Cookie

Enables extensions to get and set cookies, and be notified when they change.

权限

To use this API, an add-on must specify the "cookies" API permission 在其 manifest.json file, along with host permissions for any sites for which it wishes to access cookies. The add-on may read or write any cookies which could be read or written by a URL matching the host permissions. For example:

http://*.example.com/
http://www.example.com/
*://*.example.com/

Tracking protection

Trackers use third-party cookies, that is, cookies set by a website other than the one you are on, to identify the websites you visit. For example:

You visit a-shopping-site.com , which uses ad-tracker.com to deliver its adverts on the web. ad-tracker.com sets a cookie associated with the ad-tracker.com domain. While you are on a-shopping-site.com , ad-tracker.com receives information about the products you browse.
You now visit a-news-site.com 使用 ad-tracker.com to deliver adverts. ad-tracker.com read its cookie and use the information collected from a-shopping-site.com to decide which adverts to display to you.

Firefox includes features to prevent tracking. These features separate cookies so that trackers cannot make an association between websites visited. So, in the preceding example, ad-tracker.com cannot see the cookie created on a-news-site.com when visiting a-shopping-site.com . The first iteration of this protection was first-party isolation which is now being superseded by dynamic partitioning .

注意： First-party isolation and dynamic partitioning will not be active at the same time. If the user or an extension turns on first-party isolation, it takes precedence over dynamic partitioning. However, when private browsing uses dynamic partitioning, normal browsing may not be partitioning cookies. See Status of partitioning in Firefox , for details.

Storage partitioning

当使用 dynamic partitioning , Firefox partitions the storage accessible to JavaScript APIs by top-level site while providing appropriate access to unpartitioned storage to enable common use cases. This feature is being rolled out progressively. See Status of partitioning in Firefox , for implementation details.

Storage partitions are keyed by the schemeful URL of the top-level website and, when dynamic partitioning is active, the key value is available through the partitionKey.topLevelSite property in the cookies API, for example, partitionKey: {topLevelSite: "http://site"} .

Generally, top-level documents are in unpartitioned storage, while third-party iframes are in partitioned storage. If a partition key cannot be determined, the default (unpartitioned storage) is used. For example, while all HTTP(S) sites can be used as a partition key, moz-extension:- URLs cannot. Therefore, iframes in Firefox's extension documents do not use partitioned storage.

默认情况下， cookies.get() , cookies.getAll() , cookies.set() ，和 cookies.remove() work with cookies in unpartitioned storage. To work with cookies in partitioned storage in these APIs, topLevelSite in partitionKey must be set. The exception is getAll where setting partitionKey without topLevelSite returned cookies in partitioned and unpartitioned storage. cookies.onChanged fires for any cookie that the extension can access, including cookies in partitioned storage. To ensure that the correct cookie is modified, extensions should read the cookie.partitionKey property from the event and pass its value to cookies.set() and cookies.remove() .

First-party isolation

When first-party isolation is on, cookies are qualified by the domain of the original page the user visited (essentially, the domain shown to the user in the URL bar, also known as the "first party domain").

First-party isolation can be enabled by the user by adjusting the browser's configuration and set by extensions using the firstPartyIsolate setting in the privacy API. Note that first-party isolation is enabled by default in Tor Browser .

在 Cookie API, the first party domain is represented using the firstPartyDomain attribute. All cookies set while first-party isolation is on have this attribute set to the domain of the original page. In the preceding example, this is a-shopping-site.com for one cookie and a-news-site.com for the other. When first-party isolation is off, all cookies set by websites have this property set to an empty string.

cookies.get() , cookies.getAll() , cookies.set() and cookies.remove() APIs all accept a firstPartyDomain 选项。

When first-party isolation is on, you must provide this option or the API call will fail and return a rejected promise. For get() , set() ，和 remove() you must pass a string value. For getAll() , you may also pass null here, and this will get all cookies, whether or not they have a non-empty value for firstPartyDomain .

When first-party isolation is off, the firstPartyDomain parameter is optional and defaults to an empty string. A non-empty string can be used to retrieve or modify first-party isolation cookies. Likewise, passing null as firstPartyDomain to getAll() will return all cookies.