supercookies


the durable trackers that re-identified you AFTER you cleared cookies, and where each one stands in a 2026 browser. evercookie, etag and cache validators, hsts pins, the 2021 favicon-cache exploit, cname cloaking, dom-storage ids: scored live, mitigated, or dead, with what closed it off and when. then a same-origin demo you run in your own browser (nothing leaves it), and the timeline of how third-party cookies died, the side-channels rose to fill the gap, and chrome reversed the deprecation anyway.

evercookie

mitigated in 2026 · confirmed · as of 2026-06-15

status: mitigated
mitigated by: see below
since: 2020

the mechanic

samy kamkar's 2010 kitchen-sink: write the same id into a dozen stores at once (http cookies + flash LSO + silverlight + localStorage + sessionStorage + IndexedDB + a force-cached PNG read back via canvas + ETag + window.name + HSTS), then respawn it from any survivor when the others are cleared.

mitigated by · when

the death of flash + silverlight killed the durable plugins, and state partitioning (cache, storage, hsts all keyed by top-level site) breaks the cross-site respawn. a same-origin variant still respawns within one site.

landed: 2020

where it stands

the canonical demo of redundant respawning, not one trick. most of its legs are amputated (no flash, partitioned cache/storage), so it no longer follows you across sites; but the core idea (redundancy + respawn) is why clearing one store was never enough, and a single-origin respawn still works.

same-origin supercookie demo

a live demonstration, entirely inside your own browser. plant an 8-bit id into a normal cookie AND into localStorage (a non-cookie store), then hit "clear cookies" and watch the localStorage id survive. that survival is the supercookie effect: clearing your cookies did not clear your id.

privacy: nothing leaves your browser. no network request is made. every byte is your own origin's localStorage, and "wipe everything" deletes it.
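an audit of the effect the demo shows, as an added example that is not this page's own code: given storage snapshots taken before a cookie clear, right after it, and after the next page load, it reports every cookie value that survived in a non-cookie store and whether it was respawned into a cookie. the function name, the snapshot shape and the sample values are assumptions constructed for illustration.

```javascript
// Added example. Snapshot shape { storeName: { key: value } } is an assumption.
// Returns every value that was in a cookie before the clear and is still
// recoverable afterwards, with where it survived and whether it respawned.
function auditCookieClear(before, afterClear, afterReload) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookie || {})) {
    // A cookie the clear did not remove is a failed clear, not a supercookie.
    if ((afterClear.cookie || {})[name] === value) continue;
    const survivedIn = [];
    for (const [store, entries] of Object.entries(afterClear)) {
      if (store === "cookie") continue;
      for (const [key, v] of Object.entries(entries)) {
        if (v === value) survivedIn.push(`${store}.${key}`);
      }
    }
    if (survivedIn.length === 0) continue; // the id really is gone
    // Respawn: the same value is back in some cookie on the next load.
    const respawned = Object.values(afterReload.cookie || {}).includes(value);
    findings.push({ cookie: name, value, survivedIn, respawned });
  }
  return findings;
}

// Constructed snapshots modelling the demo: 8-bit id 173 planted in both stores.
const before      = { cookie: { id: "173", theme: "dark" }, localStorage: { id: "173" } };
const afterClear  = { cookie: {},                           localStorage: { id: "173" } };
const afterReload = { cookie: { id: "173" },                localStorage: { id: "173" } };
// Same sequence after "wipe everything": no store holds the id any more.
const afterWipe   = { cookie: {}, localStorage: {} };

console.log(auditCookieClear(before, afterClear, afterReload));
console.log(auditCookieClear(before, afterWipe, afterWipe));
```

the `theme` cookie is not reported because its value exists in no other store; very short values can collide by chance, so treat a match on a low-entropy value as a lead to check, not a verdict.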


the third-party-cookie reversal

the other half of the story. third-party cookies were the easy durable tracker; the platforms announced the death, the durable vectors above filled the gap, browsers closed them, and then chrome reversed the cookie deprecation entirely. the timeline of how we got to a 2026 where 3p cookies live on but the side-channels are mostly closed.

  1. 2013
    safari

    safari ships block-third-party-cookies on by default, years ahead of the field. webkit later formalizes this as intelligent tracking prevention.

  2. 2017-06
    safari

    intelligent tracking prevention (itp) launches: ml-classified trackers have their cookie access purged on a clock. the modern 3p-cookie clampdown begins.

  3. 2019-09
    firefox

    firefox enhanced tracking protection blocks known third-party tracking cookies by default for all users.

  4. 2020-01
    google chrome

    google announces it will phase out third-party cookies in chrome 'within two years'. the privacy sandbox program is framed as the replacement.

  5. 2020-10
    chromium

    chrome 86 partitions the http cache by top-level site, killing cross-site etag and cache-timing tracking. the durable-vector clampdown lands alongside the cookie one.

  6. 2021-06
    firefox

    total cookie protection: every site gets its own cookie jar, and dom storage is partitioned by top-level site. cross-site localStorage / indexeddb tracking is closed.

  7. 2021-06
    google chrome

    google delays the 3p-cookie deadline to late 2023, citing the need to mature privacy sandbox and address regulators (the uk cma takes oversight).

  8. 2022-02
    google chrome

    the topics api replaces the abandoned floc proposal after floc drew privacy and antitrust criticism.

  9. 2023-07
    google chrome

    google delays again, to the second half of 2024. chips (partitioned cookies) and the privacy sandbox apis reach general availability.

  10. 2024-04
    google chrome

    google pushes the deprecation to 2025 amid unresolved cma / ico concerns about privacy sandbox favoring google's own ad stack.

  11. 2024-07
    google chrome

    the reversal: google announces it will NOT deprecate third-party cookies, switching to a one-time user choice prompt instead. the four-year phase-out is abandoned.

  12. 2025-04
    google chrome · speculative

    google confirms it will keep third-party cookies and drop the standalone choice prompt, leaning on existing incognito / privacy controls. 3p cookies persist in chrome into 2026.

go deeper

  • → cookie monster: the first-party detection cookies, beside the durable side-channels that re-identify after a clear.
  • → fingerprint knowledge base: the storage and cache surfaces each vector abuses, defined: severity, tell status, evasion notes.