by 9dl 2405 days ago
>Security implications of CNAME Cloaking

>While this is considered bad practice for a website to set cookies as accessible to all subdomains (i.e., *.website.com), many do this.

>In that case, those cookies are automatically sent to the cloaked third-party tracker.

1 comments

So website.com decided to sell out and now the cookies you send to website.com that betrayed your trust are also sent to its chosen third-party tracker?

That is a distinction without difference. The security implication is storing any data with website.com!

Yes, but www.website.com cookies won't be sent. But you'll have to crack open devtools to figure out which one each website is doing.

Yes, the cookies of the website that installed a third-party tracker to spy on you will be sent to the website and the tracker. They could always do that.
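
The scoping distinction discussed in this thread, as an added example that is not part of any comment above: a simplified model of RFC 6265 domain matching showing which cookies a browser attaches to a request for a CNAME-cloaked subdomain. The header values and the `metrics.website.com` hostname are constructed for illustration; Path, Secure, expiry and public-suffix checks are left out.

```javascript
// Simplified RFC 6265 cookie scoping: Domain attribute vs host-only cookies.
// Path, Secure, expiry and public-suffix checks are deliberately left out.

// Parse one Set-Cookie header value as received from `originHost`.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let domain = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    if (key === "domain" && eq !== -1) {
      // A leading dot is ignored (RFC 6265 section 5.2.3).
      domain = attr.slice(eq + 1).trim().replace(/^\./, "").toLowerCase();
    }
  }
  // No Domain attribute: host-only cookie, bound to the exact origin host.
  return domain
    ? { name, domain, hostOnly: false }
    : { name, domain: originHost.toLowerCase(), hostOnly: true };
}

// RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Names of the cookies a browser would attach to a request for `requestHost`.
function cookiesSentTo(requestHost, jar) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .map((c) => c.name);
}

// Constructed sample: headers set by www.website.com.
const jar = [
  "session=abc123; Domain=website.com; Secure; HttpOnly",
  "prefs=dark; Path=/",
  "__Host-csrf=xyz; Path=/; Secure",
].map((h) => parseSetCookie(h, "www.website.com"));

// Hypothetical cloaked subdomain whose CNAME points at a third party.
console.log("metrics.website.com receives:", cookiesSentTo("metrics.website.com", jar));
console.log("www.website.com receives:", cookiesSentTo("www.website.com", jar));
```

Only the cookie set with `Domain=website.com` reaches the cloaked subdomain; the two host-only cookies stay with `www.website.com`, which is what an audit of a site's `Set-Cookie` headers should be checking for.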