State Partitioning: How Browsers Quietly Broke Cross-Site Tracking

June 18, 2026 | Haven Team

The death of the third-party cookie got all the press, but it was never the whole problem. Cookies were just the most visible bucket of shared state a tracker could abuse. The deeper, more durable fix browsers shipped is state partitioning: making every form of per-site memory — caches, storage, even network connections — separate for each top-level site you visit. It's the change that actually closed the side doors.


For two decades, the web's privacy model had a structural flaw. When you visited news.example and it embedded a widget from tracker.example, that embedded third party could read and write its own cookies — the same cookies it set when embedded on shopping.example and a thousand other sites. One identifier, readable everywhere it appeared, let it stitch your browsing into a single profile. That's cross-site tracking in one sentence.

Blocking third-party cookies addresses that one bucket. But cookies were never the only place a browser remembers things on a site's behalf, and trackers are creative. The real solution had to be more general.

The Side Doors Cookies Left Open

Even with third-party cookies blocked, a determined tracker had other shared-state channels to abuse:

Plug the cookie hole and a tracker simply moves to the cache. The whole-problem fix is to change the key by which the browser stores all of this.

What Partitioning Actually Does

State partitioning adds the top-level site to the key of every storage and network bucket. Before partitioning, a resource's cache entry or storage was keyed roughly by its own origin. After partitioning, it's keyed by the pair: (the site you're actually visiting, the resource's origin).

Concretely: tracker.example embedded on news.example gets a storage bucket labeled (news.example, tracker.example). The same tracker embedded on shopping.example gets a different bucket: (shopping.example, tracker.example). The two are walled off from each other. The tracker can still remember things about your activity within one site, but it can no longer read the identifier it wrote under a different top-level site. The cross-site link is severed at the storage layer.

The mental model

Before: a third party had one notebook it carried to every site. After: it gets a fresh, separate notebook for each site you visit, and can't peek at the others. Its memory still works within a site; it just can't join the dots across sites.
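
The keying change described above, as an added toy model (not code from the original article or from any browser). `StateStore`, `trackerEmbed` and `linkableProfiles` are hypothetical names, and the counter-based ID stands in for a random identifier. It counts how many distinct sites the tracker's server can join under one identifier with and without partitioning.

```javascript
// Added illustration: a toy model of browser state keyed two ways.
// All names here (StateStore, trackerEmbed, linkableProfiles) are hypothetical.
class StateStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.buckets = new Map(); // storage key -> Map of name -> value
  }
  // Before partitioning: keyed by the resource's own origin only.
  // After: keyed by the pair (top-level site, resource origin).
  keyFor(topLevelSite, resourceOrigin) {
    return this.partitioned ? `${topLevelSite}|${resourceOrigin}` : resourceOrigin;
  }
  bucket(topLevelSite, resourceOrigin) {
    const key = this.keyFor(topLevelSite, resourceOrigin);
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
}

// What an embedded third party does on every page load: reuse the identifier
// it finds in its bucket, or mint one, then report (uid, site) to its server.
function trackerEmbed(store, topLevelSite, serverLog, mintId) {
  const bucket = store.bucket(topLevelSite, 'https://tracker.example');
  if (!bucket.has('uid')) bucket.set('uid', mintId());
  serverLog.push({ uid: bucket.get('uid'), site: topLevelSite });
}

// Server side: group reported visits by identifier. Each group is one profile.
function linkableProfiles(partitioned, visits) {
  const store = new StateStore(partitioned);
  const serverLog = [];
  let counter = 0;
  const mintId = () => `id-${++counter}`; // deterministic stand-in for a random ID
  for (const site of visits) trackerEmbed(store, site, serverLog, mintId);
  const profiles = new Map();
  for (const { uid, site } of serverLog) {
    if (!profiles.has(uid)) profiles.set(uid, new Set());
    profiles.get(uid).add(site);
  }
  return [...profiles.values()].map((sites) => [...sites].sort());
}

// Constructed browsing session: two sites, with a return visit to the first.
const visits = ['https://news.example', 'https://shopping.example', 'https://news.example'];
console.log('unpartitioned:', linkableProfiles(false, visits));
console.log('partitioned:  ', linkableProfiles(true, visits));
```

The return visit to news.example reuses its identifier in both modes, which is the "memory still works within a site" half of the model. Only the cross-site join disappears.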

Who Shipped What

This wasn't one feature but a convergent direction across browser vendors, under different names:

| Browser | Approach |
| --- | --- |
| Firefox | Total Cookie Protection / dynamic state partitioning — partitions cookies and storage by top-level site, on by default in standard mode. |
| Safari | Intelligent Tracking Prevention plus cache and storage partitioning — Safari was early to partition the cache and has blocked third-party cookies by default since 2020. |
| Chrome | Cache partitioning and storage partitioning shipped; CHIPS gives sites an opt-in for legitimately partitioned third-party cookies. |
| Brave / Tor Browser | Aggressive partitioning ("first-party isolation" in Tor Browser's lineage) plus additional anti-fingerprinting. |

The standards work lives in the Privacy CG and related specs, with terms like "storage partitioning" and the network-state-partitioning work that keys connection pools by top-level site. The naming is a mess; the underlying move is the same everywhere.

What It Doesn't Fix

State partitioning is a major win, but it is not the end of tracking, and overstating it would be the kind of marketing we try to avoid. Two big gaps remain.

First, fingerprinting. Partitioning stops trackers from storing an identifier across sites. It does nothing to stop them from recomputing one from your browser's observable characteristics — fonts, canvas rendering, screen metrics, and so on. A stateless fingerprint needs no notebook at all. Browsers fight this separately, with reduced entropy and randomization, and it's a harder, ongoing battle.

Second, identity you hand over yourself. If you log into the same account on two sites, or a data broker links your activity through an email address or phone number you provided, no browser mechanism can unwind that. Partitioning governs what the browser shares automatically; it can't govern what you disclose. See our piece on real-time bidding for how identity leaks through the ad supply chain regardless of cookie state.

Partitioning quietly fixed the structural defect — shared cross-site state — that made passive tracking effortless. It did not abolish tracking. It raised the cost and forced the industry toward fingerprinting and first-party data, which are noisier and easier to regulate.

What It Means For You

The practical upshot: a modern browser in its default configuration is dramatically more private than one from five years ago, and most of that improvement is invisible. You don't toggle anything; the partitioning happens underneath. For most people, the highest-leverage moves are now elsewhere — using a browser with strong defaults (Firefox, Safari, Brave, or Tor Browser depending on your threat model), and being deliberate about the identifiers you volunteer. Our privacy browsers comparison breaks down the trade-offs.

It also means the tracking industry's center of gravity is shifting: away from cookies the browser can wall off, toward fingerprinting the browser must actively resist and toward first-party and server-to-server data flows that never touch your browser's storage at all. The arms race didn't end — it moved.

Where Haven Fits

State partitioning is the browser doing what we believe every system should: minimizing what gets shared by default and refusing to be a convenient conduit for surveillance. Haven applies the same instinct to communication. We don't load third-party trackers, we don't build advertising profiles, and our business model is subscriptions, not your attention — so we have no incentive to know which sites you visited or who you are beyond the account you chose to create. The web is slowly being re-architected so that privacy is the default instead of a setting you have to find. That's the world we're building for, and the standard we hold ourselves to. If this resonated, our overview of the 2026 privacy stack ties these pieces together.
