I'm experimenting with more strictly separated browser profiles. Aside from the typical work/personal split for different logins, also a split between "retained" and "ephemeral" storage. Where the retained one is only used for authenticated sessions on trusted websites (only allow cookies from trusted sites), and the ephemeral for everything else (the default "allow all", with a clear-on-exit rule).
I noticed that when saying "Allow" to phabricator, it still reported cookies being blocked. Specifically, these two:
.wmfusercontent.org - Cookies: WMF-Last-Access-Global
phab.wmfusercontent.org - Cookies: WMF-Last-Access
I also noticed that our many non-canonical/redirect domains and TLS redirects also receive these cookies, which made the list of stored cookies significantly larger than expected after a day of browsing.
The Strict-Transport-Security header is already limited to HTTPS only and to canonical domains only (slightly wider than canonical, but at least not all hosts, including foreign host name values). That logic might be reusable to some extent for this.
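To make the suggestion concrete, here is an added example (not Wikimedia's production code; the task does not show how these cookies are actually set) that applies the same canonical-host/HTTPS predicate used for Strict-Transport-Security before emitting WMF-Last-Access and WMF-Last-Access-Global. The canonical host list, the parent-domain map, the cookie value format, the 31-day lifetime, the HSTS policy value and the `redirect.example.org` hostname are all assumptions made for illustration:

```python
"""Gate for the WMF-Last-Access / WMF-Last-Access-Global cookies.

Added example, not Wikimedia's production code. It models the suggestion
in the task: reuse the host/scheme check that already gates
Strict-Transport-Security before emitting the last-access cookies, so
redirect and non-canonical hostnames stop accumulating them. Host lists,
cookie format, lifetime and attributes are assumed.
"""
from datetime import datetime, timedelta, timezone

# Assumed: canonical hosts that should carry HSTS and the last-access cookies.
CANONICAL_HOSTS = {"phab.wmfusercontent.org", "phabricator.wikimedia.org"}

# Assumed: parent domain used for the *-Global cookie's Domain= attribute.
GLOBAL_COOKIE_DOMAINS = {
    "phab.wmfusercontent.org": "wmfusercontent.org",
    "phabricator.wikimedia.org": "wikimedia.org",
}

COOKIE_TTL = timedelta(days=31)  # assumed lifetime
EXAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def is_canonical_https(host, scheme):
    """One predicate shared by the HSTS gate and the cookie gate.

    Matching against a fixed allow-list (not the raw Host header) means a
    foreign or redirect-only hostname never qualifies."""
    return scheme == "https" and host.lower() in CANONICAL_HOSTS


def hsts_header(host, scheme):
    """Existing behaviour described in the task: HSTS on canonical HTTPS only."""
    if not is_canonical_https(host, scheme):
        return None
    return "max-age=31536000; includeSubDomains"  # assumed policy value


def _cookie(name, value, now, domain=None):
    """Build one Set-Cookie value; Secure+HttpOnly since it is only sent over HTTPS."""
    expires = (now + COOKIE_TTL).strftime("%a, %d %b %Y %H:%M:%S GMT")
    attrs = [f"{name}={value}", "Path=/", f"Expires={expires}", "Secure", "HttpOnly"]
    if domain:
        attrs.insert(1, f"Domain={domain}")
    return "; ".join(attrs)


def last_access_cookies(host, scheme, now, request_cookies):
    """Return the Set-Cookie values to emit for this request (possibly none).

    request_cookies is the parsed Cookie header; a cookie already holding
    today's stamp is not rewritten, so a client gets at most one write per day."""
    if not is_canonical_https(host, scheme):
        return []
    stamp = now.strftime("%d-%b-%Y")  # assumed day-granularity value
    out = []
    if request_cookies.get("WMF-Last-Access") != stamp:
        out.append(_cookie("WMF-Last-Access", stamp, now))
    parent = GLOBAL_COOKIE_DOMAINS.get(host.lower())
    if parent and request_cookies.get("WMF-Last-Access-Global") != stamp:
        out.append(_cookie("WMF-Last-Access-Global", stamp, now, domain=parent))
    return out


# Constructed requests: canonical HTTPS, the plain-HTTP redirect hop, a
# hypothetical redirect-only hostname, and a repeat visit with one cookie set.
SAMPLE_REQUESTS = [
    ("phab.wmfusercontent.org", "https", {}),
    ("phab.wmfusercontent.org", "http", {}),
    ("redirect.example.org", "https", {}),  # hypothetical non-canonical host
    ("phab.wmfusercontent.org", "https", {"WMF-Last-Access": "15-Jan-2024"}),
]


def demo(now=EXAMPLE_NOW):
    """Run the gate over SAMPLE_REQUESTS; returns {(host, scheme, index): [...]}."""
    return {
        (host, scheme, i): last_access_cookies(host, scheme, now, cookies)
        for i, (host, scheme, cookies) in enumerate(SAMPLE_REQUESTS)
    }


if __name__ == "__main__":
    for (host, scheme, _), headers in demo().items():
        print(host, scheme, "HSTS" if hsts_header(host, scheme) else "no HSTS")
        for h in headers:
            print("   Set-Cookie:", h)
```

Run as-is, the non-canonical host and the http:// hop produce no Set-Cookie at all, while the canonical HTTPS request produces both cookies on the first visit and only the missing one on a repeat visit; the key point is that the cookie gate and the HSTS gate share one predicate, so they cannot drift apart.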