0

I recently decided to comply with the YSlow recommendation that static content is hosted on a cookieless domain.

As I already use the root of my domain (donaldjenkins.com) to host my website—on which Google Analytics sets a few cookies—that meant I had to move the CNAME URL for the CDN serving the static files from cdn.donaldjenkins.com to an entirely separate, dedicated domain. I purchased cdn.dj (yes, it's a real Djibouti domain name), hosted the files on the root (which contains nothing else, other than a robots.txt file) and set a CNAME of e.cdn.dj for the CDN. This setup works, but I was rather surprised to find that YSlow was still flagging the static files for not being cookie-free: here's a screenshot:

Static files still not cookie-free

The cdn.djdomain was new, and was never used for anything other than hosting these static files. Running httpfox on the site shows the _utma and _utmz Google Analytics cookies are being set on the static files listed above—despite their being hosted on an entirely separate, dedicated domain.

Here's my Google Analytics code:

//Google Analytics tracking code
var _gaq=[['_setAccount','UA-5245947-5'],['_trackPageview']];
(function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];
g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
s.parentNode.insertBefore(g,s)}(document,'script'));
// [END] Google Analytics tracking code

I'm not obsessing about this issue—I know it's not really affecting server performance—but I'd like to just understand what is causing it not to go away...

Donald Jenkins
  • 153
  • 1
  • 8
  • I know it's been a couple of years, but I see no cookies on e.cdn.dj domain when I load your main site... can you post a follow -up on how you resolved it? or was it a false positive of some sort? – rmalayter Dec 02 '14 at 22:16

1 Answers1

0

I can't really follow you (sorry this should be a short comment, but serverfault won't let me).

I recently decided to comply with the YSlow recommendation that static content is hosted on a cookieless domain

does YSlow recommend to host static content without cookies? because hosting on a cookieless domain does not make sense to me. the cookies usually get set by whatever js scripts you're running in these static content files. so if you now set a CNAME to your static files (with the google analytics code) ga is just gonna load and set cookies from that domain.

jcfrei
  • 175
  • 1
  • 7
  • Thanks for the comment. Yes they do, see the [link](http://developer.yahoo.com/performance/rules.html#cookie_free) I included in my first sentence. The Google Analytics code is set in the main domain. The static files are called in the main site but hosted in the separate static one. If GA can set cookies via a CNAME that defeats the purpose of separating them... – Donald Jenkins Mar 03 '12 at 11:55
  • ah i realize now exactly how your setup works. three things come to my mind... what happens inside the two .js files on your e.cdn.dj domain? and you could use firebug or the likes to see if the response header from your domain still contains the cookies. and lastly, check the expiration/caching properties of your webserver. he might deliver a cached response which still contains the response header with cookies. – jcfrei Mar 03 '12 at 12:01
  • The only .js that sets cookies is GA, I've checked that in httpfox, which also shows that GA is setting a cookie on each of the static files I'm trying to keep separate. I also deliberately changed names and paths, so that the (old) cached versions would no longer be served. Here's a screenshot of the request and response headers for one of the image files: http://i.via.dj/EiOc to show you what I mean. The cookie is being requested despite the file being a new one... – Donald Jenkins Mar 03 '12 at 12:08
  • hm, and I see you're loading the GA code at the very end of your page and it still manages to set cookies on all requests... really can't think of a reason why GA would or should do this (but it apparently does) – jcfrei Mar 03 '12 at 12:15
  • Yeah, I use the [html5boilerplate version](http://html5boilerplate.com/docs/ga-augments/) of the GA code: it's really cool, loads in the end and still works… Oh well, never mind, I just like to understand things. – Donald Jenkins Mar 03 '12 at 12:26