How CNAME cloaking mitigation is eliminating Safari´s ITP workarounds.
Since the announcement of ITP 2.2, data-driven marketers and analysts have seen their options shrinking. After localStorage, CNAME cloaking has been a popular solution implemented by many organizations, but with the latest update of ITP 2.3 (CNAME cloaking mitigation), it will be a dead-end again.
On 12 November 2020, Webkit announced a new update of ITP 2.3 that caps the lifetime of cookies set in CNAME-cloaked HTTP responses to 7 days – it is an attempt of CNAME cloaking mitigation. Indeed, Webkit noticed that cross-site trackers have been disguising their cookies as first-party cookies by using domain aliases and so, decided to set an expiry.
How does CNAME cloaking mitigation work?
First, we need to understand the difference between first-party and third-party cookies. Normally, first-party of a website is defined by the domain of the website. Hence, cookies set under that specific website domain are considered first-party cookies. Conversely, cookies set from domains other than that are third party cookies.
Now, what is CNAME cloaking?
CNAME stands for Canonical Name Record and maps one domain to another domain.
CNAME cloaking workarounds consist of configuring a subdomain of the domain. Underneath the web layer, this subdomain resolves to a third-party domain, which can set its own cookies and bypass the tracking prevention as a pseudo first-party. You can read more about the technical details here.
Put differently, a third-party domain is disguised as part of a first-party domain and it can set pseudo first-party cookies. This happens in the server-side as part of the HTTP response.
Consider an example:
A website has domain example.com and sets cookies. These cookies are first-party. Example.com can also set subdomains such as sub.example.com. These will still be considered first-party.
What CNAME does is to ‘link’ the subdomain sub.example.com to a third-party domain such as tracker.com. In this way, tracker.com can set its cookies and disguise them as first-party cookies through the subdomain.
Under the latest enhancement, Safari ITP 2.3 will (1) detect third-party CNAME requests by verifying if the subdomain connects with a third-party domain and (2) limit such cookies to 7 days.
ITP 2.3 will check on the following:
are cookies set with HTTP response headers in a subdomain? -> If so, does this subdomain map to a cross-side origin using CNAME alias?
If both conditions are satisfied, ITP 2.3 will flag a CNAME cloaking.
What does CNAME cloaking mitigation mean for marketers?
The update about CNAME cloaking mitigation represents a hot topic because it shuts down one of the main workarounds to ITP 2.1 and 2.2. Now, many organizations and marketers find themselves back to square one.
- “Which campaigns did the customer see?”
- “How long is the average customer journey?”
- “How many and which touchpoints does the customer journey hold?”
These are some of the questions that will be hard to answer. Indeed, if ‘old users’ do not visit your website again within 1 week, they will be regarded as ‘new users’. This impacts your marketing because it leads to an unrealistic surge in new users reported, difficulty in attributing conversion and retargeting.
Is there any solution to the ITP 2.3 update?
This is a very new update, and the ad/analytics industry is still unsure about how to tackle it. In the past, marketers had several solutions at hand, but Safari was also quick to neutralize them:
- Bounce tracking (ITP 2.0)
- Link decoration (ITP 2.2)
- localStorage (ITP 2.3)
- CNAME cloaking (Latest ITP 2.3)
Given the increasingly aggressive attitude towards tracking cookies from companies like Apple and Google, many professionals in the field are starting to talk about the “death of cookies” or a “cookieless future”. However, this is untrue.
Safari ITP 2.3 solutions still exist.
Cookie Saver offers one of them. It is an easy to set up and reliable solution based on setting first-party cookies as server-set HTTP cookies without resolving to CNAME cloaking.
The latest ITP 2.3 update is included in Safari 14 on macOS Big Sur, Catalina, and Mojave, iOS 14, and iPadOS 14.