cookies API

Use the browser.cookies API to query and modify cookies, and to be notified when they change.

Permissions

The following permissions influence the behavior of the API. Depending on which permissions are requested, additional methods might be available, or certain data may be included in responses.

Hint

Request permissions only when needed. Unnecessary requests may result in rejection during ATN review.

cookies

Grant access to some or all methods of the cookies API.

Note

The permission cookies is required to use messenger.cookies.*.

Functions

get(details)

– [Added in TB 45]

Retrieves information about a single cookie. If more than one cookie of the same name exists for the given URL, the one with the longest path will be returned. For cookies with the same path length, the cookie with the earliest creation time will be returned.

Note

Provides access to cookies from private browsing mode and container tabs since version 52.

Note

From Thunderbird 133, sorts cookies according to RFC 6265, section 5.4. This means the cookie with the longest matching path is returned; previously, the earliest created cookie was returned.

Parameters

details

(object)

Details to identify the cookie being retrieved.

name

(string)

The name of the cookie to retrieve.

url

(string)

The URL with which the cookie to retrieve is associated. This argument may be a full URL, in which case any data following the URL path (e.g. the query string) is simply ignored. If host permissions for this URL are not specified in the manifest file, the API call will fail.

[firstPartyDomain]

(string, optional)

The first-party domain with which the cookie to retrieve is associated. This attribute is required if First-Party Isolation is enabled.

[partitionKey]

(PartitionKey, optional)

The storage partition, if the cookie is part of partitioned storage. By default, only non-partitioned cookies are returned.

[storeId]

(string, optional)

The ID of the cookie store in which to look for the cookie. By default, the current execution context’s cookie store will be used.

Return type (Promise)

_returns

Contains details about the cookie. This parameter is null if no such cookie was found.

Required permissions

  • cookies

getAll(details)

– [Added in TB 45]

Retrieves all cookies from a single cookie store that match the given information. The cookies returned will be sorted, with those with the longest path first. If multiple cookies have the same path length, those with the earliest creation time will be first.

Note

Before version 52, the ‘tabIds’ list was empty and only cookies from the default cookie store were returned. From version 52 onwards, this has been fixed and the result includes cookies from private browsing mode and container tabs.

Note

From Thunderbird 133, sorts cookies according to RFC 6265, section 5.4. This means the cookie with the longest matching path is returned first: previously, the earliest created cookie was returned first.

Parameters

details

(object)

Information to filter the cookies being retrieved.

[domain]

(string, optional)

Restricts the retrieved cookies to those whose domains match or are subdomains of this one.

[firstPartyDomain]

(string, optional)

Restricts the retrieved cookies to those whose first-party domains match this one. This attribute is required if First-Party Isolation is enabled. To not filter by a specific first-party domain, use null or undefined.

[name]

(string, optional)

Filters the cookies by name.

[partitionKey]

(PartitionKey, optional)

Selects a specific storage partition to look up cookies. Defaults to null, in which case only non-partitioned cookies are retrieved. If an object is passed, partitioned cookies are also included, and filtered based on the keys present in the given PartitionKey description. An empty object ({}) returns all cookies (partitioned + unpartitioned), a non-empty object (e.g. {topLevelSite: ‘…’}) only returns cookies whose partition matches all given attributes.

[path]

(string, optional)

Restricts the retrieved cookies to those whose path exactly matches this string.

[secure]

(boolean, optional)

Filters the cookies by their Secure property.

[session]

(boolean, optional)

Filters the cookies by whether they are session cookies or persistent cookies.

[storeId]

(string, optional)

The cookie store to retrieve cookies from. If omitted, the current execution context’s cookie store will be used.

[url]

(string, optional)

Restricts the retrieved cookies to those that would match the given URL.

Return type (Promise)

_returns

array of Cookie

All the existing, unexpired cookies that match the given cookie info.

Required permissions

  • cookies
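
An added example (not part of the Thunderbird documentation) that combines getAllCookieStores() and getAll() to inventory the cookies in every store and flag weak attributes. The function names, the 365-day threshold and the report shape are assumptions made for this example; the extension is assumed to hold the cookies permission and the relevant host permissions.

```javascript
// Added example; auditCookie and inventory are hypothetical helper names.

// Pure check over one Cookie object as described in the Types section.
function auditCookie(cookie, nowSeconds, maxAgeDays = 365) {
  const findings = [];
  if (!cookie.secure) findings.push("missing Secure");
  if (!cookie.httpOnly) findings.push("missing HttpOnly");
  if (cookie.sameSite === "no_restriction") findings.push("SameSite not restricted");
  // expirationDate is in seconds since the UNIX epoch; absent for session cookies.
  if (!cookie.session && cookie.expirationDate !== undefined) {
    const days = (cookie.expirationDate - nowSeconds) / 86400;
    if (days > maxAgeDays) findings.push(`expires in more than ${maxAgeDays} days`);
  }
  return findings;
}

// `api` is the cookies namespace (messenger.cookies inside an extension).
// partitionKey {} includes partitioned cookies; firstPartyDomain null
// disables first-party filtering, as the getAll parameters describe.
async function inventory(api, nowSeconds = Date.now() / 1000) {
  const report = [];
  for (const store of await api.getAllCookieStores()) {
    const cookies = await api.getAll({
      storeId: store.id,
      partitionKey: {},
      firstPartyDomain: null,
    });
    for (const cookie of cookies) {
      const findings = auditCookie(cookie, nowSeconds);
      if (findings.length > 0) {
        report.push({ store: store.id, incognito: store.incognito,
                      domain: cookie.domain, name: cookie.name, findings });
      }
    }
  }
  return report;
}

// In an extension background script:
//   inventory(messenger.cookies).then(console.table);
```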

getAllCookieStores()

– [Added in TB 45]

Lists all existing cookie stores.

Note

Before version 52, only the default cookie store was visible. From version 52 onwards, the cookie stores for private browsing mode and container tabs are also readable.

Return type (Promise)

_returns

array of CookieStore

All the existing cookie stores.

Required permissions

  • cookies

remove(details)

– [Added in TB 45]

Deletes a cookie by name.

Note

Before version 56, this function did not remove cookies from private browsing mode. From version 56 onwards this is fixed.

Note

From Thunderbird 133, sorts cookies according to RFC 6265, section 5.4. This means the cookie with the longest matching path is deleted: previously, the earliest created cookie was deleted.

Parameters

details

(object)

Information to identify the cookie to remove.

name

(string)

The name of the cookie to remove.

url

(string)

The URL associated with the cookie. If host permissions for this URL are not specified in the manifest file, the API call will fail.

[firstPartyDomain]

(string, optional)

The first-party domain associated with the cookie. This attribute is required if First-Party Isolation is enabled.

[partitionKey]

(PartitionKey, optional)

The storage partition, if the cookie is part of partitioned storage. By default, non-partitioned storage is used.

[storeId]

(string, optional)

The ID of the cookie store to look in for the cookie. If unspecified, the cookie is looked for by default in the current execution context’s cookie store.

Return type (Promise)

_returns

object

Contains details about the cookie that’s been removed. If removal failed for any reason, this will be “null”, and lastError will be set.

firstPartyDomain

(string)

The first-party domain associated with the cookie that’s been removed.

name

(string)

The name of the cookie that’s been removed.

storeId

(string)

The ID of the cookie store from which the cookie was removed.

url

(string)

The URL associated with the cookie that’s been removed.

[partitionKey]

(PartitionKey, optional)

The storage partition, if the cookie is part of partitioned storage. null if not partitioned.

Required permissions

  • cookies

set(details)

– [Added in TB 45]

Sets a cookie with the given cookie data; may overwrite equivalent cookies if they exist.

Note

Before version 56, this function did not modify cookies in private browsing mode. From version 56 onwards this is fixed.

Note

From Thunderbird 133, sorts cookies according to RFC 6265, section 5.4. This means the cookie returned by the promise is the one with the longest matching path: previously, the earliest created cookie was returned.

Parameters

details

(object)

Details about the cookie being set.

url

(string)

The request-URI to associate with the setting of the cookie. This value can affect the default domain and path values of the created cookie. If host permissions for this URL are not specified in the manifest file, the API call will fail.

[domain]

(string, optional)

The domain of the cookie. If omitted, the cookie becomes a host-only cookie.

[expirationDate]

(number, optional)

The expiration date of the cookie as the number of seconds since the UNIX epoch. If omitted, the cookie becomes a session cookie.

[firstPartyDomain]

(string, optional)

The first-party domain of the cookie. This attribute is required if First-Party Isolation is enabled.

[httpOnly]

(boolean, optional)

Whether the cookie should be marked as HttpOnly. Defaults to false.

[name]

(string, optional)

The name of the cookie. Empty by default if omitted.

[partitionKey]

(PartitionKey, optional)

The storage partition, if the cookie is part of partitioned storage. By default, non-partitioned storage is used.

[path]

(string, optional)

The path of the cookie. Defaults to the path portion of the url parameter.

[sameSite]

(SameSiteStatus, optional)

The cookie’s same-site status.

[secure]

(boolean, optional)

Whether the cookie should be marked as Secure. Defaults to false.

[storeId]

(string, optional)

The ID of the cookie store in which to set the cookie. By default, the cookie is set in the current execution context’s cookie store.

[value]

(string, optional)

The value of the cookie. Empty by default if omitted.

Return type (Promise)

_returns

Contains details about the cookie that’s been set. If setting failed for any reason, this will be “null”, and lastError will be set.

Required permissions

  • cookies

Events

onChanged

– [Added in TB 45]

Fired when a cookie is set or removed. As a special case, note that updating a cookie’s properties is implemented as a two-step process: the cookie to be updated is first removed entirely, generating a notification with a “cause” of “overwrite”. Afterwards, a new cookie is written with the updated values, generating a second notification with a “cause” of “explicit”.

Parameters for onChanged.addListener(listener)

listener(changeInfo)

A function that will be called when this event occurs.

Parameters passed to the listener function

changeInfo

(object)

cause

The underlying reason behind the cookie’s change.

cookie

(Cookie)

Information about the cookie that was set or removed.

removed

(boolean)

True if a cookie was removed.

Required permissions

  • cookies

Types

Cookie

Represents information about an HTTP cookie.

object

domain

(string)

The domain of the cookie (e.g. “www.google.com”, “example.com”).

firstPartyDomain

(string)

– [Added in TB 59]

The first-party domain of the cookie.

hostOnly

(boolean)

True if the cookie is a host-only cookie (i.e. a request’s host must exactly match the domain of the cookie).

httpOnly

(boolean)

True if the cookie is marked as HttpOnly (i.e. the cookie is inaccessible to client-side scripts).

name

(string)

The name of the cookie.

path

(string)

The path of the cookie.

sameSite

– [Added in TB 63]

The cookie’s same-site status (i.e. whether the cookie is sent with cross-site requests).

secure

(boolean)

True if the cookie is marked as Secure (i.e. its scope is limited to secure channels, typically HTTPS).

session

(boolean)

True if the cookie is a session cookie, as opposed to a persistent cookie with an expiration date.

storeId

(string)

The ID of the cookie store containing this cookie, as provided in getAllCookieStores().

value

(string)

The value of the cookie.

[expirationDate]

(number, optional)

The expiration date of the cookie as the number of seconds since the UNIX epoch. Not provided for session cookies.

[partitionKey]

(PartitionKey, optional)

– [Added in TB 94]

The cookie’s storage partition, if any. null if not partitioned.

CookieStore

– [Added in TB 45]

Represents a cookie store in the browser. An incognito mode window, for instance, uses a separate cookie store from a non-incognito window.

object

id

(string)

The unique identifier for the cookie store.

incognito

(boolean)

– [Added in TB 52]

Indicates if this is an incognito cookie store.

tabIds

(array of integer)

– [Added in TB 52]

Identifiers of all the browser tabs that share this cookie store.

OnChangedCause

– [Added in TB 45]

The underlying reason behind the cookie’s change. If a cookie was inserted, or removed via an explicit call to remove(details), “cause” will be “explicit”. If a cookie was automatically removed due to expiry, “cause” will be “expired”. If a cookie was removed due to being overwritten with an already-expired expiration date, “cause” will be set to “expired_overwrite”. If a cookie was automatically removed due to garbage collection, “cause” will be “evicted”. If a cookie was automatically removed due to a “set” call that overwrote it, “cause” will be “overwrite”. Plan your response accordingly.

string

Supported values:

evicted

expired

expired_overwrite

explicit

overwrite
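
An added example (not part of the Thunderbird documentation) for the two-step update described under onChanged and the causes listed above: it pairs the “overwrite” removal with the “explicit” write that follows, so a listener can tell an update from a deletion and notice when an update dropped Secure, HttpOnly or SameSite. The names cookieKey and makeChangeTracker and the result shape are assumptions made for this example.

```javascript
// Added example; cookieKey and makeChangeTracker are hypothetical helper names.

// Identity of a cookie for pairing the two notifications of one update.
function cookieKey(c) {
  return JSON.stringify([c.storeId, c.domain, c.path, c.name,
                         c.firstPartyDomain || "", c.partitionKey || null]);
}

function makeChangeTracker() {
  const pending = new Map(); // key -> cookie removed with cause "overwrite"
  return function classify({ cause, cookie, removed }) {
    const key = cookieKey(cookie);
    if (removed) {
      if (cause === "overwrite") {
        pending.set(key, cookie); // first half of an update
        return { kind: "update-pending", cookie };
      }
      pending.delete(key);
      // "explicit" is a remove() call; otherwise expired, expired_overwrite or evicted.
      return { kind: cause === "explicit" ? "deleted" : cause, cookie };
    }
    const previous = pending.get(key);
    pending.delete(key);
    if (!previous) return { kind: "created", cookie, downgraded: [] };
    // Second half of an update: list the protections the new cookie lost.
    const downgraded = [];
    if (previous.secure && !cookie.secure) downgraded.push("secure");
    if (previous.httpOnly && !cookie.httpOnly) downgraded.push("httpOnly");
    if (["lax", "strict"].includes(previous.sameSite) &&
        cookie.sameSite === "no_restriction") downgraded.push("sameSite");
    return { kind: "updated", previous, cookie, downgraded };
  };
}

// Wiring in an extension background script (requires the cookies permission):
//   const classify = makeChangeTracker();
//   messenger.cookies.onChanged.addListener((info) => {
//     const result = classify(info);
//     if (result.kind === "updated" && result.downgraded.length > 0) {
//       console.warn("cookie protections dropped", result);
//     }
//   });
```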

PartitionKey

The description of the storage partition of a cookie. This object may be omitted (null) if a cookie is not partitioned.

object

[hasCrossSiteAncestor]

(boolean, optional)

Whether or not the cookie is in a third-party context, respecting ancestor chains.

[topLevelSite]

(string, optional)

The first-party URL of the cookie, if the cookie is in storage partitioned by the top-level site.

SameSiteStatus

A cookie’s ‘SameSite’ state (https://tools.ietf.org/html/draft-west-first-party-cookies). ‘no_restriction’ corresponds to a cookie set without a ‘SameSite’ attribute, ‘lax’ to ‘SameSite=Lax’, and ‘strict’ to ‘SameSite=Strict’.

string

Supported values:

lax

no_restriction

strict

unspecified