What does "Cookies used by frames from X" mean in Chrome Dev Tools?

Question

In Chrome Dev Tools > Application under Cookies I see a list of URLs. When I hover over each one, Chrome shows the message "Cookies used by frames from X".

At first, I assumed that frames meant "iframe", i.e. if an iframe was used on this webpage from source X, then any cookie set by visiting that (iframe view of the) site would show up in the dev tools for your inspection. However, I checked to see if there was always a corresponding iframe for each source, and that is not the case.

So my questions in summary are:

1. what does "frame" mean in this context?

2. Why are these cookies almost always empty? For example, I'm looking right now at "Cookies used by frames from https://www.facebook.com", and it's empty.

Answer 1

As mentioned in Chrome DevTools documentation:

When you expand the Cookies category, it displays a list of domains of the main document and those of all loaded frames. Selecting one of these "frame groups" displays all cookies, for all resources, for all frames in that group. There are two consequences of this grouping to be aware of:

• Cookies from different domains may appear in the same frame group.
• The same cookie may appear in several frame groups.

Here is a more explicit explanation from Mozilla Storage Inspector documentation (although it isn't Chrome, the concept is similar):

Cookies — All the cookies created by the page or any iframes inside of the page. Cookies created as a part of response of network calls are also listed, but only for calls that happened while the tool is open.

So, basically, you will see the main document's domain and all its iframes.

About the "empty" frames with no corresponding frame

It is interesting. It is related to the Preload pages for faster browsing and searching example or Page Prefetch or prerendering feature that Chrome has.

This feature is under Chrome settings > Privacy and Security > Cookies and site data.

What this feature does is prefetch links on the page that you are probably gonna click. This allows the page to load a bit faster when accessing it.

If you dig in their docs you will find this:

Prerendered requests will use a ChromeURLRequestContext which has a new CookieStore interface, but is otherwise the same as the current profile’s ChromeURLRequestContext. If the PrerenderContents are discarded without being used, the changes made to the CookieStore interface go away. Otherwise, the deltas will be committed to the main CookieStore for the profile. If there is a merge problem, the prerendered page is discarded and a fresh request is issued.

This means that for the prerendered requests using a different CookieStore - this is the reason that it's empty on your main profile DevTools. It stores the cookies in a different store and merges them to the main store after you actually click on the link.