4.9-10.3-4.9-3.2 0-6.2.8-9 2.5-2.8 1.6-5.9 4.4-9.3 8.2v52.4h-14.4V7.433m66.4 49.5l27.2-26.7v15.1h23.1v13h-23.1v35.8c0 8.4 3.5 12.6 10.4 12.6 5.2 0 10.7-1.7 16.4-5.2v13.5c-5.6 3.1-11.6 4.7-18.2 4.7s-12.1-1.9-16.5-5.8c-1.4-1.2-2.5-2.5-3.4-3.9-.9-1.5-1.7-3.4-2.3-5.7-.6-2.4-.9-6.9-.9-13.5v-32.5h-12.7v-1.4m54.3 0l27.2-26.7v15.1h23.1v13h-23.1v35.8c0 8.4 3.5 12.6 10.4 12.6 5.2 0 10.7-1.7 16.4-5.2v13.5c-5.6 3.1-11.6 4.7-18.2 4.7s-12.1-1.9-16.5-5.8c-1.4-1.2-2.5-2.5-3.4-3.9-.9-1.5-1.7-3.4-2.3-5.7-.6-2.4-.9-6.9-.9-13.5v-32.5h-12.7v-1.4M212.8 30.1l-27.2 26.7v1.4h39c6.1.2 10.6 1.5 13.9 3.1 3.5 1.6 6.3 4.3 8.3 7.9 2.1 3.7 3.1 7.9 3.1 12.7 0 7.4-2.2 13.5-6.5 18.2-4.3 4.7-9.8 7.1-16.6 7.1-2.8 0-5.5-.4-8.2-1.1v12.3c3.4.9 6.7 1.3 9.7 1.3 10.5 0 19.2-3.5 26-10.6 6.8-7 10.2-16 10.3-27 0-11.6-3.6-20.6-10.9-27.1-7.1-6.4-17.1-9.6-29.8-9.7h-.4l-10.6-.1V30.1z" fill="currentColor" /> <path d="M198 63.7c0 52.2-.1 108.8-.1 154.7h14.8v-52.5c3.4-3.8 6.1-6.4 8.9-8 2.8-1.6 5.8-2.4 9-2.4 4.3 0 7.7 1.6 10.3 4.9 2.6 3.2 4 7.5 4 12.9v45.2h14.5v-41.6c0-8.5-.9-14.9-2.8-19.2-1.9-4.3-4.7-7.7-8.6-10.1-3.9-2.4-8.3-3.7-13.1-3.7-8.8 0-16.1 3.5-22.1 10.6v-53.1c.1-12.5 0-25.1 0-37.7H198zM55.9 174.5v31.1c0 2.5.8 3.7 2.5 3.7s4.5-1.3 8.2-3.9v8.8c-3.3 2.1-5.9 3.5-7.9 4.3-2 .8-4 1.2-6.2 1.2-6.2 0-9.9-2.4-11-7.3-6.1 4.8-12.7 7.2-19.6 7.2-5.1 0-9.3-1.7-12.7-5-3.4-3.4-5.1-7.6-5.1-12.7 0-4.6 1.6-8.7 4.9-12.3 3.3-3.7 8.1-6.5 14.1-8.7l18.5-6.4v-3.9c0-8.8-4.4-13.2-13.2-13.2-7.9 0-15.6 4.1-23 12.2v-15.8c5.6-6.6 13.7-9.9 24.2-9.9 7.9 0 14.2 2.1 19 6.2 1.6 1.3 3 3.1 4.3 5.3 1.3 2.2 2.1 4.4 2.4 6.6.4 2.2.6 6.3.6 12.5m-14.2 29.4v-21.7L32 186c-4.9 2-8.4 3.9-10.5 6-2 2-3 4.4-3 7.4s1 5.5 2.9 7.4c2 1.9 4.5 2.9 7.5 2.9 4.6-.1 8.8-2 12.8-5.8M90 145.3v16.8l.8-1.3c7-11.3 14-16.9 21-16.9 5.5 0 11.1 2.8 17.1 8.3l-7.6 12.7c-5-4.8-9.7-7.2-14-7.2-4.7 0-8.7 2.2-12.2 6.7-3.4 4.4-5.1 9.7-5.1 15.8v38.2H75.5v-73.1H90m96.9 56v14.3c-7.3 2.7-14.4 4.1-21.3 4.1-11.4 0-20.6-3.4-27.4-10.2-6.8-6.8-10.2-15.9-10.2-27.3 0-11.5 3.3-20.8 9.9-27.8 6.6-7 15.3-10.6 26.1-10.6 3.8 0 7.1.4 10.1 1.1 3 .7 6.7 2 11.1 4v15.4c-7.3-4.7-14.1-7-20.3-7-6.5 0-11.9 2.3-16 6.9-4.2 4.6-6.3 10.4-6.3 17.5 0 7.5 2.3 13.4 6.8 17.8 4.6 4.4 10.7 6.6 18.4 6.6 5.5.1 11.9-1.5 19.1-4.8m93.2-86.7c2.4 0 4.4.8 6.1 2.5 1.7 1.6 2.5 3.7 2.5 6s-.8 4.3-2.5 6c-1.7 1.7-3.7 2.5-6.1 2.5-2.2 0-4.2-.8-5.9-2.5-1.7-1.7-2.5-3.8-2.5-6s.8-4.2 2.5-5.9c1.7-1.8 3.7-2.6 5.9-2.6m-7.2 30.7h14.5v73.1h-14.5v-73.1m75 0h15.7l-32.3 74.4h-4.8l-33.1-74.4h15.8l19.7 45 19-45m78.8 37.8h-51.4c.4 7 2.7 12.6 7 16.7s9.9 6.2 16.8 6.2c9.5 0 18.3-3 26.4-8.9v14.1c-4.4 3-8.9 5.1-13.3 6.4-4.3 1.3-9.5 1.9-15.3 1.9-8.1 0-14.6-1.7-19.5-5-5-3.3-9-7.8-12-13.4-3-5.7-4.4-12.2-4.4-19.6 0-11.1 3.2-20.2 9.5-27.1 6.3-7 14.5-10.5 24.6-10.5 9.7 0 17.4 3.4 23.2 10.2 5.8 6.8 8.7 15.9 8.7 27.3v1.7m-51.4-8.6h36.8c-.4-5.8-2.1-10.2-5.2-13.3-3.1-3.1-7.2-4.7-12.4-4.7s-9.5 1.6-12.8 4.7c-3.2 3-5.4 7.5-6.4 13.3" fill="currentColor" /> </symbol>  <symbol id="github-logo" viewBox="0 0 32.6 31.8"> <path d="M16.3 0C7.3 0 0 7.3 0 16.3c0 7.2 4.7 13.3 11.1 15.5.8.1 1.1-.4 1.1-.8v-2.8c-4.5 1-5.5-2.2-5.5-2.2-.7-1.9-1.8-2.4-1.8-2.4-1.5-1 .1-1 .1-1 1.6.1 2.5 1.7 2.5 1.7 1.5 2.5 3.8 1.8 4.7 1.4.1-1.1.6-1.8 1-2.2-3.6-.4-7.4-1.8-7.4-8.1 0-1.8.6-3.2 1.7-4.4-.1-.3-.7-2 .2-4.2 0 0 1.4-.4 4.5 1.7 1.3-.4 2.7-.5 4.1-.5 1.4 0 2.8.2 4.1.5 3.1-2.1 4.5-1.7 4.5-1.7.9 2.2.3 3.9.2 4.3 1 1.1 1.7 2.6 1.7 4.4 0 6.3-3.8 7.6-7.4 8 .6.5 1.1 1.5 1.1 3V31c0 .4.3.9 1.1.8 6.5-2.2 11.1-8.3 11.1-15.5C32.6 7.3 25.3 0 16.3 0z" fill-rule="evenodd" clip-rule="evenodd" fill="currentColor" /> </symbol>  <symbol id="twitter-logo" viewBox="0 0 300 271"> <path xmlns="http://www.w3.org/2000/svg" d="m236 0h46l-101 115 118 156h-92.6l-72.5-94.8-83 94.8h-46l107-123-113-148h94.9l65.5 86.6zm-16.1 244h25.5l-165-218h-27.4z" fill="currentColor" /> </symbol>  <symbol id="linkedin-logo" viewBox="0 0 200 200"> <path d="M185.2 0H14.8C6.6 0 0 6.4 0 14.3v171.3c0 7.9 6.6 14.3 14.8 14.3h170.4c8.1 0 14.8-6.4 14.8-14.3V14.3C199.9 6.4 193.3 0 185.2 0zM60.6 167.3H30.4V77.1h30.2v90.2zM45.5 64.8h-.2c-10.1 0-16.7-6.9-16.7-15.6 0-8.8 6.7-15.6 17.1-15.6 10.3 0 16.7 6.7 16.9 15.6 0 8.6-6.5 15.6-17.1 15.6zm124 102.5h-30.2V119c0-12.1-4.4-20.4-15.3-20.4-8.4 0-13.3 5.6-15.5 11-.8 1.9-1 4.6-1 7.3v50.4H77.3s.4-81.8 0-90.3h30.2v12.8c4-6.1 11.2-14.9 27.2-14.9 19.9 0 34.8 12.9 34.8 40.6v51.8zm-62.2-77.1c0-.1.1-.2.2-.3v.3h-.2z" fill="currentColor" /> </symbol>  <symbol id="mastodon-logo" viewBox="0 0 61 65"> <path d="M60.7539 14.3904C59.8143 7.40642 53.7273 1.90257 46.5117 0.836066C45.2943 0.655854 40.6819 0 29.9973 0H29.9175C19.2299 0 16.937 0.655854 15.7196 0.836066C8.70488 1.87302 2.29885 6.81852 0.744617 13.8852C-0.00294988 17.3654 -0.0827298 21.2237 0.0561464 24.7629C0.254119 29.8384 0.292531 34.905 0.753482 39.9598C1.07215 43.3175 1.62806 46.6484 2.41704 49.9276C3.89445 55.9839 9.87499 61.0239 15.7344 63.0801C22.0077 65.2244 28.7542 65.5804 35.2184 64.1082C35.9295 63.9428 36.6318 63.7508 37.3252 63.5321C38.8971 63.0329 40.738 62.4745 42.0913 61.4937C42.1099 61.4799 42.1251 61.4621 42.1358 61.4417C42.1466 61.4212 42.1526 61.3986 42.1534 61.3755V56.4773C42.153 56.4557 42.1479 56.4345 42.1383 56.4151C42.1287 56.3958 42.1149 56.3788 42.0979 56.3655C42.0809 56.3522 42.0611 56.3429 42.04 56.3382C42.019 56.3335 41.9971 56.3336 41.9761 56.3384C37.8345 57.3276 33.5905 57.8234 29.3324 57.8156C22.0045 57.8156 20.0336 54.3384 19.4693 52.8908C19.0156 51.6397 18.7275 50.3346 18.6124 49.0088C18.6112 48.9866 18.6153 48.9643 18.6243 48.9439C18.6333 48.9236 18.647 48.9056 18.6643 48.8915C18.6816 48.8774 18.7019 48.8675 18.7237 48.8628C18.7455 48.858 18.7681 48.8585 18.7897 48.8641C22.8622 49.8465 27.037 50.3423 31.2265 50.3412C32.234 50.3412 33.2387 50.3412 34.2463 50.3146C38.4598 50.1964 42.9009 49.9808 47.0465 49.1713C47.1499 49.1506 47.2534 49.1329 47.342 49.1063C53.881 47.8507 60.1038 43.9097 60.7362 33.9301C60.7598 33.5372 60.8189 29.8148 60.8189 29.4071C60.8218 28.0215 61.2651 19.5781 60.7539 14.3904Z" fill="currentColor"/> <path d="M50.3943 22.237V39.5876H43.5185V22.7481C43.5185 19.2029 42.0411 17.3949 39.036 17.3949C35.7325 17.3949 34.0778 19.5338 34.0778 23.7585V32.9759H27.2434V23.7585C27.2434 19.5338 25.5857 17.3949 22.2822 17.3949C19.2949 17.3949 17.8027 19.2029 17.8027 22.7481V39.5876H10.9298V22.237C10.9298 18.6918 11.835 15.8754 13.6453 13.7877C15.5128 11.7049 17.9623 10.6355 21.0028 10.6355C24.522 10.6355 27.1813 11.9885 28.9542 14.6917L30.665 17.5633L32.3788 14.6917C34.1517 11.9885 36.811 10.6355 40.3243 10.6355C43.3619 10.6355 45.8114 11.7049 47.6847 13.7877C49.4931 15.8734 50.3963 18.6899 50.3943 22.237Z" fill="white"/> </symbol>  <symbol id="bluesky-logo" viewBox="0 0 600 530"> <path d="m135.72 44.03c66.496 49.921 138.02 151.14 164.28 205.46 26.262-54.316 97.782-155.54 164.28-205.46 47.98-36.021 125.72-63.892 125.72 24.795 0 17.712-10.155 148.79-16.111 170.07-20.703 73.984-96.144 92.854-163.25 81.433 117.3 19.964 147.14 86.092 82.697 152.22-122.39 125.59-175.91-31.511-189.63-71.766-2.514-7.3797-3.6904-10.832-3.7077-7.8964-0.0174-2.9357-1.1937 0.51669-3.7077 7.8964-13.714 40.255-67.233 197.36-189.63 71.766-64.444-66.128-34.605-132.26 82.697-152.22-67.108 11.421-142.55-7.4491-163.25-81.433-5.9562-21.282-16.111-152.36-16.111-170.07 0-88.687 77.742-60.816 125.72-24.795z" fill="currentColor"/> </symbol>  <symbol id="globe-logo" viewBox="0 0 30 30"> <circle cx="14.5" cy="14.5" r="13.5" stroke-width="2" stroke-miterlimit="10" fill="none" stroke="currentColor" /> <ellipse cx="14.5" cy="14.5" rx="6.1" ry="13.5" stroke-width="2" stroke-miterlimit="10" fill="none" stroke="currentColor" /> <path d="M1.6 9.6h25.8M1.6 19.4h25.8" stroke-width="2" stroke-miterlimit="10" fill="none" stroke="currentColor" /> </symbol>  <symbol id="bar-chart-logo" viewBox="0 0 18 19"> <path d="M0 9h3v10H0V9zm5-9h3v19H5V0zm5 7h3v12h-3V7zm5-4h3v16h-3V3z" fill="currentColor" /> </symbol>  <symbol id="comment-logo" viewBox="0 0 22 22.1"> <path d="M4.4 22.1l8-5.1H22V0H0v17h4.4z" fill="currentColor" /> </symbol>  <symbol id="sql-logo" viewBox="0 0 32 14.6"> <path d="M.1 12.4V9.6c.5.4 1.1.8 1.7 1 .6.2 1.2.3 1.8.3.4 0 .7 0 .9-.1s.5-.2.7-.3c.2-.1.3-.2.4-.4.1-.2.1-.3.1-.5s-.1-.5-.2-.7c-.2-.2-.4-.4-.6-.5-.3-.2-.5-.4-.9-.5-.3-.2-.7-.3-1.1-.5-1-.4-1.7-.9-2.2-1.5S0 4.6 0 3.8c0-.7.1-1.2.4-1.7S1 1.2 1.5.9s1-.5 1.6-.7S4.3 0 5 0s1.2 0 1.8.1 1 .2 1.4.4v2.6c-.3-.1-.5-.3-.8-.4s-.5-.2-.7-.2c-.3-.1-.6-.2-.8-.2-.3 0-.5-.1-.7-.1-.3 0-.6 0-.9.1s-.5.2-.7.3c-.2.1-.4.2-.5.4-.1.2-.1.3-.1.5s.1.4.2.6c.1.2.3.3.5.5.1.1.4.3.7.4.3.1.6.3 1 .4.5.2 1 .4 1.4.7.4.2.7.5 1 .8s.5.6.7 1c.2.4.2.8.2 1.3 0 .7-.1 1.3-.4 1.8-.3.6-.7 1-1.1 1.3-.5.3-1 .5-1.6.6s-1.3.2-1.9.2c-.7 0-1.4-.1-2-.2-.6-.1-1.2-.3-1.6-.5zm16 .7c-1.8 0-3.3-.6-4.4-1.8-1.2-1.2-1.7-2.7-1.7-4.6 0-2 .6-3.6 1.7-4.9C12.9.6 14.4 0 16.3 0c1.8 0 3.3.6 4.4 1.8 1.1 1.2 1.7 2.7 1.7 4.7s-.6 3.6-1.7 4.8l-.1.1-.1.1 3.2 3.1h-4L18 12.9c-.6.1-1.2.2-1.9.2zm.1-10.6c-1 0-1.8.4-2.4 1.1-.6.7-.9 1.7-.9 3s.3 2.2.9 3c.6.7 1.4 1.1 2.3 1.1 1 0 1.8-.4 2.3-1.1.6-.7.9-1.7.9-3s-.3-2.3-.8-3.1c-.5-.7-1.3-1-2.3-1zM32 12.9h-7.5V.2h2.8v10.3H32v2.4z" fill="currentColor" /> </symbol>  <symbol id="search-logo" viewBox="0 0 13 13"> <path d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z" fill="currentColor" /> </symbol>  <symbol id="share-apple-logo" viewBox="0 0 24 24"> <path d="M0 0h24v24H0V0z" fill="none" /> <path d="M16 5l-1.42 1.42-1.59-1.59V16h-1.98V4.83L9.42 6.42 8 5l4-4 4 4zm4 5v11c0 1.1-.9 2-2 2H6c-1.11 0-2-.9-2-2V10c0-1.11.89-2 2-2h3v2H6v11h12V10h-3V8h3c1.1 0 2 .89 2 2z" /> </symbol>  <symbol id="share-android-logo" viewBox="0 0 24 24"> <path d="M0 0h24v24H0z" fill="none" /> <path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81 1.66 0 3-1.34 3-3s-1.34-3-3-3-3 1.34-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9c-1.66 0-3 1.34-3 3s1.34 3 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.16c-.05.21-.08.43-.08.65 0 1.61 1.31 2.92 2.92 2.92 1.61 0 2.92-1.31 2.92-2.92s-1.31-2.92-2.92-2.92z" /> </symbol> </svg> <div id="skiptocontent"><a href="#maincontent">Skip navigation</a></div> <header id="header" class="alt-bg"> <div class="container"> <div class="top-header"> <a class="navigation-logo" href="/en/2024/"> <span class="wa">Web Almanac</span> <span class="line-group"> <span class="pre">By</span> <span class="ha">HTTP Archive</span> </span> </a> <nav id="header-page-navigation" aria-label="Page navigation"> <ul> <li><a href="/en/2024/contributors">Contributors</a></li> <li><a href="/en/2024/methodology">Methodology</a></li> <li> <a class="nav-dropdown-btn js-hide" href="/en/search">Search</a> <div class="nav-dropdown header search-nav js-enable hidden"> <button type="button" class="nav-dropdown-btn search-button" aria-expanded="false"> Search </button> <ul class="nav-dropdown-list align-right hidden header-search"> <li class="nav-dropdown-list-part"> <form action="/en/search"> <label for="header-search-box" class="visually-hidden">Search</label> <input id="header-search-box" class="search-input" type="search" name="q" placeholder="Search" title="Search" aria-label="Search"> <button class="search-button" type="submit"> <svg width="13" height="13" role="img" aria-labelledby="header-search-icon"> <title id="header-search-icon">Search</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#search-logo"></use> </svg> </button> </form> </li> </ul> </div> </li> <li> <a class="nav-dropdown-btn js-hide" href="/en/2024/table-of-contents">Table of Contents</a> <div class="nav-dropdown header table-of-contents js-enable hidden"> <button type="button" class="nav-dropdown-btn" aria-expanded="false" aria-label="Table of Contents" > Table of Contents </button> <ul class="nav-dropdown-list hidden header-list"> <li class="nav-dropdown-list-part"> <a href="/en/2024/">Home</a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents">Table of Contents</a> </li> <li class="nav-dropdown-list-chapter foreword"> <a href="/en/2024/table-of-contents#foreword">Foreword</a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-1">Part I. Page Content</a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 1: CSS</span> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 2: JavaScript</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/markup"> Chapter 3: Markup </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/structured-data"> Chapter 4: Structured Data </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/fonts"> Chapter 5: Fonts </a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 6: Media</span> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 7: WebAssembly</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/third-parties"> Chapter 8: Third Parties </a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-2">Part II. User Experience</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/seo"> Chapter 9: SEO </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/accessibility"> Chapter 10: Accessibility </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/performance"> Chapter 11: Performance </a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 12: Privacy</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/security"> Chapter 13: Security </a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-3">Part III. Content Publishing</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/cms"> Chapter 14: CMS </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/ecommerce"> Chapter 15: Ecommerce </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/jamstack"> Chapter 16: Jamstack </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/sustainability"> Chapter 17: Sustainability </a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-4">Part IV. Content Distribution</a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 18: Page Weight</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/cdn"> Chapter 19: CDN </a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 20: HTTP</span> </li> <li class="nav-dropdown-list-chapter nav-dropdown-list-current"> <span> Chapter 21: Cookies </span> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#appendices">Appendices</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/methodology">Methodology</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/contributors">Contributors</a> </li> <li class="nav-dropdown-list-part"> <a href="/en/search">Search</a> </li> </ul> </div> </li> <li> <div class="nav-dropdown header"> <button type="button" class="nav-dropdown-btn js-enable" disabled aria-expanded="false" aria-label="Year Switcher">2024</button> <ul class="nav-dropdown-list hidden header-list"> <li class="unsupported-year"> <a href="/en/2022/">2022 Home</a> </li> <li class="unsupported-year"> <a href="/en/2021/">2021 Home</a> </li> <li class="unsupported-year"> <a href="/en/2020/">2020 Home</a> </li> <li class="unsupported-year"> <a href="/en/2019/">2019 Home</a> </li> </ul> </div> </li> <li> <div class="nav-dropdown header"> <button type="button" class="nav-dropdown-btn js-enable" disabled aria-expanded="false" aria-label="Language Switcher" >English</button> <ul class="nav-dropdown-list hidden header-list"> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/wiki/Translators'-Guide"><em>Help translate</em></a> </li> </ul> </div> </li> </ul> </nav> <nav id="menu" aria-labelledby="menu-btn"> <a href="#footer" class="menu-btn js-hide" aria-label="Page menu"> <span class="menu-btn-bar"></span> <span class="menu-btn-bar"></span> <span class="menu-btn-bar"></span> </a> <button type="button" class="menu-btn js-enable hidden" disabled id="menu-btn" aria-label="Open the menu" aria-expanded="false" data-open-text="Open the menu" data-close-text="Close the menu"> <span class="menu-btn-bar"></span> <span class="menu-btn-bar"></span> <span class="menu-btn-bar"></span> </button> <ul class="menu"> <li><a href="/en/2024/contributors">Contributors</a></li> <li><a href="/en/2024/methodology">Methodology</a></li> <li> <form class="search-nav" action="/en/search"> <label for="mobile-search-box" class="visually-hidden">Search</label> <input id="mobile-search-box" class="search-input" type="search" name="q" placeholder="Search" title="Search" aria-label="Search"> <button class="search-button" type="submit"> <svg width="13" height="13" role="img" aria-labelledby="mobile-search-icon"> <title id="mobile-search-icon">Search</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#search-logo"></use> </svg> </button> </form> </li> <li> <a class="js-hide" href="/en/2024/table-of-contents">Table of Contents</a> <div class="table-of-contents-switcher js-enable hidden"> <label for="table-of-contents-switcher-mobile" class="visually-hidden"> Table of Contents Switcher </label> <select id="table-of-contents-switcher-mobile" data-label="toc-menu-mobile"> <option value="/en/2024/">Home</option> <option value="/en/2024/table-of-contents">Table of Contents</option> <option value="/en/2024/table-of-contents#foreword">Foreword</option> <option disabled> Chapter 1: CSS </option> <option disabled> Chapter 2: JavaScript </option> <option value="/en/2024/markup"> Chapter 3: Markup </option> <option value="/en/2024/structured-data"> Chapter 4: Structured Data </option> <option value="/en/2024/fonts"> Chapter 5: Fonts </option> <option disabled> Chapter 6: Media </option> <option disabled> Chapter 7: WebAssembly </option> <option value="/en/2024/third-parties"> Chapter 8: Third Parties </option> <option value="/en/2024/seo"> Chapter 9: SEO </option> <option value="/en/2024/accessibility"> Chapter 10: Accessibility </option> <option value="/en/2024/performance"> Chapter 11: Performance </option> <option disabled> Chapter 12: Privacy </option> <option value="/en/2024/security"> Chapter 13: Security </option> <option value="/en/2024/cms"> Chapter 14: CMS </option> <option value="/en/2024/ecommerce"> Chapter 15: Ecommerce </option> <option value="/en/2024/jamstack"> Chapter 16: Jamstack </option> <option value="/en/2024/sustainability"> Chapter 17: Sustainability </option> <option disabled> Chapter 18: Page Weight </option> <option value="/en/2024/cdn"> Chapter 19: CDN </option> <option disabled> Chapter 20: HTTP </option> <option disabled selected value="/en/2024/cookies"> Chapter 21: Cookies </option> <option value="/en/2024/methodology"> Methodology </option> <option value="/en/2024/contributors"> Contributors </option> <option value="/en/search"> Search </option> </select> </div> </li> <li> <div class="year-switcher js-show"> <label for="year-switcher-mobile" class="visually-hidden">Year Switcher</label> <select id="year-switcher-mobile"> <option selected="selected" value="/en/2024/cookies"> 2024 </option> <option value="/en/2022/"> 2022 Home </option> <option value="/en/2021/"> 2021 Home </option> <option value="/en/2020/"> 2020 Home </option> <option value="/en/2019/"> 2019 Home </option> </select> </div> </li> <li> <div class="language-switcher js-show"> <label for="language-switcher-mobile" class="visually-hidden">Language Switcher</label> <select id="language-switcher-mobile"> <option selected="selected" lang="en" value="/en/2024/cookies"> English </option> <hr> <option value="https://github.com/HTTPArchive/almanac.httparchive.org/wiki/Translators'-Guide"> Help translate </option> </select> </div> </li> <li id="mobile-misc" class="misc"> <ul class="misc"> <li> <a href="https://httparchive.org/" aria-labelledby="ha-logo-mobile"> <svg width="70" height="35" role="img"> <title id="ha-logo-mobile">HTTP Archive home</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#ha-logo"></use> </svg> </a> </li> <li> <ul class="social-media"> <li> <a href="https://x.com/HTTPArchive" aria-labelledby="twitter-logo-mobile"> <svg width="20" height="20" role="img"> <title id="twitter-logo-mobile">Twitter</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#twitter-logo"></use> </svg> </a> </li> <li> <a href="https://bsky.app/profile/httparchive.org" aria-labelledby="bluesky-logo-mobile"> <svg width="20" height="20" role="img"> <title id="bluesky-logo-mobile">Bluesky</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#bluesky-logo"></use> </svg> </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org" aria-labelledby="github-logo-mobile"> <svg width="22" height="20" role="img"> <title id="github-logo-mobile">GitHub</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#github-logo"></use> </svg> </a> </li> </ul> </li> </ul> </li> </ul> </nav> </div> </div> </header> <script nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"> // If JS is enabled then enable menus ASAP to avoid CLS as menu items change from links to buttons (function() { document.querySelectorAll('.js-hide').forEach(element => { // Don't just hide it - delete it completely to avoid any specifity issues element.parentNode.removeChild(element); }); document.querySelectorAll('.js-enable').forEach(element => { element.classList.remove('js-enable'); element.classList.remove('hidden'); element.disabled = false; element.hidden = false; }); })(); </script> <div class="container"> <main id="chapter" class="main"> <nav aria-label="Chapter table of contents" class="index"> <div class="index-box floating-card"> <h2 class="header"> <button type="button" class="index-btn" aria-expanded="false" aria-label="Open the Table of Contents" data-close-text="Close the Table of Contents" data-open-text="Open the Table of Contents">Index</button> <span class="no-button">Index</span> </h2> <ul> <li> <a href="#introduction">Introduction</a> </li> <li> <a href="#definitions">Definitions</a> <ul> <li> <a href="#http-cookie">HTTP cookie</a> </li> <li> <a href="#first-and-third-party-cookies">First and third-party cookies</a> </li> <li> <a href="#privacy--security-risks">Privacy & security risks</a> </li> <li> <a href="#caveats">Caveats</a> </li> <li> <a href="#notes">Notes</a> </li> </ul> </li> <li> <a href="#prevalence-and-structure-of-cookies">Prevalence and structure of cookies</a> <ul> <li> <a href="#first-and-third-party-prevalence">First and third-party prevalence</a> </li> <li> <a href="#cookie-attributes">Cookie attributes</a> <ul> <li> <a href="#partitioned"><code>Partitioned</code></a> </li> <li> <a href="#session">Session</a> </li> <li> <a href="#httponly"><code>HttpOnly</code></a> </li> <li> <a href="#secure"><code>Secure</code></a> </li> <li> <a href="#samesite"><code>SameSite</code></a> </li> </ul> </li> <li> <a href="#cookie-prefixes">Cookie prefixes</a> </li> </ul> </li> <li> <a href="#top-first-and-third-party-cookies-and-domains-setting-them">Top first and third-party cookies and domains setting them</a> </li> <li> <a href="#number-of-cookies-set-by-websites">Number of cookies set by websites</a> </li> <li> <a href="#size-of-cookies">Size of cookies</a> </li> <li> <a href="#persistence-expiration">Persistence (expiration)</a> </li> <li> <a href="#privacy-sandbox-initiative">Privacy Sandbox initiative</a> <ul> <li> <a href="#what-is-the-privacy-sandbox-initiative">What is the Privacy Sandbox initiative?</a> </li> <li> <a href="#topics-api">Topics API</a> </li> <li> <a href="#protected-audience">Protected Audience</a> </li> <li> <a href="#attribution-reporting-api">Attribution Reporting API</a> </li> <li> <a href="#chips">CHIPS</a> </li> <li> <a href="#related-website-sets">Related Website Sets</a> </li> <li> <a href="#attestation-file">Attestation file</a> </li> </ul> </li> <li> <a href="#conclusion">Conclusion</a> </li> </ul> </div> </nav> <div class="content"> <article id="maincontent" class="body"> <div class="subtitle"> Part IV Chapter 21 </div> <h1 class="title title-lg"> Cookies </h1> <div class="article-dates"> <div class="article-date"> Date published: <time id="published-date" datetime="2024-11-11T00:00:00.000Z">2024/11/11</time> </div> <div class="article-date"> Last updated: <time id="modified-date" datetime="2024-11-16T00:00:00.000Z">2024/11/16</time> </div> <script nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"> // Update chapter dates to locale/language-specific format immeadiately with inline // script to avoid annoying shift as much as possible since this is in initial viewport. function formatDates(selector) { if (window.Intl && window.Intl.DateTimeFormat) { var publishedDateElement=document.querySelector(selector); if (!publishedDateElement) return; var publishedDate = new Date(publishedDateElement.getAttribute("datetime")); // Set up the date format - initially using the users default locale // This allows different locales in same language to be respected // (e.g. en-GB or en-US). var options = { day: "numeric", month: "short", year: "numeric", timeZone: "UTC" }; var dateFormat = new Intl.DateTimeFormat([], options) const usedOptions = dateFormat.resolvedOptions(); if (!usedOptions.locale.startsWith("en")) { // Reader is looking at a page in a language that is not their default locale // Set date format to page's language locale to avoid incorrect date translation. dateFormat = new Intl.DateTimeFormat("en", options) } publishedDateElement.textContent = dateFormat.format(publishedDate); } else { console.log("Could not format date"); } } formatDates("#published-date"); formatDates("#modified-date"); </script> </div>  <picture> <source media="(min-width: 866px)" type="image/avif" srcset="/static/images/2024/cookies/hero_lg.avif"> <source media="(min-width: 866px)" type="image/webp" srcset="/static/images/2024/cookies/hero_lg.webp"> <source media="(min-width: 866px)" type="image/jpeg" srcset="/static/images/2024/cookies/hero_lg.jpg"> <source type="image/avif" srcset="/static/images/2024/cookies/hero_sm.avif 1x, /static/images/2024/cookies/hero_lg.avif 2x"> <source type="image/webp" srcset="/static/images/2024/cookies/hero_sm.webp 1x, /static/images/2024/cookies/hero_lg.webp 2x"> <source type="image/jpeg" srcset="/static/images/2024/cookies/hero_sm.jpg 1x, /static/images/2024/cookies/hero_lg.jpg 2x"> <img src="/static/images/2024/cookies/hero_lg.jpg" class="content-banner" alt="Hero image of Web Almanac characters carrying a large cookie, while crumbs are thrown off by another character. Another Web Almanac character is following the trail of cookies with a detective hat and a magnifying glass." width="866" height="433" fetchpriority="high"> </picture> <div class="bylines"> <div class="byline">Written by <a class="author" href="/en/2024/contributors#yohhaan">Yohan Beugin</a>, <a class="author" href="/en/2024/contributors#samdutton">Sam Dutton</a>, and <a class="author" href="/en/2024/contributors#ydimova">Yana Dimova</a> </div> <div class="byline reviewers">Reviewed by <a class="reviewer" href="/en/2024/contributors#samdutton">Sam Dutton</a> and <a class="reviewer" href="/en/2024/contributors#rowan-m">Rowan Merewood</a> </div> <div class="byline analysts">Analyzed by <a class="analyst" href="/en/2024/contributors#yohhaan">Yohan Beugin</a> </div> <div class="byline editors">Edited by <a class="editor" href="/en/2024/contributors#tunetheweb">Barry Pollard</a> </div> </div> <h2 id="introduction"><a href="#introduction" class="anchor-link">Introduction</a></h2> <p>The following chapter of the Web Almanac 2024 is focused on cookies. Cookies have multiple functionalities and are to some extent essential for the web鈥攆or example, for authentication, fraud prevention and security. However, some cookies can track users across websites and are utilized to build behavior profiles.</p> <p>In this chapter, we measure the prevalence and structure of web cookies encountered while visiting mainly the top one million websites during the HTTP Archive crawl of June 2024.</p> <p>Additionally, we discuss and measure the adoption of alternative mechanisms to third-party cookies that were introduced by Google on Chrome as part of the <a hreflang="en" href="https://privacysandbox.com/">Privacy Sandbox</a> initiative to reduce cross-site tracking.</p> <p> We find that 61% of cookies are set in a third-party context. Generally, third-party cookies can be used for online tracking and targeted advertising. For this reason, Google proposed to phase out all third-party cookies and introduce more privacy-friendly options to replace their functionality with the Privacy Sandbox.</p> <p> On the other hand, not all third-party cookies are used for online tracking. Browsers such as Chrome include a number of ways to limit the way that third-party cookies are used. For example, cookies that are partitioned (CHIPS) cannot be accessed across different top-level sites from the one the cookies are set on originally, which makes it impossible to track users across websites. Nonetheless, we find that the most prevalent partitioned cookies are set by domains related to advertising. Another example is the <code>SameSite</code> cookies attribute, which ensures that (first-party) cookies are not included in cross-site requests by default. Trackers can disable this setting by explicitly setting the value of the <code>SameSite</code> attribute to <code>None</code>. Therefore, in practice, we find that for 11% of observed first-party cookies, <code>SameSite</code> is set to <code>None</code>. Additionally, we observe that the most widely set third-party cookies are used for advertising and analytics, with Google being prevalent on the largest percentage of websites.</p> <p> First-party cookies can also be used to track recurring users. From our analysis, we conclude that the most prevalent first-party cookies are used for analytics. In theory, because of the same-origin policy, these cookies cannot be used for cross-site tracking. However, by using advanced tracking methods such as cookie syncing and CNAME tracking, trackers can bypass this limitation. We refer to the <a href="./privacy">Privacy</a> chapter for more details on online tracking methods.</p> <p> Our results indicate both first-party and third-party tracking are common. We show that online tracking by means of cookies is still predominant on the web.</p> <h2 id="definitions"><a href="#definitions" class="anchor-link">Definitions</a></h2> <p>First up let’s get a common understanding of some of the terms used in this chapter.</p> <h3 id="http-cookie"><a href="#http-cookie" class="anchor-link">HTTP cookie</a></h3> <p>When a user visits a website, they interact with a web server that can request the user’s web browser to set and save an <a href="https://developer.mozilla.org/docs/Web/HTTP/Cookies">HTTP cookie</a>. This cookie corresponds to data saved in a text string on the user’s device, and is sent with subsequent HTTP requests to the web server. Cookies are used to persist stateful information about users across multiple HTTP requests, which can allow authentication, session management, and tracking. Cookies are also associated with privacy and security risks.</p> <h3 id="first-and-third-party-cookies"><a href="#first-and-third-party-cookies" class="anchor-link">First and third-party cookies</a></h3> <p>Cookies are set by a web server and there are two types of cookies: <strong>first-party</strong> and <strong>third-party</strong> cookies. First-party cookies are set by the same domain as the site the user is visiting, while third-party cookies are set from a different domain.</p> <p>Third-party cookies may be from a third party, or from a different site or service belonging to the same “first party” as the top-level site. <strong>Third-party cookies</strong> are really <strong>cross-site cookies</strong>.</p> <p>For example, imagine that the owner of the domain <code>example.com</code> also owns <code>example.net</code> and that the following cookies are set for a user visiting <code>https://www.example.com</code>:</p> <figure id="fig-1"> <div class="table-wrap"> <div class="table-wrap-container"> <table> <thead> <tr> <th>Cookie Name</th> <th>Set by</th> <th>Type of cookie</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td><code>cookie_a</code></td> <td><code>www.example.com</code></td> <td>First-party</td> <td>Same domain as visited website</td> </tr> <tr> <td><code>cookie_b</code></td> <td><code>cart.example.com</code></td> <td>First-party</td> <td>Same domain as visited website: subdomains do not matter</td> </tr> <tr> <td><code>cookie_c</code></td> <td><code>www.example.edu</code></td> <td>Third-party</td> <td>Different domain than visited website</td> </tr> <tr> <td><code>cookie_d</code></td> <td><code>tracking.example.org</code></td> <td>Third-party</td> <td>Different domain than visited website</td> </tr> <tr> <td><code>cookie_e</code></td> <td><code>login.example.net</code></td> <td>Third-party</td> <td>Different domain than visited website even if owned by the same owner in this example (cross-site cookie from the same “first party” at the top-level site)</td> </tr> </tbody> </table> </div> </div> <figcaption> <a href="#fig-1" class="anchor-link">Figure 21.1.</a> Cookie Context. </figcaption> </figure> <h3 id="privacy--security-risks"><a href="#privacy--security-risks" class="anchor-link">Privacy & security risks</a></h3> <p><strong>Web tracking.</strong> Cookies are used by third parties to track users across websites and record their browsing behavior and interests. In targeted advertising, this data is leveraged to show users advertisements aligned with their interest. This tracking usually takes place the following way; third-party code embedded on a site can set a cookie that identifies a user. Then, the same third-party can record user activity by obtaining that cookie back when the user visits other websites where it is embedded as well (see also the <a href="./privacy">Privacy</a> chapter). We note that first-party cookies can also be used for online tracking, methods such as cookie syncing allow to bypass the limitation of third-party cookies and track users <a hreflang="en" href="https://dl.acm.org/doi/abs/10.1145/3442381.3449837">across different websites</a>.</p> <p><strong>Cookie theft and session hijacking.</strong> Cookies are used to store session information such as credentials (session token) for authentication purposes across several HTTP requests. However, if these cookies were to be obtained by a malicious actor they could use them to authenticate to the corresponding web servers. If cookies are not properly set by web servers, they could be prone to cross-site vulnerabilities such as <a href="https://developer.mozilla.org/docs/Glossary/Session_Hijacking">session hijacking</a>, cross-site request forgery (<a href="https://developer.mozilla.org/docs/Web/Security/Practical_implementation_guides/CSRF_prevention">CSRF</a>), cross-site script inclusion (<a href="https://developer.mozilla.org/docs/Glossary/Cross-site_scripting">XSS</a>), and others (see also the <a href="./security">Security</a> chapter).</p> <h3 id="caveats"><a href="#caveats" class="anchor-link">Caveats</a></h3> <p>You can learn more about the methodology applied by the HTTP Archive for the Web Almanac in 2024 on the <a href="./methodology">Methodology</a> page. There are limitations to that methodology which may impact the results in this chapter:</p> <ul> <li>Data is collected by automatically visiting websites in a non-interactive way; user interaction could modify the way websites set and use cookies in practice. For example, HTTP Archive’s tools do not interact with cookie banners (if any) and so cookies that would be set after interaction with these banners are not observed by our study.</li> <li>Websites are visited from servers located in the US that have no cookie set when each independent website visit starts; this is quite different from a user accumulating and saving web cookies while browsing the web. The location from which visits are performed can impact cookie behavior due to regulation and legislation such as <a hreflang="en" href="https://gdpr-info.eu/">GDPR</a>.</li> <li>For each website, the home page is visited as well as one other page from the same website.</li> <li>Most of the results presented in this chapter are based on the top one million most visited websites according to the <a href="https://developer.chrome.com/docs/crux">Chrome User Experience Report (CrUX}</a> that were successfully reached during the HTTP Archive crawl of June 2024.</li> <li>The cookies collected for the analysis in this chapter were obtained at the end of the visit of each website page by extracting all cookies stored by the web browser in its cookie jar. As a result, the collected data only contains cookies that are deemed valid by the web browser and successfully set. Thus, if websites attempt to set invalid cookies (too large, attributes mismatch, etc.) they would be missing from our analysis.</li> </ul> <h3 id="notes"><a href="#notes" class="anchor-link">Notes</a></h3> <p>The figures plotted in this chapter indicate in their subtitle (a) the type of client device (<strong>desktop</strong> or <strong>mobile</strong>) that was used to access the websites for the plotted data and (b) the top number of websites visited (according to their <a href="https://developer.chrome.com/blog/crux-rank-magnitude">CrUX rank</a>). If the information is not specified, it must be on one of the axes of the graph.</p> <h2 id="prevalence-and-structure-of-cookies"><a href="#prevalence-and-structure-of-cookies" class="anchor-link">Prevalence and structure of cookies</a></h2> <p>In this section, we report on the prevalence of cookies, their type, and their attributes on the web.</p> <h3 id="first-and-third-party-prevalence"><a href="#first-and-third-party-prevalence" class="anchor-link">First and third-party prevalence</a></h3> <p>First-party cookies are set by the same domain as the website that the user is visiting, while third-party cookies are set by a different domain <a href="#definitions">see Definitions</a>. In this analysis, we examine the percentage of cookies set on websites that are first- and third-party across clients (desktop or mobile) and CrUX ranks.</p> <figure id="fig-2"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/first-and-third-party-prevalence.png" class=""> <img src="/static/images/2024/cookies/first-and-third-party-prevalence.png" alt="First- and third-party prevalence." aria-labelledby="fig-2-caption" aria-describedby="fig-2-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=627993125&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_type_attributes_per_rank.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/first-and-third-party-prevalence.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-2-description" data-show-text="Show description of Figure 21.2" data-hide-text="Hide description of Figure 21.2">Show description of Figure 21.2</button> <div id="fig-2-description" class="hidden">Bar chart showing the prevalence of first- and third-party cookies on desktop and mobile clients. For both clients, we see the same distribution: 39% of cookies are first-party and 61% of cookies set are third-party.</div> <figcaption id="fig-2-caption"> <a href="#fig-2" class="anchor-link">Figure 21.2.</a> First- and third-party prevalence. </figcaption> </figure> <p>On the top one million most visited websites, about 39% of the cookies are first-party and 61% are third-party cookies. Thus, a majority of the cookies set on the web are third-party cookies. We also observe that this distribution is very similar whether these websites are accessed through a desktop or a mobile client. This indicates that overall there is little to no behavior change based on the type of client used. However, some websites may still behave differently and/or use other tracking methods such as fingerprinting depending on the type of client (see the <a href="./privacy">Privacy</a> chapter for more).</p> <figure id="fig-3"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/first-and-third-party-prevalence-by-rank-desktop.png" class=""> <img src="/static/images/2024/cookies/first-and-third-party-prevalence-by-rank-desktop.png" alt="First- and third-party prevalence of cookies by rank on desktop clients." aria-labelledby="fig-3-caption" aria-describedby="fig-3-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1327011561&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_type_attributes_per_rank.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/first-and-third-party-prevalence-by-rank-desktop.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-3-description" data-show-text="Show description of Figure 21.3" data-hide-text="Hide description of Figure 21.3">Show description of Figure 21.3</button> <div id="fig-3-description" class="hidden">Bar chart showing the prevalence of first- and third-party cookies on desktop clients according to the popularity of the website (we used Chrome User Experience report to determine the popularity of websites). We see that more popular websites set significantly more third-party cookies. For the top one thousand most popular websites on desktop clients, 77% of cookies set are third-party, while for the top one million websites, 61% of cookies are third-party. One explanation for this difference is that more popular websites tend to include more third-party content that sets cookies.</div> <figcaption id="fig-3-caption"> <a href="#fig-3" class="anchor-link">Figure 21.3.</a> First- and third-party prevalence of cookies by rank on desktop clients. </figcaption> </figure> <figure id="fig-4"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/first-and-third-party-prevalence.png-by-rank-mobile.png" class=""> <img src="/static/images/2024/cookies/first-and-third-party-prevalence.png-by-rank-mobile.png" alt="First- and third-party prevalence of cookies by rank on mobile clients." aria-labelledby="fig-4-caption" aria-describedby="fig-4-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1792338085&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_type_attributes_per_rank.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/first-and-third-party-prevalence.png-by-rank-mobile.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-4-description" data-show-text="Show description of Figure 21.4" data-hide-text="Hide description of Figure 21.4">Show description of Figure 21.4</button> <div id="fig-4-description" class="hidden">Bar chart showing the prevalence of first- and third-party cookies on mobile clients according to the popularity of the website (we used Chrome User Experience report to determine the popularity of websites). We see that more popular websites set significantly more third-party cookies. For the top one thousand most popular websites on desktop clients, 77% of cookies set are third-party, while for the top one million websites, 61% of cookies are third-party. One explanation for this difference is that more popular websites tend to include more third-party content that sets cookies. We see the same results for both mobile and desktop clients.</div> <figcaption id="fig-4-caption"> <a href="#fig-4" class="anchor-link">Figure 21.4.</a> First- and third-party prevalence of cookies by rank on mobile clients. </figcaption> </figure> <p>Looking at the prevalence of the type of cookies across website rankings, we observe that more popular websites have a higher proportion of third-party cookies than the ones visited less often. For instance, in comparison to the results reported on the top one million websites, 23% and 77% of the cookies are first and third-party on the top one thousand (top one thousand) websites, respectively. This is likely due to the fact that websites that are the most visited by users embed more third-party code (that in turn sets more third-party cookies) than less visited ones. Additionally, the prevalence of each cookie type across the ranks is quite similar between desktop and mobile clients; we observe that previous remarks made on the top one million websites also hold across CrUX ranks.</p> <h3 id="cookie-attributes"><a href="#cookie-attributes" class="anchor-link">Cookie attributes</a></h3> <p>Next, we discuss the distribution of different cookie <a href="https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie">attributes</a>. Furthermore, we zoom into the use of the <code>SameSite</code> cookie attribute. The following two figures show the proportion of first and third-party cookies set on the top one million websites for each client that have one of the following attributes set: <code>Partitioned</code>, <code>Session</code>, <code>HttpOnly</code>, <code>Secure</code>, <code>SameSite</code>. Before diving into more details for each attribute, let’s observe here again the similarity of the distribution of the different attributes between desktop or mobile clients.</p> <figure id="fig-5"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/cookies-attributes-overview-desktop.png" class=""> <img src="/static/images/2024/cookies/cookies-attributes-overview-desktop.png" alt="An overview of cookie attributes for desktop clients." aria-labelledby="fig-5-caption" aria-describedby="fig-5-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=69067153&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_attributes_per_type.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/cookies-attributes-overview-desktop.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-5-description" data-show-text="Show description of Figure 21.5" data-hide-text="Hide description of Figure 21.5">Show description of Figure 21.5</button> <div id="fig-5-description" class="hidden">This figures gives an overview of how cookie attributes are used for desktop clients for both first- and third-party cookies. 100% of third-party cookies include the <code>SameSite</code> and <code>Secure</code> attributes. Only 1% of first-party cookies and 6% of third-party cookies use <code>Partioned</code>. 16% of first-party cookies set their <code>Session</code> attribute, while this is the case for only 4% of third-party cookies. Finally, 12% of first-party cookies and 19% of third-party cookies use the <code>HttpOnly</code> attribute.</div> <figcaption id="fig-5-caption"> <a href="#fig-5" class="anchor-link">Figure 21.5.</a> An overview of cookie attributes for desktop clients. </figcaption> </figure> <figure id="fig-6"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/cookies-attributes-overview-mobile.png" class=""> <img src="/static/images/2024/cookies/cookies-attributes-overview-mobile.png" alt="An overview of cookie attributes for mobile clients." aria-labelledby="fig-6-caption" aria-describedby="fig-6-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=2109248653&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_attributes_per_type.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/cookies-attributes-overview-mobile.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-6-description" data-show-text="Show description of Figure 21.6" data-hide-text="Hide description of Figure 21.6">Show description of Figure 21.6</button> <div id="fig-6-description" class="hidden">This figures gives an overview of how cookie attributes are used for mobile clients for both first- and third-party cookies. We observe the exact same results as for desktop clients. 100% of third-party cookies include the <code>SameSite</code> and <code>Secure</code> attributes. Only 1% of first-party cookies and 6% of third-party cookies use <code>Partioned</code>. 16% of first-party cookies set their <code>Session</code> attribute, while this is the case for only 4% of third-party cookies. Finally, 12% of first-party cookies and 19% of third-party cookies use the <code>HttpOnly</code> attribute.</div> <figcaption id="fig-6-caption"> <a href="#fig-6" class="anchor-link">Figure 21.6.</a> An overview of cookie attributes for mobile clients. </figcaption> </figure> <h4 id="partitioned"> <a href="#partitioned" class="anchor-link"><code>Partitioned</code></a> </h4> <p>Partitioned cookies are stored by <a href="https://developer.mozilla.org/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies#browser_compatibility">compatible browsers</a> using partitioned storage. Cookies that have the <code>Partitioned</code> attribute set can only be accessed by the same third party and from the same top-level site where they were created in the first place. In other words, partitioned cookies can not be used for third-party tracking across websites and allow for the legitimate use of third-party cookies on a top-level site. For more details see: <a href="https://developer.mozilla.org/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies">Cookies Having Independent Partitioned State (CHIPS)</a>.</p> <p>We observe that about 6% of third-party cookies set on desktop or mobile while visiting the top one million websites are partitioned. The next figure shows the most common partitioned cookies (name and domain) that are set in third-party context on the top one million websites. For each client (desktop and mobile) only the top ten partitioned cookies in percentage of websites they are seen on are reported. The top 2 most widely-used partitioned cookies are set by <code>youtube.com</code> on 9.9% on desktop and 8.89% mobile websites. The <code>YSC</code> cookie is used for security purposes i.e., to prevent fraud and abuse, and expires at the end of the user session, while <code>VISITOR_INFO1_LIV</code>’s main purpose is analytics (see <a hreflang="en" href="https://policies.google.com/technologies/cookies/embedded?hl=en-US">Google’s documentation</a>). Most of the cookies listed in the graph are set by advertising domains e.g., <code>adnxs.com</code>, <code>criteo.com</code>, and <code>doubleclick.net</code>.</p> <figure id="fig-7"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/top-third-party-CHIPS.png" class=""> <img src="/static/images/2024/cookies/top-third-party-CHIPS.png" alt="Top partitioned cookies (CHIPS) in third-party context." aria-labelledby="fig-7-caption" aria-describedby="fig-7-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1075137054&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1597405066"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/CHIPS_top_20_third_party_cookies.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/top-third-party-CHIPS.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-7-description" data-show-text="Show description of Figure 21.7" data-hide-text="Hide description of Figure 21.7">Show description of Figure 21.7</button> <div id="fig-7-description" class="hidden">A chart showing the top third-party domains setting partitioned cookies. The top two partitioned cookies set are Google-owned. <code>YSC</code> and <code>VISITOR_INFO1_LIVE</code> are set by <code>youtube.com</code> on 9.9% of desktop websites and 8.9% of mobile websites. Most of the top domains using CHIPS belong to the advertising or analytics category.</div> <figcaption id="fig-7-caption"> <a href="#fig-7" class="anchor-link">Figure 21.7.</a> Top partitioned cookies (CHIPS) in third-party context. </figcaption> </figure> <p>Perhaps a bit surprising, 1% of all the first-party cookies that are set on the top one million websites (desktop and mobile client) are partitioned. However, partitioning cookies in a first-party context appears to be a bit redundant as first-party cookies are already accessible, by definition, only by that first-party on that top-level site. The following figure displays the top ten partitioned cookies set in first-party context for each client. <code>receive-cookie-deprecation</code> is set by domains that <a href="https://developers.google.com/privacy-sandbox/private-advertising/setup/web/chrome-facilitated-testing">participate in the testing phase</a> of Chrome’s Privacy Sandbox. <code>cf_clearance</code> and <code>csrf_token</code> are cookies set by Cloudflare to indicate that the user has successfully completed an anti-bot challenge or to identify trusted web traffic, respectively.</p> <figure id="fig-8"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/top-first-party-CHIPS.png" class=""> <img src="/static/images/2024/cookies/top-first-party-CHIPS.png" alt="Top partitioned cookies (CHIPS) in first-party context." aria-labelledby="fig-8-caption" aria-describedby="fig-8-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1330654598&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1597405066"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/CHIPS_top_20_first_party_cookies.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/top-first-party-CHIPS.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-8-description" data-show-text="Show description of Figure 21.8" data-hide-text="Hide description of Figure 21.8">Show description of Figure 21.8</button> <div id="fig-8-description" class="hidden">A chart showing the top first-party partitioned cookies. The top cookie <code>receive-cookie-deprecation</code> is part of the Privacy Sandbox’s testing phase. The second most widely set first-party partitioned cookie is set by Cloudflare on 4.21% of desktop sites and 4.13% of mobile pages, and indicates that the user has successfully completed bot detection.</div> <figcaption id="fig-8-caption"> <a href="#fig-8" class="anchor-link">Figure 21.8.</a> Top partitioned cookies (CHIPS) in first-party context. </figcaption> </figure> <h4 id="session"><a href="#session" class="anchor-link">Session</a></h4> <p>Session cookies are cookies that are only valid for a single user session. In other words, session cookies are temporary and expire once the user quits the corresponding website they were set on, or closes their web browser, whichever happens first. However, note that some web browsers allow users to restore a previous session on startup, in that case the session cookies set in that previous session are also restored.</p> <p>The results from our analysis on the top one million websites in June 2024 show that 16% of first-party cookies and only 4% of third-party cookies are session cookies (on both desktop and mobile clients).</p> <h4 id="httponly"> <a href="#httponly" class="anchor-link"><code>HttpOnly</code></a> </h4> <p> The <a href="https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie#httponly"><code>HttpOnly</code></a> attribute prevents cookies from being accessed by javascript code, this provides some mitigation against <a href="https://developer.mozilla.org/docs/Glossary/Cross-site_scripting">cross-site scripting (XSS)</a> attacks. Note that setting the <code>HttpOnly</code> attribute does not prevent cookies from being sent along <code>XMLHttpRequest</code> or <code>fetch</code> requests initiated from javascript. </p> <p>Only 12% of first-party cookies have the <code>HttpOnly</code> attribute set, while for third-party cookies 19% on desktop and 18% on mobile do.</p> <h4 id="secure"> <a href="#secure" class="anchor-link"><code>Secure</code></a> </h4> <p> Cookies with the <a href="https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie#secure"><code>Secure</code></a> attribute are only sent to requests made through HTTPs. This prevents <a href="https://developer.mozilla.org/docs/Glossary/MitM">man-in-the-middle</a> attacks. </p> <p>For first-party cookies, 23% on desktop and 22% on mobile have the <code>Secure</code> attribute and all third-party cookies observed have the <code>Secure</code> attribute. Indeed, these third-party cookies also have the <code>SameSite=None</code> attribute that requires <code>Secure</code> to be set (see the next section).</p> <h4 id="samesite"> <a href="#samesite" class="anchor-link"><code>SameSite</code></a> </h4> <p> The <a href="https://developer.mozilla.org/docs/Web/HTTP/Cookies#controlling_third-party_cookies_with_samesite"><code>SameSite</code></a> cookie attribute allows sites to specify when cookies are included with cross-site requests: </p> <ul> <li><code>SameSite=Strict</code>: a cookie is only sent in response to a request from the same site as the cookie’s origin.</li> <li><code>SameSite=Lax</code>: same as <code>SameSite=Strict</code> except that the browser also sends the cookie on navigation to the cookie’s origin site. This is the default value of <code>SameSite</code>.</li> <li><code>SameSite=None</code>: cookies are sent on same-site or cross-site requests. This means that in order to make third-party tracking with cookies possible, the tracking cookies must have their <code>SameSite</code> attribute set to <code>None</code>.</li> </ul> <p>To learn more about the <code>SameSite</code> attribute, see the following references:</p> <ul> <li> <a href="https://web.dev/articles/samesite-cookies-explained"><code>SameSite</code> cookies explained</a> </li> <li><a href="https://web.dev/articles/same-site-same-origin">“Same-site” and “same-origin”</a></li> <li><a href="https://web.dev/articles/url-parts">What are the parts of a URL?</a></li> </ul> <figure id="fig-9"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/same-site-desktop.png" class=""> <img src="/static/images/2024/cookies/same-site-desktop.png" alt="SameSite attribute for cookies on desktop client." aria-labelledby="fig-9-caption" aria-describedby="fig-9-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=797398172&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_attributes_per_type.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/same-site-desktop.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-9-description" data-show-text="Show description of Figure 21.9" data-hide-text="Hide description of Figure 21.9">Show description of Figure 21.9</button> <div id="fig-9-description" class="hidden">Shows the prevalence of the <code>SameSite</code> attribute and its value for both first-party and third-party cookies on desktop clients. 2.16% of first-party cookies set the <code>SameSite</code> attribute to <code>Strict</code>, 20.17% use <code>SameSite=Lax</code> (which is the default), 10.78% set the value to <code>None</code> and 66.89% do not specify the value of <code>SameSite</code>. Nearly 100% of third-party cookies set the <code>SameSite</code> attribute to <code>None</code>, in order for these cookies to be sent in a cross-site context.</div> <figcaption id="fig-9-caption"> <a href="#fig-9" class="anchor-link">Figure 21.9.</a> <code>SameSite</code> attribute for cookies on desktop client. </figcaption> </figure> <figure id="fig-10"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/same-site-mobile.png" class=""> <img src="/static/images/2024/cookies/same-site-mobile.png" alt="SameSite attribute for cookies on mobile client." aria-labelledby="fig-10-caption" aria-describedby="fig-10-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=2030447900&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_attributes_per_type.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/same-site-mobile.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-10-description" data-show-text="Show description of Figure 21.10" data-hide-text="Hide description of Figure 21.10">Show description of Figure 21.10</button> <div id="fig-10-description" class="hidden">Shows the prevalence of the <code>SameSite</code> attribute and its value for both first-party and third-party cookies on mobile clients. We see very similar results as for desktop clients. 2.21% of first-party cookies set the <code>SameSite</code> attribute to <code>Strict</code>, 20% use <code>SameSite=Lax</code> (which is the default), 10.63% set the value to None and 67.16% do not specify the value of <code>SameSite</code>. Nearly 100% of third-party cookies set the <code>SameSite</code> attribute to <code>None</code>, in order for these cookies to be sent in a cross-site context.</div> <figcaption id="fig-10-caption"> <a href="#fig-10" class="anchor-link">Figure 21.10.</a> <code>SameSite</code> attribute for cookies on mobile client. </figcaption> </figure> <p>We observe that for each client about 33% of the first-party cookies and nearly 100% third-party cookies seen on the top one million websites have a <code>SameSite</code> attribute that is explicitly set when they are created (reminder: <code>SameSite</code> defaults to <code>Lax</code> if not specified). The two bar charts above represent the distribution of this <code>SameSite</code> attribute for first and third-party cookies across clients. We observe that the differences in results across clients is here again somewhat negligible. Nearly 100% of third-party cookies have <code>SameSite=None</code>, and so are sent on cross-site requests. For first-party cookies, about 87% of them have the <code>SameSite=Lax</code> (20% explicitly set the attribute, and the remaining 67% are concerned by the default behavior when <code>SameSite</code> is not set). 11% of cookies have their <code>SameSite</code> attributes explicitly set to have the value <code>None</code>. It’s hard to determine the exact purpose for which cookies are set, but it is likely that a fraction of these cookies are used to track users in a first-party context. Only 2% of cookies have <code>SameSite</code> set to <code>Strict</code>.</p> <h3 id="cookie-prefixes"><a href="#cookie-prefixes" class="anchor-link">Cookie prefixes</a></h3> <p>Two <a href="https://developer.mozilla.org/docs/Web/HTTP/Cookies#cookie_prefixes">cookie prefixes</a> <code>__Host-</code> and <code>__Secure-</code> can be used in the cookie name to indicate that they can only be set or modified by a secure HTTPS origin. This is to defend against <a href="https://developer.mozilla.org/docs/Web/Security/Types_of_attacks#session_fixation">session fixation</a> attacks. Cookies with both prefixes must be set by a secure HTTPs origin and have the <code>Secure</code> attribute set. Additionally, <code>__Host-</code> cookies must not contain a <code>Domain</code> attribute and have their <code>Path</code> set to <code>/</code>, thus <code>__Host-</code> cookies are only sent back to the exact host they were set on, and so not to any parent domain.</p> <figure id="fig-11"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/cookie-prefixes-desktop.png" class=""> <img src="/static/images/2024/cookies/cookie-prefixes-desktop.png" alt="Cookie prefixes observed on desktop pages." aria-labelledby="fig-11-caption" aria-describedby="fig-11-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1005258943&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_attributes_per_type.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/cookie-prefixes-desktop.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-11-description" data-show-text="Show description of Figure 21.11" data-hide-text="Hide description of Figure 21.11">Show description of Figure 21.11</button> <div id="fig-11-description" class="hidden">Shows the observed cookies prefixes used on desktop pages. We see that 0.032% of first-party cookies and only 0.001% of third-party cookies include <code>__Host-</code>. Similarly, 0.03% of first-party cookies and 0.001% of third-party cookies include <code>__Secure-</code>. </div> <figcaption id="fig-11-caption"> <a href="#fig-11" class="anchor-link">Figure 21.11.</a> Cookie prefixes observed on desktop pages. </figcaption> </figure> <figure id="fig-12"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/cookie-prefixes-mobile.png" class=""> <img src="/static/images/2024/cookies/cookie-prefixes-mobile.png" alt="Cookie prefixes observed on mobile pages." aria-labelledby="fig-12-caption" aria-describedby="fig-12-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=747475408&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1700493344"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/prevalence_attributes_per_type.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/cookie-prefixes-mobile.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-12-description" data-show-text="Show description of Figure 21.12" data-hide-text="Hide description of Figure 21.12">Show description of Figure 21.12</button> <div id="fig-12-description" class="hidden">Shows the observed cookies prefixes used on mobile pages. We observe very similar results to the cookies prefixes used on desktop pages. We see that 0.031% of first-party cookies and only 0.001% of third-party cookies include <code>__Host-</code>. Similarly, 0.03% of first-party cookies and 0.001% of third-party cookies include <code>__Secure-</code>. </div> <figcaption id="fig-12-caption"> <a href="#fig-12" class="anchor-link">Figure 21.12.</a> Cookie prefixes observed on mobile pages. </figcaption> </figure> <p>We measure that 0.032% and 0.030% of the first-party cookies observed on desktop have the <code>__Host-</code> and <code>__Secure-</code> prefix set, respectively. These numbers are 0.001% for third-party cookies. These results show the very low adoption of these prefixes and the associated defense-in-depth measure since they were first <a hreflang="en" href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-4.1.3.1">introduced</a> at the end of 2015.</p> <h2 id="top-first-and-third-party-cookies-and-domains-setting-them"><a href="#top-first-and-third-party-cookies-and-domains-setting-them" class="anchor-link">Top first and third-party cookies and domains setting them</a></h2> <p>In the following section, we report for each client (desktop and mobile) the top ten first-party cookies, third-party cookies, as well as domains that set them. We comment on a few of them using results from <a hreflang="en" href="https://cookiepedia.co.uk/">Cookiepedia</a> and invite curious readers to refer to this resource for more.</p> <figure id="fig-13"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/top-first-party-cookies-set.png" class=""> <img src="/static/images/2024/cookies/top-first-party-cookies-set.png" alt="Top first-party cookies set." aria-labelledby="fig-13-caption" aria-describedby="fig-13-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1305664900&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1236728722"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/top_20_first_party_cookies.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/top-first-party-cookies-set.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-13-description" data-show-text="Show description of Figure 21.13" data-hide-text="Hide description of Figure 21.13">Show description of Figure 21.13</button> <div id="fig-13-description" class="hidden">The chart shows the most widely-set first-party cookies. Google Analytics sets the <code>_ga</code> and <code>_gid</code> cookies, which are used for website statistics and analytics reports, on more than 61% of websites for both mobile and desktop clients.</div> <figcaption id="fig-13-caption"> <a href="#fig-13" class="anchor-link">Figure 21.13.</a> Top first-party cookies set. </figcaption> </figure> <p>The first two first-party cookies <code>_ga</code> and <code>_gid</code> are set by <a hreflang="en" href="https://business.safety.google/adscookies/">Google Analytics</a> to store client identifiers and statistics for site analytics reports, a majority of websites use Google Analytics (more than 60% and 35%, respectively). The third one <code>_fbp</code> is set by Facebook and used for targeted advertising on 25% of the websites.</p> <figure id="fig-14"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/top-third-party-cookies-set.png" class=""> <img src="/static/images/2024/cookies/top-third-party-cookies-set.png" alt="Top third-party cookies and domains that set them." aria-labelledby="fig-14-caption" aria-describedby="fig-14-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=219338324&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1236728722"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/top_20_third_party_cookies.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/top-third-party-cookies-set.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-14-description" data-show-text="Show description of Figure 21.14" data-hide-text="Hide description of Figure 21.14">Show description of Figure 21.14</button> <div id="fig-14-description" class="hidden">The chart shows the most widely-set third-party cookies. DoubleClick sets third-party advertising cookies on 28.9% websites and 26.7% of mobile websites. Microsoft also sets advertising cookies on 12.4% of desktop and 11.3% of mobile pages. Most of the top domains setting third-party cookies are related to tracking and advertising.</div> <figcaption id="fig-14-caption"> <a href="#fig-14" class="anchor-link">Figure 21.14.</a> Top third-party cookies and domains that set them. </figcaption> </figure> <p>The <code>IDE</code> and <code>test_cookie</code> cookies are set by <code>doubleclick.net</code> (owned by Google) and are the most common third-party cookies observed on the top one million websites; they are used for targeted advertising. DoubleClick checks if a user’s web browser supports third-party cookies by trying to set <code>test_cookie</code>. <code>MUID</code> from Microsoft comes next and is also used in targeted advertising to store the user’s unique identifier for cross-site tracking.</p> <figure id="fig-15"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/top-cookie-domains.png" class=""> <img src="/static/images/2024/cookies/top-cookie-domains.png" alt="Top registrable domains setting cookies." aria-labelledby="fig-15-caption" aria-describedby="fig-15-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=418361658&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1236728722"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/top_20_domains_setting_cookies.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/top-cookie-domains.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-15-description" data-show-text="Show description of Figure 21.15" data-hide-text="Hide description of Figure 21.15">Show description of Figure 21.15</button> <div id="fig-15-description" class="hidden">The chart shows the most common domains that set cookies on the web. Google’s owned advertising platform DoubleClick sets cookies on more than 44% of the top one million websites while others are at about 8% to 12%.</div> <figcaption id="fig-15-caption"> <a href="#fig-15" class="anchor-link">Figure 21.15.</a> Top registrable domains setting cookies. </figcaption> </figure> <p>Among the ten most common domains that set cookies on the web, we only find domains involved in search, targeting, and advertising services. This result outlines the coverage that some third-parties have of the web, for example: Google’s owned advertising platform DoubleClick sets cookies on more than 44% of the top one million websites while others are at about 8% to 12%.</p> <h2 id="number-of-cookies-set-by-websites"><a href="#number-of-cookies-set-by-websites" class="anchor-link">Number of cookies set by websites</a></h2> <figure id="fig-16"> <div class="table-wrap"> <div class="table-wrap-container"> <table> <thead> <tr> <th>Number of cookies (desktop top one million)</th> <th>First-party</th> <th>Third-party</th> <th>All</th> </tr> </thead> <tbody> <tr> <td>min</td> <td class="numeric">1</td> <td class="numeric">1</td> <td class="numeric">1</td> </tr> <tr> <td>p25</td> <td class="numeric">3</td> <td class="numeric">2</td> <td class="numeric">4</td> </tr> <tr> <td>median</td> <td class="numeric">7</td> <td class="numeric">5</td> <td class="numeric">10</td> </tr> <tr> <td>p75</td> <td class="numeric">13</td> <td class="numeric">17</td> <td class="numeric">24</td> </tr> <tr> <td>p90</td> <td class="numeric">22</td> <td class="numeric">66</td> <td class="numeric">51</td> </tr> <tr> <td>p95</td> <td class="numeric">46</td> <td class="numeric">331</td> <td class="numeric">323</td> </tr> <tr> <td>max</td> <td class="numeric">160</td> <td class="numeric">632</td> <td class="numeric">662</td> </tr> </tbody> </table> </div> </div> <figcaption> <a href="#fig-16" class="anchor-link">Figure 21.16.</a> Statistics for number of cookies set on desktop pages. </figcaption> </figure> <figure id="fig-17"> <div class="table-wrap"> <div class="table-wrap-container"> <table> <thead> <tr> <th>Number of cookies (mobile top one million)</th> <th>First-party</th> <th>Third-party</th> <th>All</th> </tr> </thead> <tbody> <tr> <td>min</td> <td class="numeric">1</td> <td class="numeric">1</td> <td class="numeric">1</td> </tr> <tr> <td>p25</td> <td class="numeric">3</td> <td class="numeric">2</td> <td class="numeric">4</td> </tr> <tr> <td>median</td> <td class="numeric">7</td> <td class="numeric">4</td> <td class="numeric">9</td> </tr> <tr> <td>p75</td> <td class="numeric">12</td> <td class="numeric">18</td> <td class="numeric">24</td> </tr> <tr> <td>p90</td> <td class="numeric">21</td> <td class="numeric">64</td> <td class="numeric">52</td> </tr> <tr> <td>p95</td> <td class="numeric">45</td> <td class="numeric">327</td> <td class="numeric">316</td> </tr> <tr> <td>max</td> <td class="numeric">168</td> <td class="numeric">604</td> <td class="numeric">645</td> </tr> </tbody> </table> </div> </div> <figcaption> <a href="#fig-17" class="anchor-link">Figure 21.17.</a> Statistics for number of cookies set on mobile pages. </figcaption> </figure> <p>Websites set a median of nine or ten cookies of any type overall, seven first-party cookies, and four or five third-party cookies for mobile and desktop clients, respectively. The tables above report several other statistics about the number of cookies observed per website and the figures below display their cumulative distribution functions (cdf). For example: on desktop a maximum of 160 first-party and 632 third-party cookies are set per website.</p> <figure id="fig-18"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/number-cookies-cdf-desktop.png" class=""> <img src="/static/images/2024/cookies/number-cookies-cdf-desktop.png" alt="Number of cookies per website (cdf) for desktop pages." aria-labelledby="fig-18-caption" aria-describedby="fig-18-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1693604543&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1448286433"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/nb_cookies_cdf.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/number-cookies-cdf-desktop.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-18-description" data-show-text="Show description of Figure 21.18" data-hide-text="Hide description of Figure 21.18">Show description of Figure 21.18</button> <div id="fig-18-description" class="hidden">The graph shows the cumulative distribution function for the number of cookies set on desktop pages. We see that more websites have a number of first-party cookies that is closer to the maximum of first-party cookies observed, than for third-party cookies.</div> <figcaption id="fig-18-caption"> <a href="#fig-18" class="anchor-link">Figure 21.18.</a> Number of cookies per website (cdf) for desktop pages. </figcaption> </figure> <figure id="fig-19"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/number-cookies-cdf-mobile.png" class=""> <img src="/static/images/2024/cookies/number-cookies-cdf-mobile.png" alt="Number of cookies per website (cdf) for mobile pages." aria-labelledby="fig-19-caption" aria-describedby="fig-19-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=832068018&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1448286433"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/nb_cookies_cdf.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/number-cookies-cdf-mobile.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-19-description" data-show-text="Show description of Figure 21.19" data-hide-text="Hide description of Figure 21.19">Show description of Figure 21.19</button> <div id="fig-19-description" class="hidden">The graph shows the cumulative distribution function for the number of cookies set on mobile pages. We see that more websites have a number of first-party cookies that is closer to the maximum of first-party cookies observed, than for third-party cookies. Additionally, we observe very similar results for both desktop and mobile websites.</div> <figcaption id="fig-19-caption"> <a href="#fig-19" class="anchor-link">Figure 21.19.</a> Number of cookies per website (cdf) for mobile pages. </figcaption> </figure> <p>We see that more websites have a number of first-party cookies that is closer to the maximum of first-party cookies observed, than for third-party cookies.</p> <h2 id="size-of-cookies"><a href="#size-of-cookies" class="anchor-link">Size of cookies</a></h2> <figure id="fig-20"> <div class="table-wrap"> <div class="table-wrap-container"> <table> <thead> <tr> <th>Size of cookies (desktop top one million) in bytes</th> <th>First-party</th> <th>Third-party</th> <th>All</th> </tr> </thead> <tbody> <tr> <td>min</td> <td class="numeric">1</td> <td class="numeric">1</td> <td class="numeric">1</td> </tr> <tr> <td>p25</td> <td class="numeric">26</td> <td class="numeric">22</td> <td class="numeric">23</td> </tr> <tr> <td>median</td> <td class="numeric">39</td> <td class="numeric">36</td> <td class="numeric">37</td> </tr> <tr> <td>p75</td> <td class="numeric">59</td> <td class="numeric">58</td> <td class="numeric">58</td> </tr> <tr> <td>p90</td> <td class="numeric">148</td> <td class="numeric">114</td> <td class="numeric">128</td> </tr> <tr> <td>p95</td> <td class="numeric">380</td> <td class="numeric">274</td> <td class="numeric">348</td> </tr> <tr> <td>max</td> <td class="numeric">4087</td> <td class="numeric">4094</td> <td class="numeric">4094</td> </tr> </tbody> </table> </div> </div> <figcaption> <a href="#fig-20" class="anchor-link">Figure 21.20.</a> Statistics for size of cookies set on desktop pages. </figcaption> </figure> <figure id="fig-21"> <div class="table-wrap"> <div class="table-wrap-container"> <table> <thead> <tr> <th>Size of cookies (mobile top one million) in bytes</th> <th>First-party</th> <th>Third-party</th> <th>All</th> </tr> </thead> <tbody> <tr> <td>min</td> <td class="numeric">1</td> <td class="numeric">1</td> <td class="numeric">1</td> </tr> <tr> <td>p25</td> <td class="numeric">26</td> <td class="numeric">22</td> <td class="numeric">23</td> </tr> <tr> <td>median</td> <td class="numeric">39</td> <td class="numeric">37</td> <td class="numeric">38</td> </tr> <tr> <td>p75</td> <td class="numeric">59</td> <td class="numeric">59</td> <td class="numeric">59</td> </tr> <tr> <td>p90</td> <td class="numeric">149</td> <td class="numeric">114</td> <td class="numeric">130</td> </tr> <tr> <td>p95</td> <td class="numeric">382</td> <td class="numeric">278</td> <td class="numeric">352</td> </tr> <tr> <td>max</td> <td class="numeric">4086</td> <td class="numeric">4093</td> <td class="numeric">4093</td> </tr> </tbody> </table> </div> </div> <figcaption> <a href="#fig-21" class="anchor-link">Figure 21.21.</a> Statistics for size of cookies set on mobile pages. </figcaption> </figure> <p>This section focuses on the actual size of these cookies. We find that the median size across all cookies observed on desktop during the HTTP Archive crawl of June 2024 is 37 bytes. This median value is consistent across first and third-party cookies as well as clients. The maximal size that we obtain is at about 4K bytes which is consistent with the limits defined in <a hreflang="en" href="https://datatracker.ietf.org/doc/html/rfc6265#section-6.1">RFC 6265</a>. Note that because of the way the HTTP Archive tools work and collect the cookies, if websites try to set cookies larger than the limit of 4K bytes this information would be missing from the data analyzed in this chapter.</p> <p>The smallest cookies that we observe are of a single byte in size, they are likely set by error by empty <code>Set-Cookie</code> headers. Additionally, we also report the cumulative distribution function (cdf) of the size of all the cookies seen on the top one million websites for each client.</p> <p>Most cookies used for tracking have a size greater than <a hreflang="en" href="https://link.springer.com/chapter/10.1007/978-3-319-15509-8_21">35 bytes</a>. The reason for this is that size is related to the tracking capability of cookies: trackers assign identifiers randomly to users in order to be able to re-identify them. So the larger the size (number of bytes) for the identifier, the more unique users they can be assigned to.</p> <figure id="fig-22"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/size-cookies-cdf-desktop-mobile.png" class=""> <img src="/static/images/2024/cookies/size-cookies-cdf-desktop-mobile.png" alt="Size of cookies per website (cdf) for desktop and mobile pages." aria-labelledby="fig-22-caption" aria-describedby="fig-22-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=2005425406&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=1882828646"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/size_cookies_cdf.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/size-cookies-cdf-desktop-mobile.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-22-description" data-show-text="Show description of Figure 21.22" data-hide-text="Hide description of Figure 21.22">Show description of Figure 21.22</button> <div id="fig-22-description" class="hidden">The graph shows the cumulative distribution function for the number of cookies set on desktop and mobile pages. We see a very similar distribution for cookies sizes for both desktop and mobile clients.</div> <figcaption id="fig-22-caption"> <a href="#fig-22" class="anchor-link">Figure 21.22.</a> Size of cookies per website (cdf) for desktop and mobile pages. </figcaption> </figure> <h2 id="persistence-expiration"><a href="#persistence-expiration" class="anchor-link">Persistence (expiration)</a></h2> <figure id="fig-23"> <div class="table-wrap"> <div class="table-wrap-container"> <table> <thead> <tr> <th>Age of cookies (desktop top one million) in days</th> <th>First-party</th> <th>Third-party</th> <th>All</th> </tr> </thead> <tbody> <tr> <td>min</td> <td class="numeric">0</td> <td class="numeric">0</td> <td class="numeric">0</td> </tr> <tr> <td>p25</td> <td class="numeric">1</td> <td class="numeric">30</td> <td class="numeric">30</td> </tr> <tr> <td>median</td> <td class="numeric">183</td> <td class="numeric">365</td> <td class="numeric">365</td> </tr> <tr> <td>p75</td> <td class="numeric">396</td> <td class="numeric">365</td> <td class="numeric">396</td> </tr> <tr> <td>p90</td> <td class="numeric">400</td> <td class="numeric">400</td> <td class="numeric">400</td> </tr> <tr> <td>p95</td> <td class="numeric">400</td> <td class="numeric">400</td> <td class="numeric">400</td> </tr> <tr> <td>max</td> <td class="numeric">400</td> <td class="numeric">400</td> <td class="numeric">400</td> </tr> </tbody> </table> </div> </div> <figcaption> <a href="#fig-23" class="anchor-link">Figure 21.23.</a> Statistics for age of cookies set on desktop pages. </figcaption> </figure> <figure id="fig-24"> <div class="table-wrap"> <div class="table-wrap-container"> <table> <thead> <tr> <th>Age of cookies (mobile top one million) in days</th> <th>First-party</th> <th>Third-party</th> <th>All</th> </tr> </thead> <tbody> <tr> <td>min</td> <td class="numeric">0</td> <td class="numeric">0</td> <td class="numeric">0</td> </tr> <tr> <td>p25</td> <td class="numeric">1</td> <td class="numeric">30</td> <td class="numeric">30</td> </tr> <tr> <td>median</td> <td class="numeric">183</td> <td class="numeric">365</td> <td class="numeric">365</td> </tr> <tr> <td>p75</td> <td class="numeric">396</td> <td class="numeric">365</td> <td class="numeric">390</td> </tr> <tr> <td>p90</td> <td class="numeric">400</td> <td class="numeric">400</td> <td class="numeric">400</td> </tr> <tr> <td>p95</td> <td class="numeric">400</td> <td class="numeric">400</td> <td class="numeric">400</td> </tr> <tr> <td>max</td> <td class="numeric">400</td> <td class="numeric">400</td> <td class="numeric">400</td> </tr> </tbody> </table> </div> </div> <figcaption> <a href="#fig-24" class="anchor-link">Figure 21.24.</a> Statistics for age of cookies set on mobile pages. </figcaption> </figure> <p>After looking into cookie size, let’s now dive into cookie age. Cookies are set to an expiration date when they are created. Recall that session cookies expire immediately after the session is over (<a href="#session">see previous section</a>). The median age of first-party cookies is at about 183 days or roughly 6 months, while the median age of third-party cookies is a full year. After less than one day and thirty days, 25% of first-party and third-party cookies expire, respectively. The maximum age among the cookies that we can observe with the instrumentation and collection of the HTTP Archive Tools is of 400 days, this is aligned with the <a href="https://developer.chrome.com/blog/cookie-max-age-expires">hard limits</a> that Chrome imposes on cookie <code>Expires</code> and <code>Max-Age</code> attribute. Below, are the cumulative distribution functions (cdf) of the age of the cookies set on the top one million websites whether it is on a desktop or mobile client.</p> <figure id="fig-25"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/age-cookies-cdf-desktop-mobile.png" class=""> <img src="/static/images/2024/cookies/age-cookies-cdf-desktop-mobile.png" alt="Age of cookies per website (cdf) for desktop and mobile pages." aria-labelledby="fig-25-caption" aria-describedby="fig-25-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=147680119&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=135614941"> View data </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/age_expires_cookies_cdf.sql"> View query </a> </li> <li> <a href="/static/images/2024/cookies/age-cookies-cdf-desktop-mobile.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-25-description" data-show-text="Show description of Figure 21.25" data-hide-text="Hide description of Figure 21.25">Show description of Figure 21.25</button> <div id="fig-25-description" class="hidden">The graph shows the cumulative distribution function for the age of cookies set on desktop and mobile pages. About 45% of cookies expire after 90 days. We find the same results for both mobile and desktop clients. Additionally, 75% of cookies have a lifespan of maximum 1 year, while the other half remain stored in the browser for longer than a year. We see a very similar distribution for cookies sizes for both desktop and mobile clients.</div> <figcaption id="fig-25-caption"> <a href="#fig-25" class="anchor-link">Figure 21.25.</a> Age of cookies per website (cdf) for desktop and mobile pages. </figcaption> </figure> <p>From the graph, we deduce that about 45 % of cookies expire after 90 days. We find the same results for both mobile and desktop clients. Additionally, 75% of cookies have a lifespan of maximum 1 year, while the other half remain stored in the browser for longer than a year. In theory, the longer the lifespan of the cookies, the longer that they can re-identify a recurring user. For this reason, most tracking cookies are typically stored in the browser for a longer time.</p> <h2 id="privacy-sandbox-initiative"><a href="#privacy-sandbox-initiative" class="anchor-link">Privacy Sandbox initiative</a></h2> <p>In <a hreflang="en" href="https://blog.google/products/chrome/building-a-more-private-web/">2019</a>, Google announced the launch of the <a hreflang="en" href="https://developers.google.com/privacy-sandbox">Privacy Sandbox</a> initiative to reduce cross-site (web) and cross-app (Android) tracking while retaining utility for advertising and other use cases that historically have relied on third-party cookies and other tracking mechanisms.</p> <h3 id="what-is-the-privacy-sandbox-initiative"><a href="#what-is-the-privacy-sandbox-initiative" class="anchor-link">What is the Privacy Sandbox initiative?</a></h3> <p>The Privacy Sandbox is composed of more than <a hreflang="en" href="https://privacysandbox.com">20 different proposals</a> that aim to diminish the use of unique identifiers, limiting covert tracking, fighting spam and fraud, showing relevant ads to users, and measuring ad conversions.</p> <p>Part of Google’s initial plan with the Privacy Sandbox was to deprecate third-party cookies, but in <a hreflang="en" href="https://privacysandbox.com/news/privacy-sandbox-update">recent updates</a> Google announced that this was not their intention anymore and that they would rather introduce a “new experience in Chrome that lets people make an informed choice that applies across their web browsing”. At the same time, Google will “continue to make the Privacy Sandbox APIs available and invest in them to further improve privacy and utility”.</p> <p>We partnered with the <a href="./privacy">Privacy</a> chapter of the Web Almanac 2024 to measure adoption of the Privacy Sandbox APIs on the websites visited by the HTTP Archive crawl and will defer interested readers to their chapter for the analysis of the results. Next, we present an overview of the proposed mechanisms that are part of the Privacy Sandbox and aim at replacing a capability provided by cookies so far.</p> <h3 id="topics-api"><a href="#topics-api" class="anchor-link">Topics API</a></h3> <p>The <a href="https://developers.google.com/privacy-sandbox/private-advertising/topics/web">Topics API</a> enables interest-based advertising, without using third-party cookies. The API allows callers (such as ad tech platforms) to access topics of interest that they have observed for a user, but without revealing additional information about the user’s activity.</p> <p>See the <a href="./privacy">Privacy</a> chapter for some results about the adoption of the Topics API.</p> <h3 id="protected-audience"><a href="#protected-audience" class="anchor-link">Protected Audience</a></h3> <p>The <a href="https://developers.google.com/privacy-sandbox/private-advertising/protected-audience">Protected Audience API</a> enables on-device ad auctions to serve remarketing and custom audiences, without cross-site third-party tracking. Advertisers can add users to interest groups that are saved by the browser while users are navigating on the web. This allows advertisers to perform retargeted advertising by bidding on the available interest groups the user is part of when they visit a website where an ad auction is performed.</p> <p>See the <a href="./privacy">Privacy</a> chapter for some results about the adoption of the Protected Audience API.</p> <h3 id="attribution-reporting-api"><a href="#attribution-reporting-api" class="anchor-link">Attribution Reporting API</a></h3> <p>The <a href="https://developers.google.com/privacy-sandbox/private-advertising/attribution-reporting">Attribution Reporting API</a> allows websites and third parties to measure ad conversion, i.e., when a view or a click on an advertisement leads later for example to a purchase. The Attribution Reporting API aims to enable measurement of ad conversion but without the use of cross-site identifiers and cookies.</p> <p>See the <a href="./privacy">Privacy</a> chapter for some results about the adoption of the Attribution Reporting API.</p> <h3 id="chips"><a href="#chips" class="anchor-link">CHIPS</a></h3> <p><a href="https://developers.google.com/privacy-sandbox/cookies/chips">Cookies Having Independent Partitioned State (CHIPS)</a> allow web developers to specify that they would like the cookies that they are setting to be saved in a partitioned storage, i.e., in a separate cookie jar per top-level site. CHIPS cookies correspond to the partitioned cookies discussed previously in this chapter, in the <a href="#partitioned">partitioned</a> section.</p> <h3 id="related-website-sets"><a href="#related-website-sets" class="anchor-link">Related Website Sets</a></h3> <p><a href="https://developers.google.com/privacy-sandbox/cookies/related-website-sets">Related Website Sets</a> allow websites from the same owner to share cookies among themselves. The creation and submission of a Related Website Set is done at the moment through opening a pull request on a <a hreflang="en" href="https://github.com/GoogleChrome/related-website-sets">GitHub repository</a> that Google employees check and merge if deemed valid. Websites that belong to the same related website set must also indicate it by placing a corresponding file at the <a hreflang="en" href="https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml">.well-known URI</a> <code>/.well-known/related-website-set.json</code>.</p> <figure id="fig-26"> <div class="figure-wrapper"> <div class="big-number">64</div> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=199073475"> View data </a> </li> </ul> </div> </div> <figcaption id="fig-26-caption"> <a href="#fig-26" class="anchor-link">Figure 21.26.</a> Number of related primary website sets validated by Google at the time of writing. </figcaption> </figure> <p>Chrome ships with a preloaded file containing related website sets validated by the Chrome team; at the moment of writing (version <code>2024.8.10.0</code>), there are 64 distinct related website sets. Each related website set contains a primary domain and a list of other domains related to the primary one below one of the following attributes: <code>associatedSites</code>, <code>servicesSites</code>, and/or <code>ccTLDs</code>. These 64 primary domains are each associated with secondary domains as part of their set: 60 sets contain <code>associatedSites</code>, 11 <code>servicesSites</code>, and 7 <code>ccTLDs</code>. We report on the following figure the number of secondary domains for each set. We observe that if a majority of the primary domains are associated with 5 or less secondary domains, <code>https://journaldesfemmes.com</code>, <code>https://ya.ru</code>, and <code>https://mercadolibre.com</code> are linked to 8, 17, and 39 secondary domains among which third party requests are handled as if they were all from the first party, respectively.</p> <figure id="fig-27"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/secondary-domains.png" class=""> <img src="/static/images/2024/cookies/secondary-domains.png" alt="Secondary domains per primary domain." aria-labelledby="fig-27-caption" aria-describedby="fig-27-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=914391662&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=199073475"> View data </a> </li> <li> <a href="/static/images/2024/cookies/secondary-domains.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-27-description" data-show-text="Show description of Figure 21.27" data-hide-text="Hide description of Figure 21.27">Show description of Figure 21.27</button> <div id="fig-27-description" class="hidden">The graph shows secondary domains associated to primary domains for Related Website Sets, which is part of Google’s Privacy Sandbox. We observe that if a majority of the primary domains are associated with 5 or less secondary domains, <code>https://journaldesfemmes.com</code>, <code>https://ya.ru</code>, and <code>https://mercadolibre.com</code> are linked to 8, 17, and 39 secondary domains among which third party requests are handled as if they were all from the first party, respectively.</div> <figcaption id="fig-27-caption"> <a href="#fig-27" class="anchor-link">Figure 21.27.</a> Secondary domains per primary domain. </figcaption> </figure> <h3 id="attestation-file"><a href="#attestation-file" class="anchor-link">Attestation file</a></h3> <p>In order to use some of the Privacy Sandbox APIs, API callers have to go through an <a href="https://developers.google.com/privacy-sandbox/private-advertising/enrollment">enrollment</a> process to declare that they will not abuse these APIs for cross-site re-identification, but only for their intended use cases. The legal implications of this commitment if not respected is quite unclear, but this allows these callers to obtain an attestation file that must be placed at the <code>.well-known</code> URI <code>/.well-know/privacy-sandbox-attestations.json</code> on the domain they registered to call these APIs from.</p> <p>Chrome ships with a preloaded file containing a list of domains that have an attestation file registered. Currently, this list contains 257 distinct domains (version <code>2024.10.7.0</code>) that have enrolled to call the following APIs: Attribution Reporting, Protected App Signals (Android only), Private Aggregation (Chrome only), Protected Audience, Shared Storage (Chrome only), and Topics.</p> <p>We used a <a hreflang="en" href="https://github.com/privacysandstorm/well-known-crawler">custom crawler</a> separate from the HTTP Archive tools to obtain and parse these attestation files. We successfully retrieved attestation files for 232 distinct domains with that crawler (some attestation files may be available but not obtained by this crawler due to networking issues for example). Next, we report the proportion of domains that are enrolled for each API on Chrome and Android. We observe that the majority of these origins are enrolled to call one of the five Chrome APIs requiring an attestation while the proportion is way less for the Android APIs.</p> <figure id="fig-28"> <div class="figure-wrapper"> <a href="/static/images/2024/cookies/attestation-files.png" class=""> <img src="/static/images/2024/cookies/attestation-files.png" alt="Enrollment from Privacy Sandbox APIs attestation files." aria-labelledby="fig-28-caption" aria-describedby="fig-28-description" width="600" height="371" data-width="600" data-height="371" data-seamless="" data-frameborder="0" data-scrolling="no" data-iframe="https://docs.google.com/spreadsheets/d/e/2PACX-1vTLO9Te80QewkuPKnz6eJ7OFcU5q3fZMsdqv7cEncBKrL5zcsIN9sMMg5HQT7ndKze8JJNe-V1IkB-9/pubchart?oid=1570607827&format=interactive" loading="lazy"> </a> <div class="figure-dropdown nav-dropdown"> <button type="button" class="nav-dropdown-btn js-enable hidden" disabled aria-expanded="false" title="Explore the results"> <span class="visually-hidden">Explore the results</span> <svg aria-hidden="true" width="1em" height="1em" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" /> </svg> </button> <ul class="figure-dropdown-list nav-dropdown-list floating-card hidden"> <li> <a href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/#gid=2119972682"> View data </a> </li> <li> <a href="/static/images/2024/cookies/attestation-files.png"> View image </a> </li> </ul> </div> </div> <button type="button" class="fig-description-button novisibility-until-js" aria-expanded="false" aria-controls="fig-28-description" data-show-text="Show description of Figure 21.28" data-hide-text="Hide description of Figure 21.28">Show description of Figure 21.28</button> <div id="fig-28-description" class="hidden">257 domains have already enrolled for Google’s Privacy Sandbox and are part of the attestation file. The graph shows the proportion of domains that are enrolled for each API on Chrome and Android. We observe that the majority of these origins are enrolled to call one of the five Chrome APIs requiring an attestation while the proportion is way less for the Android APIs.</div> <figcaption id="fig-28-caption"> <a href="#fig-28" class="anchor-link">Figure 21.28.</a> Enrollment from Privacy Sandbox APIs attestation files. </figcaption> </figure> <h2 id="conclusion"><a href="#conclusion" class="anchor-link">Conclusion</a></h2> <p>In this chapter, we report on the use of cookies on the web. Our analysis allows us to answer multiple questions:</p> <p><strong>Which type of cookies is set by websites?</strong></p> <p>We find that the majority of cookies on the web (61%) are third-party. Moreover, more popular websites set significantly more third-party cookies, presumably because they generally include more third-party content. Additionally, we observe that about 6% of third-party cookies are partitioned (CHIPS). Partitioned cookies cannot be used for third-party tracking given that the cookie jar is separate for each website (domain) that the user visits. However, we find that partitioned cookies are predominantly set by advertising domains and are used for analytics.</p> <p><strong>Which cookie attributes are set?</strong></p> <p>Out of all cookies set, 16% of first-party cookies and only 4% of third-party cookies are session cookies. The remainder of the cookies are more persistent since they are not deleted when the user closes the browser. Generally, the average lifetime of cookies (the median) is 6 months for first-party and 1 year for third-party cookies.</p> <p>Furthermore, for 100% of third-party cookies the <code>SameSite</code> attribute is explicitly set to <code>None</code>, which allows these cookies to be included in cross-site requests and therefore to track users with them.</p> <p><strong>Who sets cookies and what are they used for?</strong></p> <p>The top first-party cookies are mainly used for analytics. Google Analytics, whose primary function is to report on the use of websites by users i.e, first-party analytics, is prevalent on at least 60% of websites. Meta follows its footsteps, by setting first-party cookies on 25% websites.</p> <p>Third-party cookies also predominantly set by Google: <code>doubleclick.net</code> sets a cookie on 44% of websites. Other top trackers have a considerably smaller reach of 8-12% of websites. In general, the most popular third-party cookies belong predominantly to the targeted advertising category.</p> <p>We conclude the chapter with an overview of the Privacy Sandbox, which aims to replace third-party cookies altogether, and refer to the <a href="./privacy">Privacy</a> chapter for more results.</p> </article> <div class="chapter-links"> <h2 id="explore-results"> <a href="#explore-results" class="anchor-link"> Explore the results </a> </h2> <a class="alt btn" hreflang="en" href="https://docs.google.com/spreadsheets/d/1wDGnUkO0rgcU5_V6hmUrhm1pq60VU2XbeMHgYJEEaSM/"> <svg width="18" height="18" role="img" aria-hidden="true"> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#bar-chart-logo"></use> </svg> View results </a> <a class="alt btn" hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/tree/main/sql/2024/cookies/"> <svg width="18" height="18" role="img" aria-hidden="true"> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#sql-logo"></use> </svg> View queries </a> <a class="alt btn" hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/issues/new?assignees=&labels=bug%2C+writing&title=Issue+with+the+2024+cookies+chapter"> <svg width="19" height="18" role="img" aria-hidden="true"> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#github-logo"></use> </svg> Suggest edit </a> <a class="alt btn" hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/issues/923/"> <svg width="18" height="18" role="img" aria-hidden="true"> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#globe-logo"></use> </svg> Help translate </a> </div> <section class="webmentions js-enable hidden"> <div id="reactions" class="no-reactions"> <h2> <a href="#reactions" class="anchor-link">Reactions</a> </h2> <div class="reactions" data-source="View source"> <div class="reaction-tabs" role="tablist" aria-label="reactions"> <button id="likes-tab" role="tab" aria-selected="true" aria-controls="likes-panel" tabindex="0" class="no-reactions"> <span id="likes-count">0</span> <span id="likes-label" data-singular="like" data-plural="likes" data-plural-alt="">likes</span> </button> <button id="reposts-tab" role="tab" aria-selected="false" aria-controls="reposts-panel" tabindex="-1" class="no-reactions"> <span id="reposts-count">0</span> <span id="reposts-label" data-singular="repost" data-plural="reposts" data-plural-alt="">reposts</span> </button> <button id="replies-tab" role="tab" aria-selected="false" aria-controls="replies-panel" tabindex="-1" class="no-reactions"> <span id="replies-count">0</span> <span id="replies-label" data-singular="reply" data-plural="replies" data-plural-alt="">replies</span> </button> <button id="mentions-tab" role="tab" aria-selected="false" aria-controls="mentions-panel" tabindex="-1" class="no-reactions"> <span id="mentions-count">0</span> <span id="mentions-label" data-singular="mention" data-plural="mentions" data-plural-alt="">mentions</span> </button> </div> <div id="likes-panel" role="tabpanel" tabindex="0" aria-labelledby="likes-tab"> </div> <div id="reposts-panel" role="tabpanel" tabindex="0" aria-labelledby="reposts-tab" hidden> </div> <div id="replies-panel" role="tabpanel" tabindex="0" aria-labelledby="replies-tab" hidden> </div> <div id="mentions-panel" role="tabpanel" tabindex="0" aria-labelledby="mentions-tab" hidden> </div> </div> </div> </section> <section class="authors"> <h2 id="authors"> <a href="#authors" class="anchor-link"> Authors </a> </h2> <ul> <li> <div aria-hidden="true"> <a href="/en/2024/contributors#yohhaan" tabindex="-1"> <img class="avatar" alt="Yohan Beugin avatar" src="https://avatars.githubusercontent.com/u/32905060?v=4&s=200" height="200" width="200" loading="lazy"> </a> </div> <div class="info"> <a href="/en/2024/contributors#yohhaan"><span class="name">Yohan Beugin</span></a> <div class="social"> <a class="github" href="https://github.com/yohhaan" aria-labelledby="author-yohhaan-github"> <svg width="22" height="20"> <title id="author-yohhaan-github">yohhaan on GitHub</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#github-logo"></use> </svg> yohhaan </a> <a class="website" href="https://yohan.beugin.org" aria-labelledby="author-yohhaan-website"> <svg width="22" height="22"> <title id="author-yohhaan-website">Yohan Beugin website</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#globe-logo"></use> </svg> https://yohan.beugin.org </a> </div> <div class="bio"> Yohan Beugin is a Ph.D. student in the Department of Computer Sciences at the University of Wisconsin鈥揗adison where he is a member of the Security and Privacy Research Group and advised by Prof. Patrick McDaniel. He is interested in building more secure, privacy-preserving, and trustworthy systems. His current research so far has focused on tracking and privacy in online advertising. </div> </div> </li> <li> <div aria-hidden="true"> <a href="/en/2024/contributors#samdutton" tabindex="-1"> <img class="avatar" alt="Sam Dutton avatar" src="https://avatars.githubusercontent.com/u/205226?v=4&s=200" height="200" width="200" loading="lazy"> </a> </div> <div class="info"> <a href="/en/2024/contributors#samdutton"><span class="name">Sam Dutton</span></a> <div class="social"> <a class="twitter" href="https://x.com/sw12" aria-labelledby="author-samdutton-twitter"> <svg width="22" height="22" role="img"> <title id="author-samdutton-twitter">@sw12 on Twitter/X</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#twitter-logo"></use> </svg> @sw12 </a> <a class="github" href="https://github.com/samdutton" aria-labelledby="author-samdutton-github"> <svg width="22" height="20"> <title id="author-samdutton-github">samdutton on GitHub</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#github-logo"></use> </svg> samdutton </a> <a class="website" href="https://simpl.info" aria-labelledby="author-samdutton-website"> <svg width="22" height="22"> <title id="author-samdutton-website">Sam Dutton website</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#globe-logo"></use> </svg> https://simpl.info </a> </div> <div class="bio"> Sam Dutton is a Developer Advocate with the Privacy Sandbox team at Google, focused on helping sites migrate away from relying on third-party cookies. Sam grew up in South Australia, went to university in Sydney, and has lived since 1986 in London. He previously worked as a software engineer at BBC R&D and ITN, as a typesetter for Decca Records, and as a researcher at Picador Books. </div> </div> </li> <li> <div aria-hidden="true"> <a href="/en/2024/contributors#ydimova" tabindex="-1"> <img class="avatar" alt="Yana Dimova avatar" src="/static/images/avatars/11.jpg" height="200" width="200" loading="lazy"> </a> </div> <div class="info"> <a href="/en/2024/contributors#ydimova"><span class="name">Yana Dimova</span></a> <div class="social"> <a class="github" href="https://github.com/ydimova" aria-labelledby="author-ydimova-github"> <svg width="22" height="20"> <title id="author-ydimova-github">ydimova on GitHub</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#github-logo"></use> </svg> ydimova </a> </div> <div class="bio"> Yana Dimova is a PhD student at DistriNet, KU Leuven, focusing on the user’s perspective of privacy and how they can protect it on the web. Her research interests are online tracking, personal data leaks and privacy and data protection law. </div> </div> </li> </ul> </section> <section class="citation-box"> <h2 id="cite"> <a href="#cite" class="anchor-link">Citation</a> </h2> <details> <summary>BibTeX</summary> <pre id="bibtex-citation"> @inbook{WebAlmanac.2024.Cookies, author = "Beugin, Yohan and Dutton, Sam and Dimova, Yana and Merewood, Rowan and Pollard, Barry", title = "Cookies", booktitle = "The 2024 Web Almanac", chapter = 21, publisher = "HTTP Archive", year = "2024", language = "English", doi = "10.5281/zenodo.14065903", url = "https://almanac.httparchive.org/en/2024/cookies" }</pre> </details> </section> <div id="cta-container" class="invisible"> <a class="alt btn chapter-cta comment-cta webmentions-cta hidden" href="#reactions"> <svg width="22" height="22" role="img" aria-hidden="true"> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#comment-logo"></use> </svg> <span class="num-reactions"></span> <span class="reactions-label" data-singular="reaction" data-plural="reactions" data-plural-alt="">Reactions</span> </a> <button class="alt btn chapter-cta share-cta hidden"> <svg width="22" height="22" role="img" aria-hidden="true" class="apple-icon hidden"> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#share-apple-logo"></use> </svg> <svg width="22" height="22" role="img" aria-hidden="true" class="android-icon"> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#share-android-logo"></use> </svg> Share </button> </div> <nav aria-label="Previous and next chapter navigation" id="chapter-navigation"> <a id="previous-chapter" title="Previous Chapter (press 'p' or ',')" href="/en/2024/cdn"> <span class="arrow" aria-hidden="true">⌃</span> <span class="chapter-no"> Chapter 19 </span> <span class="chapter-title"> CDN </span> </a> </nav> </div> </main> </div> <footer id="footer" class="alt-bg"> <div class="container"> <div class="home-logo"> <a class="navigation-logo" href="/en/2024/"> <span class="wa">Web Almanac</span> <span class="line-group"> <span class="pre">By</span> <span class="ha">HTTP Archive</span> </span> </a> </div> <hr> <nav id="footer-nav-items" aria-label="Footer navigation" class="nav-items"> <ul> <li><a href="/en/2024/contributors">Contributors</a></li> <li><a href="/en/2024/methodology">Methodology</a></li> <li> <a class="nav-dropdown-btn js-hide" href="/en/search">Search</a> <div class="nav-dropdown footer search-nav js-enable hidden"> <button type="button" class="nav-dropdown-btn search-button" aria-expanded="false"> Search </button> <ul class="nav-dropdown-list align-right hidden footer-search"> <li class="nav-dropdown-list-part"> <form action="/en/search"> <label for="footer-search-box" class="visually-hidden">Search</label> <input id="footer-search-box" class="search-input" type="search" name="q" placeholder="Search" title="Search" aria-label="Search"> <button class="search-button" type="submit"> <svg width="13" height="13" role="img" aria-labelledby="footer-search-icon"> <title id="footer-search-icon">Search</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#search-logo"></use> </svg> </button> </form> </li> </ul> </div> </li> <li> <a class="nav-dropdown-btn js-hide" href="/en/2024/table-of-contents">Table of Contents</a> <div class="nav-dropdown footer table-of-contents js-enable hidden"> <button type="button" class="nav-dropdown-btn" aria-expanded="false" aria-label="Table of Contents" > Table of Contents </button> <ul class="nav-dropdown-list hidden footer-list"> <li class="nav-dropdown-list-part"> <a href="/en/2024/">Home</a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents">Table of Contents</a> </li> <li class="nav-dropdown-list-chapter foreword"> <a href="/en/2024/table-of-contents#foreword">Foreword</a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-1">Part I. Page Content</a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 1: CSS</span> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 2: JavaScript</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/markup"> Chapter 3: Markup </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/structured-data"> Chapter 4: Structured Data </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/fonts"> Chapter 5: Fonts </a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 6: Media</span> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 7: WebAssembly</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/third-parties"> Chapter 8: Third Parties </a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-2">Part II. User Experience</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/seo"> Chapter 9: SEO </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/accessibility"> Chapter 10: Accessibility </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/performance"> Chapter 11: Performance </a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 12: Privacy</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/security"> Chapter 13: Security </a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-3">Part III. Content Publishing</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/cms"> Chapter 14: CMS </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/ecommerce"> Chapter 15: Ecommerce </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/jamstack"> Chapter 16: Jamstack </a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/sustainability"> Chapter 17: Sustainability </a> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#part-4">Part IV. Content Distribution</a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 18: Page Weight</span> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/cdn"> Chapter 19: CDN </a> </li> <li class="nav-dropdown-list-chapter"> <span class="nav-dropdown-list-todo">Chapter 20: HTTP</span> </li> <li class="nav-dropdown-list-chapter nav-dropdown-list-current"> <span> Chapter 21: Cookies </span> </li> <li class="nav-dropdown-list-part"> <a href="/en/2024/table-of-contents#appendices">Appendices</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/methodology">Methodology</a> </li> <li class="nav-dropdown-list-chapter"> <a href="/en/2024/contributors">Contributors</a> </li> <li class="nav-dropdown-list-part"> <a href="/en/search">Search</a> </li> </ul> </div> </li> <li> <div class="nav-dropdown footer"> <button type="button" class="nav-dropdown-btn js-enable" disabled aria-expanded="false" aria-label="Year Switcher">2024</button> <ul class="nav-dropdown-list hidden footer-list"> <li class="unsupported-year"> <a href="/en/2022/">2022 Home</a> </li> <li class="unsupported-year"> <a href="/en/2021/">2021 Home</a> </li> <li class="unsupported-year"> <a href="/en/2020/">2020 Home</a> </li> <li class="unsupported-year"> <a href="/en/2019/">2019 Home</a> </li> </ul> </div> </li> <li> <div class="nav-dropdown footer"> <button type="button" class="nav-dropdown-btn js-enable" disabled aria-expanded="false" aria-label="Language Switcher" >English</button> <ul class="nav-dropdown-list hidden footer-list"> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org/wiki/Translators'-Guide"><em>Help translate</em></a> </li> </ul> </div> </li> </ul> </nav> <nav id="mobile-footer-nav-items" aria-label="Footer navigation" class="nav-items"> <ul> <li><a href="/en/2024/contributors">Contributors</a></li> <li><a href="/en/2024/methodology">Methodology</a></li> <li> <form class="search-nav" action="/en/search"> <label for="mobile-footer-search-box" class="visually-hidden">Search</label> <input id="mobile-footer-search-box" class="search-input" type="search" name="q" placeholder="Search" title="Search" aria-label="Search"> <button class="search-button" type="submit"> <svg width="13" height="13" role="img" aria-labelledby="mobile-footer-search-icon"> <title id="mobile-footer-search-icon">Search</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#search-logo"></use> </svg> </button> </form> </li> <li> <a class="js-hide" href="/en/2024/table-of-contents">Table of Contents</a> <div class="table-of-contents-switcher js-enable hidden"> <label for="table-of-contents-switcher-mobile-footer" class="visually-hidden"> Table of Contents Switcher </label> <select id="table-of-contents-switcher-mobile-footer" data-label="toc-menu-mobile"> <option value="/en/2024/">Home</option> <option value="/en/2024/table-of-contents">Table of Contents</option> <option value="/en/2024/table-of-contents#foreword">Foreword</option> <option disabled> Chapter 1: CSS </option> <option disabled> Chapter 2: JavaScript </option> <option value="/en/2024/markup"> Chapter 3: Markup </option> <option value="/en/2024/structured-data"> Chapter 4: Structured Data </option> <option value="/en/2024/fonts"> Chapter 5: Fonts </option> <option disabled> Chapter 6: Media </option> <option disabled> Chapter 7: WebAssembly </option> <option value="/en/2024/third-parties"> Chapter 8: Third Parties </option> <option value="/en/2024/seo"> Chapter 9: SEO </option> <option value="/en/2024/accessibility"> Chapter 10: Accessibility </option> <option value="/en/2024/performance"> Chapter 11: Performance </option> <option disabled> Chapter 12: Privacy </option> <option value="/en/2024/security"> Chapter 13: Security </option> <option value="/en/2024/cms"> Chapter 14: CMS </option> <option value="/en/2024/ecommerce"> Chapter 15: Ecommerce </option> <option value="/en/2024/jamstack"> Chapter 16: Jamstack </option> <option value="/en/2024/sustainability"> Chapter 17: Sustainability </option> <option disabled> Chapter 18: Page Weight </option> <option value="/en/2024/cdn"> Chapter 19: CDN </option> <option disabled> Chapter 20: HTTP </option> <option disabled selected value="/en/2024/cookies"> Chapter 21: Cookies </option> <option value="/en/2024/methodology"> Methodology </option> <option value="/en/2024/contributors"> Contributors </option> <option value="/en/search"> Search </option> </select> </div> </li> <li> <div class="year-switcher js-show"> <label for="year-switcher-mobile-footer" class="visually-hidden">Year Switcher</label> <select id="year-switcher-mobile-footer"> <option selected="selected" value="/en/2024/cookies"> 2024 </option> <option value="/en/2022/"> 2022 Home </option> <option value="/en/2021/"> 2021 Home </option> <option value="/en/2020/"> 2020 Home </option> <option value="/en/2019/"> 2019 Home </option> </select> </div> </li> <li> <div class="language-switcher js-show"> <label for="language-switcher-mobile-footer" class="visually-hidden">Language Switcher</label> <select id="language-switcher-mobile-footer"> <option selected="selected" lang="en" value="/en/2024/cookies"> English </option> <hr> <option value="https://github.com/HTTPArchive/almanac.httparchive.org/wiki/Translators'-Guide"> Help translate </option> </select> </div> </li> </ul> </nav> <div id="footer-mobile-social-media" class="mobile-ha-social-media"> <a class="ha-logo" href="https://httparchive.org/" aria-labelledby="httparchive-logo-footer-mobile"> <svg width="70" height="35" role="img"> <title id="httparchive-logo-footer-mobile">HTTP Archive home</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#ha-logo"></use> </svg> </a> <ul class="social-media"> <li> <a href="https://x.com/HTTPArchive" aria-labelledby="twitter-logo-footer-mobile"> <svg width="20" height="20" role="img"> <title id="twitter-logo-footer-mobile">Twitter</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#twitter-logo"></use> </svg> </a> </li> <li> <a href="https://bsky.app/profile/httparchive.org" aria-labelledby="bluesky-logo-footer-mobile"> <svg width="20" height="20" role="img"> <title id="bluesky-logo-footer-mobile">Bluesky</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#bluesky-logo"></use> </svg> </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org" rel="me" aria-labelledby="github-logo-footer-mobile"> <svg width="22" height="20" role="img"> <title id="github-logo-footer-mobile">GitHub</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#github-logo"></use> </svg> </a> </li> </ul> </div> <hr> <p class="copyright"> <span>漏 Web Almanac. Licensed under <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/blob/main/LICENSE">Apache 2.0</a>.</span> <br> <a class="accessibility-statement" href="/en/accessibility-statement">Accessibility Statement</a> <span class="footer-bullet">&bullet;</span> <a class="rss-feed" href="/en/rss.xml">RSS Feed</a> </p> <a class="ha-logo not-mobile" href="https://httparchive.org/" aria-labelledby="ha-logo-footer"> <svg width="70" height="35" role="img"> <title id="ha-logo-footer">HTTP Archive home</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#ha-logo"></use> </svg> </a> <ul class="social-media not-mobile"> <li> <a href="https://x.com/HTTPArchive" aria-labelledby="twitter-logo-footer"> <svg width="20" height="20" role="img"> <title id="twitter-logo-footer">Twitter</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#twitter-logo"></use> </svg> </a> </li> <li> <a href="https://bsky.app/profile/httparchive.org" aria-labelledby="bluesky-logo-footer"> <svg width="20" height="20" role="img"> <title id="bluesky-logo-footer">Bluesky</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#bluesky-logo"></use> </svg> </a> </li> <li> <a href="https://github.com/HTTPArchive/almanac.httparchive.org" rel="me" aria-labelledby="github-logo-footer"> <svg width="22" height="20" role="img"> <title id="github-logo-footer">GitHub</title> <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#github-logo"></use> </svg> </a> </li> </ul> </div> </footer> <script async src="/static/js/almanac.js?v=1830c897b7a91e8f3ba7a8c08e07540d" nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"></script> <script defer src="/static/js/webmentions.js?v=dbb31a967a22e06b6c1bb62d7a9ff9a0" nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"></script> <script async src="https://www.googletagmanager.com/gtag/js?id=G-PQ5N2MZG5M" nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"></script> <link rel="preconnect" href="https://www.google-analytics.com"> <script defer src="/static/js/web-vitals.js?v=f6f30f40e7d014a2d38f1362c5eb6244" nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"></script> <script defer src="/static/js/send-web-vitals.js?v=b7224f484fe762e075d4838286ddb066" nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"></script> <script type="speculationrules" nonce="b8KvVH8Y-81GrbK28KoRnoygpUBdyOTP"> { "prerender": [ { "source": "document", "where": { "and": [ {"href_matches": "/*"}, {"not": {"href_matches": "/static/*"}} ] }, "eagerness": "moderate" } ] } </script> </body> </html>

CINXE.COM

Cookies | 2024 | The Web Almanac by HTTP Archive