For an extension to use this API, it must specify the"cookies"API permission in itsmanifest.json file andhost permissions for any sites whose cookies it wants to access. The extension can get, set, or remove any cookies that can be read, written, or deleted by a URL matching the host permissions. For example:

http://*.example.com/

An extension with this host permission can:

• Read a non-secure cookie forwww.example.com with any path.
• Write a secure or non-secure cookie forwww.example.com with any path.

It cannot:

• Read a secure cookie forwww.example.com.

http://www.example.com/

An extension with this host permission can:

• Read a non-secure cookie forwww.example.com with any path.
• Read a non-secure cookie for.example.com with any path.
• Write a secure or non-secure cookie forwww.example.com with any path.
• Write a secure or non-secure cookie for.example.com with any path.

It cannot:

• Read or write a cookie forfoo.example.com.
• Read or write a cookie forfoo.www.example.com.

*://*.example.com/

An extension with this host permission can:

• Read or write a secure or non-secure cookie forwww.example.com with any path.

Trackers use third-party cookies, that is, cookies set by a website other than the one you are on, to identify the websites you visit. For example:

1. You visita-shopping-site.com, which usesad-tracker.com to deliver its adverts on the web.ad-tracker.com sets a cookie associated with thead-tracker.com domain. While you are ona-shopping-site.com,ad-tracker.com receives information about the products you browse.
2. You now visita-news-site.com that usesad-tracker.com to deliver adverts.ad-tracker.com read its cookie and use the information collected froma-shopping-site.com to decide which adverts to display to you.

Firefox includes two features to prevent tracking:dynamic partitioning andfirst-party isolation. These features separate cookies so that trackers cannot make an association between websites visited. So, in the preceding example,ad-tracker.com cannot see the cookie created ona-news-site.com when visitinga-shopping-site.com.

From Firefox 103, dynamic partitioning is the default feature used. However, if the user or an extension turns on first-party isolation, it takes precedence over dynamic partitioning.

When usingdynamic partitioning, Firefox partitions the storage accessible to JavaScript APIs by top-level site while providing appropriate access to unpartitioned storage to enable common use cases. This feature is being rolled out progressively. SeeStatus of partitioning in Firefox, for implementation details.

Storage partitions are keyed by the schemeful URL of the top-levelwebsite and, when dynamic partitioning is active, the key value is available through thepartitionKey.topLevelSite property in the cookies API, for example,partitionKey: {topLevelSite: "http://site"}.

Generally, top-level documents are in unpartitioned storage, while third-party iframes are in partitioned storage. If a partition key cannot be determined, the default (unpartitioned storage) is used. For example, while all HTTP(S) sites can be used as a partition key,moz-extension:- URLs cannot. Therefore, iframes in Firefox's extension documents do not use partitioned storage.

By default,cookies.get(),cookies.getAll(),cookies.set(), andcookies.remove() work with cookies in unpartitioned storage. To work with cookies in partitioned storage in these APIs,topLevelSite inpartitionKey must be set. The exception isgetAll, where settingpartitionKey withouttopLevelSite returns cookies in partitioned and unpartitioned storage.cookies.onChanged fires for any cookie that the extension can access, including cookies in partitioned storage. To ensure that the correct cookie is modified, extensions should read thecookie.partitionKey property from the event and pass its value tocookies.set() andcookies.remove().

When first-party isolation is on, cookies are qualified by the domain of the original page the user visited (essentially, the domain shown to the user in the URL bar, also known as the "first-party domain").

First-party isolation can be enabled by the user by adjusting the browser's configuration and set by extensions using thefirstPartyIsolate setting in theprivacy API. Note that first-party isolation is enabled by default inTor Browser.

Thecookies API represents the first-party domain using thefirstPartyDomain attribute. All cookies set while first-party isolation is on have this attribute set to the domain of the original page. In the preceding example, this isa-shopping-site.com for one cookie anda-news-site.com for the other. When first-party isolation is off, all cookies set by websites have this property set to an empty string.

Thecookies.get(),cookies.getAll(),cookies.set() andcookies.remove() APIs all accept afirstPartyDomain option.

When first-party isolation is on, you must provide this option or the API call fails and returns a rejected promise. Forget(),set(), andremove() you must pass a string value. ForgetAll(), you may also passnull here, and this gets all cookies, whether or not they have a non-empty value forfirstPartyDomain.

When first-party isolation is off, thefirstPartyDomain parameter is optional and defaults to an empty string. A non-empty string can be used to retrieve or modify first-party isolation cookies. Likewise, passingnull asfirstPartyDomain togetAll() returns all cookies.

cookies.Cookie

Represents information about an HTTP cookie.

cookies.CookieStore

Represents a cookie store in the browser.

cookies.OnChangedCause

Represents the reason a cookie changed.

cookies.SameSiteStatus

Represents the same-site status of the cookie.

cookies.get()

Retrieves information about a single cookie.

cookies.getAll()

Retrieves all cookies that match a given set of filters.

cookies.set()

Sets a cookie with the given cookie data; may overwrite equivalent cookies if they exist.

cookies.remove()

Deletes a cookie by name.

cookies.getAllCookieStores()

Lists all existing cookie stores.

cookies.onChanged

Fired when a cookie is set or removed.

• cookie-bg-picker
• list-cookies