About CookieCutter

CookieCutter is a testing tool for analyzing how browsers handle third-party cookies and cross-site requests across different request methods.

What does it test?

This tool tests 117+ different ways a website can make cross-site requests, including:

• Navigation - Links, form submissions, redirects, meta refresh
• Fetch/XHR - fetch(), XMLHttpRequest, sendBeacon
• Frames - iframe, frame, object, embed
• Media - img, video, audio, picture
• Scripts - script tags, dynamic imports, modules
• Workers - Service Workers, Shared Workers, Web Workers
• CSS - background-image, @font-face, @import, cursor
• Link elements - preload, prefetch, prerender, stylesheet
• SVG - image, script, use, feImage

What does it measure?

For each request method, CookieCutter captures the complete raw request with all headers as received by the cross-site server. The results table highlights:

• Cookies sent - Which SameSite attributes are included (Default, None, Lax, Strict), along with Secure, __Host-/__Secure- prefixes, and Partitioned (CHIPS) variants
• Sec-Fetch-* - Sec-Fetch metadata
• Authorization - Whether HTTP Basic Auth credentials are sent

Use Cases

• Understanding browser cookie policies and third-party cookie blocking
• Comparing behavior across browsers (Chrome, Firefox, Safari, etc.)
• Analyzing Cookie Access Heuristics and exemptions
• Security research on cross-site request behavior (e.g., for CSRF, XS-Leaks, XSSI, XSS, etc.)

Cross-Site Request Setup

CookieCutter is served from two distinct registrable sites so that requests between them are genuinely cross-site under the (scheme, eTLD+1) boundary used by browsers:

• Primary site: https://cookiecutter.fyi - the top-level page you load in the browser (the initiator).
• Cross-site: https://cookiecutter.site - the third-party target that receives requests and reports back which cookies and headers arrived.

Both domains are served by the same app over HTTPS via Traefik, with subdomains (http., h1., h2., h3.) for testing across HTTP, HTTP/1.1, HTTP/2, and HTTP/3.

How to Use

1. Set Cookies - In the Credentials panel, choose your cookie settings (toggle Secure, Partitioned for CHIPS cookies, Prefix for __Host-/__Secure- names, and pick 1P or 3P (iframe) to set them as first-party or third-party), then press the Set button. Cookies are written on the cross-site domain (https://cookiecutter.site) across every SameSite value so each subsequent request reveals which ones the browser still attaches.
2. Run Tests - Execute all or specific request methods
3. View Results - See which cookies were sent and inspect the full raw request for each method
4. Compare - Add results to the comparison table to compare browsers