Browser Landscape
📊 Storage Persistence Matrix
Section titled “📊 Storage Persistence Matrix”Maximum cookie and storage lifetimes by browser and mechanism under normal (non-private) browsing:
| Mechanism | Safari 26+ | Firefox (Standard) | Firefox (Strict) | Brave | Chrome | Edge (Balanced) |
|---|---|---|---|---|---|---|
JS document.cookie | 7 days (24h with link decoration) | 400 days | 400 days | 7 days | 400 days | 400 days |
HTTP Set-Cookie (same-IP first-party) | 400 days | 400 days | 400 days | 180 days | 400 days | 400 days |
HTTP Set-Cookie (CNAME, IP mismatch) | 7 days | 400 days | 400 days | blocked | 400 days | 400 days |
| Third-party cookies | blocked | partitioned (TCP) | blocked | blocked | allowed | varies by tracker classification |
| localStorage | 7 days without interaction | persistent | persistent | persistent | persistent | persistent |
| sessionStorage | session | session | session | session | session | session |
| IndexedDB | 7 days without interaction | persistent | persistent | persistent | persistent | persistent |
| Service Workers | 7 days without interaction | persistent | persistent | persistent | persistent | persistent |
Notes on the 400-day cap: this comes from the draft RFC 6265bis specification. Chromium enforces it since Chrome 104 (August 2022). Cookies requesting a longer Max-Age or Expires are silently capped. Safari and Firefox honor the 400-day ceiling in practice.
“Persistent” means the data survives until explicit deletion by the user, programmatic clearing, or browser-enforced maximum lifetime. It does not mean indefinite — all browsers reserve the right to evict storage under pressure.
For persistence strategy recommendations, see 02-identity-management.md.
🍎 Safari ITP (Intelligent Tracking Prevention)
Section titled “🍎 Safari ITP (Intelligent Tracking Prevention)”Safari’s ITP is not discretely versioned since ITP 2.3. Apple ships continuous improvements as part of WebKit releases. The system operates entirely on-device with no centralized blocklist.
Classification Model
Section titled “Classification Model”ITP classifies domains as trackers using an on-device machine learning model. The classifier evaluates per-domain (eTLD+1) statistics:
- Number of unique top-level domains where the domain appears as a subresource
- Number of unique top-level domains where the domain appears in an iframe
- Number of unique domains the domain redirects to (bounce tracking detection)
- Tracker collusion: if domain A redirects to classified domain B, domain A inherits the classification. This propagates recursively through the redirect graph.
No blocklist is used. No data leaves the device. A domain is classified based solely on its behavioral patterns as observed by the individual user’s browser.
Cookie Lifetime Rules
Section titled “Cookie Lifetime Rules”| How the cookie is set | Maximum lifetime | Conditions |
|---|---|---|
document.cookie (JavaScript) | 7 days | All JavaScript-set first-party cookies |
document.cookie with link decoration from classified tracker | 24 hours | Referrer is a classified tracking domain AND URL contains known click identifiers (gclid, fbclid, msclkid, etc.) |
Set-Cookie HTTP header, server IP matches site IP | 400 days | Genuine first-party: the server setting the cookie resolves to the same IP address as the website |
Set-Cookie HTTP header, server IP does not match site IP | 7 days | Includes CNAME-to-third-party setups. Safari 16.4+ (March 2023) checks IP address matching via A/AAAA DNS records |
Script-Writable Storage Purge
Section titled “Script-Writable Storage Purge”ITP deletes all script-writable storage after 7 days of Safari use without the user visiting the site. Affected:
- localStorage
- IndexedDB
- Service Worker registrations and cache
- Media keys
The 7-day clock resets each time the user visits the site (a full page navigation, not a subresource load). In third-party contexts, localStorage and IndexedDB are partitioned by the top-level domain.
CNAME Cloaking Detection
Section titled “CNAME Cloaking Detection”Active since Safari 14 / macOS Big Sur (November 2020). If a first-party subdomain resolves via CNAME to a third-party domain with a different IP address, Safari treats cookies from that subdomain as third-party and caps them at 7 days. Since Safari 16.4 (March 2023), the check extends to A/AAAA DNS records — any DNS configuration where the server IP does not match the website IP triggers the 7-day cap.
Safari 26 (September 2025)
Section titled “Safari 26 (September 2025)”- Advanced Fingerprinting Protection (AFP): on by default for all users. Restricts known fingerprinting scripts from accessing Canvas (2D), WebGL, and Web Audio APIs. Affects high-entropy screen measurements.
- Advanced Tracking and Fingerprinting Protection (ATFP): optional toggle, on by default in Private Browsing only. Adds link decoration stripping and stricter tracking domain blocking.
- Link Tracking Protection (LTP): strips tracking parameters (
gclid,fbclid, etc.) in Private Browsing, Mail, and Messages. NOT active in standard browsing as of Safari 26.
Cookie Lifetime Decision Tree
Section titled “Cookie Lifetime Decision Tree”🦊 Firefox Enhanced Tracking Protection (ETP)
Section titled “🦊 Firefox Enhanced Tracking Protection (ETP)”Firefox ships three ETP modes. The default is Standard.
Standard Mode (Default)
Section titled “Standard Mode (Default)”| What is blocked | Details |
|---|---|
| Social media trackers | Blocked (Facebook, Twitter, LinkedIn tracking scripts) |
| Cross-site tracking cookies | Partitioned via Total Cookie Protection (TCP) — each top-level site gets its own cookie jar |
| Cryptominers | Blocked |
| Known fingerprinters | Blocked |
| Tracking content | Blocked in Private Browsing only |
Strict Mode
Section titled “Strict Mode”Everything in Standard, plus:
| What is blocked | Details |
|---|---|
| Tracking content | Blocked in all windows (not just Private Browsing) |
| All cross-site cookies | Fully blocked (not just partitioned) |
| Bounce tracking | Storage purged for classified bounce trackers (Bounce Tracking Protection, Firefox 133+, November 2024) |
Tracker Lists
Section titled “Tracker Lists”Firefox uses the Disconnect.me tracker list:
- Level 1 (Standard mode): Advertising, Analytics, Social categories. Excludes “Content” category to minimize site breakage.
- Level 2 (Strict mode): Includes the “Content” category.
An entity list exempts same-company domains. If analytics.example.com is on the blocklist but owned by example.com, it is not blocked on example.com.
Total Cookie Protection (TCP)
Section titled “Total Cookie Protection (TCP)”Default for all Firefox users since June 2022. Every website gets its own cookie jar. A third-party cookie set on site A cannot be read when that same third party appears on site B. Third-party cookies still function within a single site’s context, but they are partitioned by top-level site. Exceptions exist for cross-site login flows (heuristic detection of SSO patterns).
TCP does not restrict first-party cookie lifetimes. First-party cookies persist up to the browser-enforced maximum.
Bounce Tracking Protection (Firefox 133+)
Section titled “Bounce Tracking Protection (Firefox 133+)”Enabled in Strict mode. Detects “extended navigations” — chains of short-lived redirects where the intermediate site accesses cookies or storage. Classified bounce tracker sites have cookies, site data, and cache purged periodically. Sites the user has directly interacted with in the last 45 days are exempt.
First-Party Storage
Section titled “First-Party Storage”Firefox applies no time-based restrictions to first-party cookies, localStorage, IndexedDB, or Service Workers in either Standard or Strict mode. First-party storage is persistent until cleared by the user or by code.
🦁 Brave Shields
Section titled “🦁 Brave Shields”Brave Shields are on by default for all users. The default level is Standard.
Cookie and Storage Lifetimes
Section titled “Cookie and Storage Lifetimes”| Mechanism | Lifetime |
|---|---|
JS document.cookie | 7 days maximum |
HTTP Set-Cookie (first-party) | 180 days (6 months) maximum |
| Third-party cookies | Blocked by default |
| Third-party storage in frames | Ephemeral: partitioned by top-level origin, cleared when last tab with that origin closes |
Brave enforces these limits regardless of tracker classification. All JavaScript-set cookies are capped at 7 days. All HTTP-set first-party cookies are capped at 180 days. These are hard browser-level limits, not configurable by the user.
Ephemeral Third-Party Storage
Section titled “Ephemeral Third-Party Storage”Third-party storage in iframes is partitioned by top-level origin. When the last tab for that top-level origin closes, the partitioned storage is destroyed. On browser quit, all partitioned storage is cleared regardless of the “continue where you left off” setting.
Fingerprint Farbling
Section titled “Fingerprint Farbling”Brave uses session-level randomization (“farbling”) on fingerprinting APIs:
- Canvas: randomized pixel data
- WebGL: randomized renderer strings
- AudioContext: noise injection
- User-Agent: randomized
- Screen dimensions, language, installed plugins: farbled
Each session produces a unique fingerprint per site. Cross-site fingerprint correlation is unreliable.
Brave sunset its “Strict” fingerprinting mode in favor of the farbling approach, which provides strong protection with less site breakage.
Filter Lists
Section titled “Filter Lists”Brave maintains its own ad and tracker blocking lists in addition to EasyList/EasyPrivacy. A Rust-based adblock engine (rewritten January 2026) processes these lists. Brave also introduced Cookiecrumbler, an LLM-powered system that auto-dismisses cookie consent banners.
🌐 Chrome
Section titled “🌐 Chrome”Third-Party Cookie Status
Section titled “Third-Party Cookie Status”Third-party cookies remain fully functional in Chrome as of 2026. Google reversed its deprecation plan:
- Original deprecation target: 2022, then 2023, then 2024
- July 2024: Google announced it would not deprecate third-party cookies
- April 2025: Google confirmed no cookie opt-in prompt would be rolled out
Third-party cookies are enabled by default in Chrome.
Privacy Sandbox
Section titled “Privacy Sandbox”Retired October 2025:
| Component | Status |
|---|---|
| Topics API | Retired |
| Protected Audience (PAAPI/FLEDGE) | Retired |
| Attribution Reporting API | Retired |
| CHIPS (cookie partitioning) | Retained |
| FedCM (Federated Credential Management) | Retained |
| Private State Tokens | Retained |
First-Party Storage
Section titled “First-Party Storage”Chrome applies minimal first-party storage restrictions:
- Cookies: 400-day maximum (enforced since Chrome 104, August 2022)
- localStorage: no time-based limit
- IndexedDB: no time-based limit
- Service Workers: no time-based limit
- No machine-learning tracker classification for first-party resources
Chrome is the most permissive major browser for tracking and storage. No built-in ad blocker. No fingerprinting protection. No first-party storage restrictions beyond the 400-day cookie cap.
🔷 Edge
Section titled “🔷 Edge”Tracking Prevention
Section titled “Tracking Prevention”Edge uses a three-tier tracking prevention system with the Disconnect.me tracker list:
| Level | What it blocks | Default |
|---|---|---|
| Basic | Known harmful trackers (cryptominers, fingerprinters) | No |
| Balanced | Trackers from unvisited sites + known harmful trackers | Yes |
| Strict | All trackers from all Disconnect.me categories including content trackers | No |
Cookie and Storage Behavior
Section titled “Cookie and Storage Behavior”Edge inherits Chromium’s cookie handling:
- 400-day cookie cap (same as Chrome)
- No first-party storage restrictions beyond tracker classification
- Third-party cookies: allowed by default, but storage access blocked for domains classified as trackers in Balanced mode
For classified tracker domains, Edge blocks storage access entirely in Balanced and Strict modes. For all other domains, behavior matches Chrome.
🕶️ Private / Incognito Mode
Section titled “🕶️ Private / Incognito Mode”All browsers: all storage is ephemeral. No persistence mechanism survives a private session close.
| Browser | Cookies | localStorage | sessionStorage | Third-party cookies |
|---|---|---|---|---|
| Safari (Private) | cleared on window close | cleared on window close | cleared on tab close | blocked |
| Firefox (Private) | cleared on window close | cleared on window close | cleared on tab close | blocked (TCP partitioned) |
| Chrome (Incognito) | cleared on window close | cleared on window close | cleared on tab close | blocked by default |
| Edge (InPrivate) | cleared on window close | in-memory only, not shared between tabs | cleared on tab close | blocked |
| Brave (Private) | cleared on window close | cleared on window close | cleared on tab close | blocked |
Edge InPrivate has a specific behavior: localStorage uses an in-memory store that behaves like sessionStorage and is not shared between tabs within the same InPrivate window.
Normal browsing storage is not accessible from private mode. The profiles are fully isolated. A user who opens a private window has no access to cookies or localStorage from their regular browsing session, and vice versa.
Session-only identity is the maximum capability in private/incognito mode. No cross-session persistence exists.
🛡️ Ad Blockers and Privacy Extensions
Section titled “🛡️ Ad Blockers and Privacy Extensions”Browser restrictions are only part of the constraint landscape. Client-installed extensions add a second layer.
Extension Categories
Section titled “Extension Categories”| Extension | Mechanism | Impact |
|---|---|---|
| uBlock Origin | Filter list matching (EasyList, EasyPrivacy, custom lists) | Blocks script loads, network requests, and DOM elements matching known tracking patterns |
| AdBlock Plus | Filter list matching (EasyList, Acceptable Ads list) | Blocks ad and tracker scripts; allows “acceptable ads” by default |
| Privacy Badger | Heuristic learning (no blocklist) | Learns which domains track across sites and progressively blocks them |
| Ghostery | Combined blocklist + anti-tracking | Blocks trackers, provides tracker transparency reports |
Filter Lists
Section titled “Filter Lists”The two most relevant filter lists:
- EasyList: blocks advertising-related resources (ad scripts, ad server domains, ad-related XHR requests)
- EasyPrivacy: blocks analytics and tracking resources (analytics endpoints, tracking pixels, fingerprinting scripts)
These lists match URL patterns. Any request URL matching a filter rule is blocked before it reaches the network. Common blocked domains include google-analytics.com, googletagmanager.com, connect.facebook.net, analytics.tiktok.com, snap.licdn.com.
Why Native Integration Avoids Extension Blocking
Section titled “Why Native Integration Avoids Extension Blocking”External analytics scripts are on filter lists. Your own domain’s application code is not.
https://www.googletagmanager.com/gtag/js?id=GT-XXXXX— on EasyList, blockedhttps://analytics.google.com/g/collect— on EasyPrivacy, blockedhttps://connect.facebook.net/en_US/fbevents.js— on EasyList, blockedhttps://yourdomain.com/api/collect— not on any list, loads normally
A first-party endpoint on your own domain, receiving data from your own application code, is indistinguishable from any other API call your application makes. It is not on any filter list. It will not be blocked by any ad blocker operating on standard filter lists.
Cookie Name Targeting
Section titled “Cookie Name Targeting”Aggressive blockers and privacy extensions may target cookies by name. Cookie names containing patterns like _ga, _gid, _fbp, _fbc, _gcl, track, analytics, or pixel may be deleted or blocked by extensions. Use neutral, application-specific cookie names for UIAF identity and attribution storage.
Browser Market Context
Section titled “Browser Market Context”Extension impact varies by browser:
- Chrome: Manifest V3 (January 2025) limits declarativeNetRequest to 330,000 static rules and 30,000 dynamic rules. uBlock Origin Lite (MV3-compatible) has reduced filtering capability compared to uBlock Origin (MV2).
- Firefox: continues to support Manifest V2. uBlock Origin retains full filtering capability.
- Safari: uses its own extension API (Web Extensions). Limited ad blocker functionality compared to Firefox.
- Brave: has built-in ad blocking; extensions add additional layers.
📊 Cookie Lifetime Comparison
Section titled “📊 Cookie Lifetime Comparison”📋 Version Reference
Section titled “📋 Version Reference”| Browser | Version | Date | Relevant change |
|---|---|---|---|
| Safari 16.4 | 16.4 | March 2023 | IP address matching for CNAME cookies |
| Safari 26 | 26 | September 2025 | Advanced Fingerprinting Protection on by default |
| Chrome 104 | 104 | August 2022 | 400-day cookie cap enforced |
| Chrome (Privacy Sandbox) | — | October 2025 | Topics, PAAPI, Attribution Reporting retired |
| Firefox 86 | 86 | February 2021 | Total Cookie Protection introduced |
| Firefox (TCP default) | — | June 2022 | TCP enabled for all users by default |
| Firefox 133 | 133 | November 2024 | Bounce Tracking Protection in Strict mode |
| Brave (adblock rewrite) | — | January 2026 | Rust-based adblock engine rewrite |
| Edge (Balanced default) | — | Launch | Balanced tracking prevention on by default |
| Chrome MV3 | — | January 2025 | Manifest V3 enforced, MV2 extensions disabled |
📊 Browser Market Share (Early 2026)
Section titled “📊 Browser Market Share (Early 2026)”| Browser | Global Desktop | Global Mobile | Notable Segments |
|---|---|---|---|
| Chrome | ~65% | ~63% | Dominant across all segments |
| Safari | ~15% global | ~27% mobile | ~31% US. All iOS users (Safari is the only full browser engine on iOS outside EU DMA markets) |
| Edge | ~5% | <1% | Enterprise-heavy |
| Firefox | ~3% | <1% | Privacy-conscious users, developers |
| Brave | ~1% | <1% | Over-indexes in privacy-conscious, tech-savvy demographics |
Safari’s constraints disproportionately impact analytics: all iPhone and iPad users outside the EU use Safari’s WebKit engine exclusively, regardless of which browser app they install.