
Safari CNAME Cloaking Prevention

Safari has recently released a new Intelligent Tracking Prevention (ITP) feature, “CNAME Cloaking Prevention”. It extends how Safari treats first-party and third-party cookies.

What is a CNAME?

To understand what CNAME cloaking is, we first need to understand what a CNAME is:

A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) that maps one domain name (an alias) to another (the canonical name). https://en.wikipedia.org/wiki/CNAME_record

What is CNAME Cloaking?

CNAME cloaking is, essentially, a particular use of CNAMEs. For example, let’s say we wanted to create a site “crazyfrisbees.com”. Our friend Jack offered to let us host crazyfrisbees.com on his web server “jacksserver.com”. We could work with our domain name provider to set up a CNAME pointing “crazyfrisbees.com” to “jacksserver.com”.

CNAME cloaking is where CNAMEs are used to make the browser think content comes from crazyfrisbees.com, even though it is really being served from “jacksserver.com”.

Most use cases for CNAME cloaking are valid in the eyes of Safari (like the example above). ITP will not limit the duration of cookies generated by “crazyfrisbees.com”, because it sees that all requests to “crazyfrisbees.com” are actually served by “jacksserver.com”.

Where ITP starts limiting cookie duration is when the CNAME cloaking points to a third party.

For example:

  1. We have our “crazyfrisbees.com” site set up with a CNAME to jacksserver.com.
  2. Our friend Fred comes along and says: “Hey, you can use my tracking server to collect audience signals. We can set up a CNAME so track.crazyfrisbees.com points to fredstrackingserver.com”.
  3. You say: “Sweet! Sounds like a good deal, Fred!”
  4. When “crazyfrisbees.com” loads, Safari will look at the DNS CNAMEs and say: “OK, I know crazyfrisbees.com is really jacksserver.com, that's cool”.
  5. When track.crazyfrisbees.com tries to set a cookie on the client, Safari will say: “Hold up, track.crazyfrisbees.com is really fredstrackingserver.com? That's not jacksserver.com, this looks like a third party to me”.
  6. Safari will then treat any cookies set by track.crazyfrisbees.com as third-party cookies.
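To make the steps above concrete, here is an added example (not code from the original post, and not Safari's or WebKit's implementation) that follows a constructed CNAME map the way the post describes Safari doing it: it resolves the first-party site and the subdomain to their canonical names and flags the subdomain as third-party when its canonical name lands on a different registrable domain than the first party's. The CNAME records, the `registrable_domain` helper (a simplified eTLD+1 using the last two labels) and the function names are all assumptions made for this example; a real check would query DNS and use the Public Suffix List.

```python
# Added example: toy CNAME-chain resolver and third-party cloaking check.
# Not the original post's code and not WebKit's implementation.
from typing import Dict, List

# Constructed DNS data for the post's scenario (not real records).
CNAME_MAP: Dict[str, str] = {
    "crazyfrisbees.com": "jacksserver.com",            # first party hosted by Jack
    "www.crazyfrisbees.com": "crazyfrisbees.com",      # chained alias, still Jack
    "track.crazyfrisbees.com": "fredstrackingserver.com",  # Fred's tracker (cloaked)
    "static.crazyfrisbees.com": "cdn.jacksserver.com",  # different host, same site as Jack
}


def resolve_cname_chain(host: str, cname_map: Dict[str, str], max_hops: int = 10) -> List[str]:
    """Follow CNAME records until a name with no CNAME (the canonical name).

    Returns the full chain starting with `host`; the last element is the
    canonical name. Raises ValueError on a loop or an over-long chain.
    """
    chain = [host.rstrip(".").lower()]
    seen = {chain[0]}
    while chain[-1] in cname_map:
        if len(chain) > max_hops:
            raise ValueError(f"CNAME chain for {host} exceeds {max_hops} hops")
        nxt = cname_map[chain[-1]].rstrip(".").lower()
        if nxt in seen:
            raise ValueError(f"CNAME loop detected at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two DNS labels.

    Assumption for this example only. Real code must consult the Public
    Suffix List, otherwise names like example.co.uk are mis-grouped.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_cookie_origin(sub_host: str, first_party: str, cname_map: Dict[str, str]) -> dict:
    """Decide whether cookies set by `sub_host` look first- or third-party.

    Mirrors the post's description: the subdomain's canonical name is
    compared with the first party's canonical name. A subdomain whose name
    sits under the first-party site but whose canonical name lives on a
    different registrable domain (and not on the site's own domain) is
    treated as CNAME-cloaked third-party content.
    """
    sub_chain = resolve_cname_chain(sub_host, cname_map)
    fp_chain = resolve_cname_chain(first_party, cname_map)

    looks_first_party = registrable_domain(sub_host) == registrable_domain(first_party)
    allowed_targets = {registrable_domain(first_party), registrable_domain(fp_chain[-1])}
    canonical_domain = registrable_domain(sub_chain[-1])

    cloaked = looks_first_party and canonical_domain not in allowed_targets
    return {
        "host": sub_host,
        "canonical_name": sub_chain[-1],
        "first_party_canonical": fp_chain[-1],
        "third_party_cloaked": cloaked,
        "treat_cookies_as": "third-party" if cloaked else "first-party",
    }


if __name__ == "__main__":
    for host in ("www.crazyfrisbees.com", "static.crazyfrisbees.com", "track.crazyfrisbees.com"):
        result = classify_cookie_origin(host, "crazyfrisbees.com", CNAME_MAP)
        print(f"{host:28} -> {result['canonical_name']:24} cookies: {result['treat_cookies_as']}")
```

Run as a script it prints one line per subdomain; only `track.crazyfrisbees.com` ends up on fredstrackingserver.com and is reported as third-party, matching step 5 of the walkthrough. The loop and hop-count guards matter in practice because a misconfigured or hostile zone can chain CNAMEs indefinitely and a naive resolver would never terminate.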

Further information on CNAME tracking can be found in Safari's blog post.