You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/en/2025/cookies.md
+21-22Lines changed: 21 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,17 +25,16 @@ doi: ...TODO
25
25
26
26
[Cookies](https://developer.mozilla.org/docs/Web/HTTP/Cookies) allow websites to save data and maintain state information across HTTP requests, a stateless protocol. Web applications use cookies for several purposes, like authentication, fraud prevention and security, or remembering preferences and user choices, etc. However, ever since their introduction in the mid-1990s, cookies have also played a dominant role in online tracking of web users.
27
27
28
-
Over the years, browser vendors such as Brave, Firefox, and Safari have imposed restrictions, partitioned, and removed third-party cookies. If initially Google Chrome appeared to follow in these steps by announcing <ahreflang="en"href="https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html">plans to block all third-party cookies</a>, several delays and postponements later, Google eventually decided to <ahreflang="en"href="https://privacysandbox.com/news/update-on-plans-for-privacy-sandbox-technologies/">maintain their current approach in Chrome</a>.
28
+
Over the years, browser vendors such as Brave, Firefox, and Safari have imposed restrictions, partitioned, and removed third-party cookies. While Chrome initially appeared to follow in these same steps by announcing <ahreflang="en"href="https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html">plans to block all third-party cookies</a>, several delays and postponements later, Google eventually decided to <ahreflang="en"href="https://privacysandbox.com/news/update-on-plans-for-privacy-sandbox-technologies/">maintain their current approach in Chrome</a>. As a result, cookies—the focus of this 2025 Web Almanac Chapter—remain an essential component in today's web landscape.
29
29
30
-
As a result, cookies—the focus of this 2025 Web Almanac Chapter—remain an essential component in today's web landscape. Next, we measure and report on the prevalence and structure of web cookies encountered on the webpages visited by the HTTP Archive crawl of July 2025. The majority of the results that follow, except when mentioned otherwise, are for the top one million (top 1M) most popular websites according to their rank in Chrome User Experience report (i.e., CrUX rank). We also report for both desktop and mobile devices; although, in practice for the results we look at, we do not observe any significant difference between the two types of devices.
30
+
In the chapter below, we measure and report on the prevalence and structure of web cookies encountered on the webpages visited by the HTTP Archive crawl of July 2025. The majority of these results, except when mentioned otherwise, are for the top one million (top 1M) most popular websites according to their rank in the Chrome User Experience report (i.e., CrUX rank). Results are also shown for both desktop and mobile devices; although, in practice for our results we rarely any significant difference between the two types of devices.
31
31
32
32
## Background
33
33
34
-
To avoid repetitions and overlap with concepts and definitions already explained in the 2024 Cookies chapter, we refer interested readers to last year's [Definitions section](../2024/cookies#definitions) for an overview of the different types of cookies and the privacy and security risks they can pose.
34
+
To avoid repetitions and overlap with concepts and definitions already explained in the 2024 Cookies chapter, we refer interested readers to last year's [Definitions section](../2024/cookies#definitions) for (a) an overview of the different types of cookies and (b) the privacy and security risks they can pose.
35
35
36
36
{# TODO check that previous link to 2024 is correct #}
37
37
38
-
{# TODO add links to all charts below #}
39
38
{# TODO ask if queries should be uploaded for 2025, although we reused the ones from 2024 #}
40
39
{# TODO resolves all todos left in document #}
41
40
@@ -45,7 +44,7 @@ To avoid repetitions and overlap with concepts and definitions already explained
45
44
image="first-and-third-party-prevalence.png",
46
45
caption="First- and third-party prevalence.",
47
46
description="Bar chart showing the prevalence of first- and third-party cookies on desktop and mobile clients. On desktop: 41% first- and 59% third-party cookies. On mobile: 40% first- and 60% third-party.",
caption="First- and third-party prevalence of cookies by rank on desktop clients.",
59
58
description="Bar chart showing the prevalence of first- and third-party cookies on desktop clients according to the popularity of the website. We see that more popular websites set significantly more third-party cookies. For the top 1k most popular websites on desktop clients, 78% of cookies set are third-party, while for the top 1M websites, 59% of cookies are third-party.",
caption="First- and third-party prevalence of cookies by rank on mobile clients.",
69
68
description="Bar chart showing the prevalence of first- and third-party cookies on mobile clients according to the popularity of the website. We see that more popular websites set significantly more third-party cookies. For the top 1k most popular websites on desktop clients, 78% of cookies set are third-party, while for the top 1M websites, 60% of cookies are third-party.",
@@ -81,7 +80,7 @@ We observe from [Figure 2](#fig-2) and [Figure 3](#fig-3) that the most visited
81
80
image="cookies-attributes-overview-desktop.png",
82
81
caption="An overview of cookie attributes for desktop clients.",
83
82
description="This figures gives an overview of how cookie attributes are used for desktop clients for both first- and third-party cookies. 100% of third-party cookies include the `SameSite` and `Secure` attributes. Only 1% of first-party cookies and 10% of third-party cookies use `Partioned`. 19% of first-party cookies set their `Session` attribute, while this is the case for only 7% of third-party cookies. Finally, 12% of first-party cookies and 28% of third-party cookies use the `HttpOnly` attribute.",
@@ -91,7 +90,7 @@ We observe from [Figure 2](#fig-2) and [Figure 3](#fig-3) that the most visited
91
90
image="cookies-attributes-overview-mobile.png",
92
91
caption="An overview of cookie attributes for mobile clients.",
93
92
description="This figures gives an overview of how cookie attributes are used for mobile clients for both first- and third-party cookies. We observe the exact same results as for desktop clients. 100% of third-party cookies include the `SameSite` and `Secure` attributes. Only 1% of first-party cookies and 9% of third-party cookies use `Partioned`. 19% of first-party cookies set their `Session` attribute, while this is the case for only TODO% of third-party cookies. Finally, 12% of first-party cookies and 26% of third-party cookies use the `HttpOnly` attribute.",
@@ -109,7 +108,7 @@ On [compatible browsers](https://developer.mozilla.org/docs/Web/Privacy/Privacy_
109
108
image="top-third-party-CHIPS.png",
110
109
caption="Top partitioned cookies (CHIPS) in third-party context.",
111
110
description="A chart showing the top third-party domains setting partitioned cookies. The top partitioned cookies in third-party context are `cf_clearance` set by Cloudflare and is used for anti-bot challenge.",
@@ -123,7 +122,7 @@ So, in the past year YouTube appears to have altered how these cookies were set
123
122
image="top-first-party-CHIPS.png",
124
123
caption="Top partitioned cookies (CHIPS) in first-party context.",
125
124
description="A chart showing the top first-party partitioned cookies. The top cookie `cf_clearance` is set by Cloudflare on about 92% of pages, and indicates that the user has successfully completed bot detection.",
@@ -172,7 +171,7 @@ To learn more about the `SameSite` attribute, see the following references:
172
171
image="same-site-desktop.png",
173
172
caption="`SameSite` attribute for cookies on desktop client.",
174
173
description="Shows the prevalence of the `SameSite` attribute and its value for both first-party and third-party cookies on desktop clients. 3.31% of first-party cookies set the `SameSite` attribute to `Strict`, 19.23% use `SameSite=Lax` (which is the default), 11.21% set the value to `None` and 66.24% do not specify the value of `SameSite`. Nearly 100% of third-party cookies set the `SameSite` attribute to `None`, in order for these cookies to be sent in a cross-site context.",
@@ -182,7 +181,7 @@ To learn more about the `SameSite` attribute, see the following references:
182
181
image="same-site-mobile.png",
183
182
caption="`SameSite` attribute for cookies on mobile client.",
184
183
description="Shows the prevalence of the `SameSite` attribute and its value for both first-party and third-party cookies on mobile clients. We see very similar results as for desktop clients. 3.11% of first-party cookies set the `SameSite` attribute to `Strict`, 19.46% use `SameSite=Lax` (which is the default), 11.28% set the value to None and 66.15% do not specify the value of `SameSite`. Nearly 100% of third-party cookies set the `SameSite` attribute to `None`, in order for these cookies to be sent in a cross-site context.",
@@ -203,7 +202,7 @@ For first-party cookies, about 87% of them have the `SameSite=Lax` (20% explicit
203
202
image="cookie-prefixes-desktop.png",
204
203
caption="Cookie prefixes observed on desktop pages.",
205
204
description="Shows the observed cookies prefixes used on desktop pages. We see that 0.032% of first-party cookies and only 0.001% of third-party cookies include `__Host-`. Similarly, 0.03% of first-party cookies and 0.001% of third-party cookies include `__Secure-`. ",
@@ -213,7 +212,7 @@ For first-party cookies, about 87% of them have the `SameSite=Lax` (20% explicit
213
212
image="cookie-prefixes-mobile.png",
214
213
caption="Cookie prefixes observed on mobile pages.",
215
214
description="Shows the observed cookies prefixes used on mobile pages. We observe very similar results to the cookies prefixes used on desktop pages. We see that 0.031% of first-party cookies and only 0.001% of third-party cookies include `__Host-`. Similarly, 0.03% of first-party cookies and 0.001% of third-party cookies include `__Secure-`. ",
@@ -232,7 +231,7 @@ For first-party cookies, about 87% of them have the `SameSite=Lax` (20% explicit
232
231
image="top-first-party-cookies-set.png",
233
232
caption="Top first-party cookies set.",
234
233
description="The chart shows the most widely-set first-party cookies. Google Analytics sets the `_ga` and `_gcl_au` cookies, which are used for website statistics, analytics reports, and targeted advertising, on more than 60% and 25% of websites, respectively, for both mobile and desktop clients.",
@@ -244,7 +243,7 @@ For first-party cookies, about 87% of them have the `SameSite=Lax` (20% explicit
244
243
image="top-third-party-cookies-set.png",
245
244
caption="Top third-party cookies and domains that set them.",
246
245
description="The chart shows the most widely-set third-party cookies. DoubleClick sets third-party advertising cookies on a little over 35% of pages. Microsoft also sets advertising cookies on 23% of pages. All top 10 domains setting third-party cookies are related to tracking and advertising.",
description="The chart shows the most common domains that set cookies on the web. Google's owned advertising platform DoubleClick sets cookies on more than 33% of the top 1M websites while others in this top 10 domains are at about 5% to 15%.",
@@ -389,7 +388,7 @@ For first-party cookies, about 87% of them have the `SameSite=Lax` (20% explicit
389
388
image="number-cookies-cdf-desktop.png",
390
389
caption="Number of cookies per website (cdf) for desktop pages.",
391
390
description="The graph shows the cumulative distribution function for the number of cookies set on desktop pages. We see that more websites have a number of first-party cookies that is closer to the maximum of first-party cookies observed, than for third-party cookies.",
@@ -399,7 +398,7 @@ For first-party cookies, about 87% of them have the `SameSite=Lax` (20% explicit
399
398
image="number-cookies-cdf-mobile.png",
400
399
caption="Number of cookies per website (cdf) for mobile pages.",
401
400
description="The graph shows the cumulative distribution function for the number of cookies set on mobile pages. We see that more websites have a number of first-party cookies that is closer to the maximum of first-party cookies observed, than for third-party cookies. Additionally, we observe very similar results for both desktop and mobile websites.",
@@ -536,7 +535,7 @@ Most cookies used for tracking have a size greater than <a hreflang="en" href="h
536
535
image="size-cookies-cdf-desktop-mobile.png",
537
536
caption="Size of cookies per website (cdf) for desktop and mobile pages.",
538
537
description="The graph shows the cumulative distribution function for the number of cookies set on desktop and mobile pages. We see a very similar distribution for cookies sizes for both desktop and mobile clients.",
@@ -669,7 +668,7 @@ Most cookies used for tracking have a size greater than <a hreflang="en" href="h
669
668
image="age-cookies-cdf-desktop-mobile.png",
670
669
caption="Age of cookies per website (cdf) for desktop and mobile pages.",
671
670
description="The graph shows the cumulative distribution function for the age of cookies set on desktop and mobile pages. About 45% of cookies expire after 90 days. We find the same results for both mobile and desktop clients. Additionally, 50% of cookies have a lifespan of maximum just below 1 year, while the other half remain stored in the browser for longer than a year. We see a somewhat similar distribution for cookies sizes for both desktop and mobile clients.",
0 commit comments