Does document.cookie list every cookie?

No. HttpOnly cookies stay server-side from JavaScript’s perspective. Developers only see intentionally script-readable cookies scoped to the effective path and SameSite rules for the current browsing context.

What does a first-party cookie probe prove?

It proves that this origin can set, read, and delete a short-lived Lax cookie—a practical gate for login flows, carts, and instrumentation. It does not prove third-party advertisers can still tag you cross-site.

Why would localStorage fail but cookies work?

Private mode, IT policy, or partitioning can throw SecurityError for storage APIs while still honoring limited cookie jars. Treat each API as an independent gate when debugging broken SPAs.

Is Global Privacy Control legally binding?

GPC conveys an opt-out preference where regulations and case law recognize automated signals. Operational compliance still depends on jurisdictional scope, contracts, and publisher interpretation—not a single boolean in JavaScript.

June 10, 2026 · 7 min read

Cookie & Tracking Status Checker — What Your Browser Exposes (2026)

Understand first-party cookie probes, HttpOnly blind spots, web storage failures, Global Privacy Control, and why sandboxed pages cannot audit every tracker.

A modern “cookie check” is not a vibes-based toggle in Settings—it is a layered stack of synchronous cookies, DOM storage, structured databases, quotas, and outbound privacy signals. Consumers want to know whether tracking is “off,” but engineers need precise answers: Did the browser throw on localStorage.setItem? Does navigator.cookieEnabled disagree with the write probe? Does Global Privacy Control advertise an opt-out?

This article explains what a responsible in-browser diagnostic can show in 2026, what it must not claim, and how to pair our What Is My Cookie / Tracking Status tool with adjacent checks (browser sniffing, UA review, DNS context) when escalations hit support teams.

What can JavaScript legally “see” about cookies?

document.cookie returns a semicolon-delimited list of name=value pairs the current document may read. Immediately absent are HttpOnly flags, Secure cookies on wrong schemes, off-origin cookies, and partitioned third-party cookies residing in separate storage buckets. Safari’s Intelligent Tracking Prevention lineage, Chrome’s third-party cookie deprecation schedule, and Firefox’s Enhanced Tracking Protection all influence which cookies appear after navigation events.

Surface	Observable from script?	Typical failure mode
Same-site `SameSite=Lax` session	Yes (if not HttpOnly)	Blocker extensions, enterprise policy
Authentication refresh token (HttpOnly)	No — by design	XSS blast radius reduction
Embedded payment iframe cookie	Maybe after Storage Access prompts	User gesture + cross-site rules
Advertising tag in third-party iframe	Requires partner frame + policies	Partitioned storage, blocked 3P

How the first-party probe behaves

The diagnostic issues a random token, writes path=/ with SameSite=Lax, verifies document.cookie includes the token, then zeroes Max-Age. If any step fails—common in hardened profiles—the UI flags strict blocking so QA can correlate extension matrices without assuming navigator.cookieEnabled is authoritative.

document.cookie = `${token}=1; path=/; SameSite=Lax; Max-Age=60`;
const ok = document.cookie.split(";").some((pair) => pair.trim().startsWith(`${token}=`));
document.cookie = `${token}=; path=/; SameSite=Lax; Max-Age=0`;

Contrast that with privacy washing: a site that claims “we only use essential cookies” while shipping twenty third-party marketing pixels still fails policy review even if the snippet above passes.

Web storage is not a cookie clone

localStorage and sessionStorage throw when privacy modes restrict persistence, when quota is exceeded, or when storage access is partitioned away for iframes lacking user activation. IndexedDB covers structured offline datasets; Cache API caches service worker assets. Checking boolean availability tells you whether SPA bootstraps can hydrate feature flags client-side—distinct from whether marketing tags load.

navigator.storage.estimate() exposes usage vs quota when permitted, helping debug “PWA suddenly read-only” incidents after OS backup tools fill the profile disk.

Signals beyond storage: DNT and GPC

navigator.doNotTrack remains readable for legacy dashboards but rarely changes ad auction behavior. Global Privacy Control—when navigator.globalPrivacyControl === true—communicates an opt-out posture some frameworks map to regulated sale/share prohibitions. Surfacing both educates compliance stakeholders without pretending either replaces a Consent Management Platform.

Storage Access API checks matter more for embedded flows: document.hasStorageAccess() answers whether the current frame received delegated access—less relevant on a top-level editorial page but critical when reproducing broken Apple Pay or OIDC popups.

Why this is not a CMP or a tracker list

Consent Management Platforms categorize vendors, lawful bases, banner copy, and granular toggles. Our tool never stores IAB Transparency & Consent Framework strings—it only answers infrastructure questions: “Can this browser persist first-party state using standard APIs right now?” Combine with network panels, tag managers, and /dns lookups when you chase cross-site calls.

Operational guidance for support teams

Ask users to run the diagnostic in an incognito window without extensions, then with their corporate profile. Split results isolate policy vs extension conflict. Pair with What Is My Browser and What Is My User Agent before opening tickets against identity providers.

Open What Is My Cookie / Tracking Status for the live table summarizing probe outcome, script-visible cookie counts, storage API health, quota estimates, Storage Access hints, and DNT/GPC visibility—nothing is uploaded beyond normal site analytics described in our Privacy Policy.