Third party cookies as those cookies that a browser sends to a different website that the one we are visiting. This functionality is used and too often abused for marketing purposes and to track users’ Web navigation. Indeed the latest announcements by browser makers indicate that in one year most browsers will not allow anymore any third party cookie.
But there is a nice little trick to run around this restriction. Suppose one is visiting the company.com website. Cookies for the websites in the company.com domain and any subdomain like shop.company.com are not third party, whereas relatively to the company.com domain, cookies for websites in the tracker.com domain are third party. Now the idea is very simple: what if there is a domain tracker.company.com which points to the tracker.com website? Cookies for tracker.company.com are not third party, so they are allowed. And this can be done quite easily with the appropriate DNS configuration. The principal DNS record is an A (for Address) type record which maps a domain name to an IP address. But very common is also the CNAME (Canonical Name) record which maps a domain name to another domain name (that is an alias), like tracker.company.com mapped to tracker.com. So the browser sees tracker.company.com (first party), but the cookie ends up in tracker.com (third party). As simple as that.
Third party cookies are mostly used for advertisement purposes: in practice in the website one puts some code from the advertisement company which displays advertisements, counts views and tracks viewers. With CNAME-cloaked tracking the owner of the website not only has to install the code for displaying the advertisements, but also to insert in the DNS the CNAME record to the advertisement website.
Third party cookies have not disappeared yet, and the competition on CNAME-cloaked tracking has already started: how can browsers and AD-blocker extensions block these disguised third party cookies? And how can advertisement companies can continue to track users’ Web navigation?
PS. A non technical comment: nothing is really for free in life, free resources on Internet must be payed by someone, and a free website is often payed by advertisements. The important point is to find the right balance between price and hidden costs (including our personal information).