Flaw to using non-www domain a canonical?
I love the idea of short, clean urls like example.com over www.example.com, and certainly whichever one is used should redirect to the other. However, as I have researched the matter over time, I've come to the conclusion that using the non-www url as the canonical url is a liability if it ever comes time to host static content on a separate domain without increasing the transfer size with cookies.
Non-www domain shares it's cookies with all subdomains
In other words, if http://example.com is your canonical url, then it will very likely include cookies. Due to the way that cookies get set, those cookies will be shared with all subdomains, like users.example.com, dev.example.com, www.example.com, and most importantly, images.example.com or files.example.com.
Thus, if you want to serve static file content from a separate subdomain, you'll end up bundling cookies from the main site with them, and increasing the transfer size of the http request.
In which case to prevent passing cookies with the static content, you'd need to buy a completely separate url (e.g. examplefiles.com).
www domain keeps it's cookies compartmentalized
Conversely, if you set www.example.com as the canonical url, I believe the cookie only applies to that www. site, and not to any other subdomains. In that case, you save yourself the need to buy and maintain a second url to avoid serving cookies with your static content, you just make sure that files.example.com or images.example.com or the like is configured to -not- serve cookies.
Any mitigating factors?
Is this analysis correct? Doesn't this problem make use of a short, non-www url as your canonical url slightly non-future-proof, in this small, but potentially important-down-the-line way? Are there other mitigating factors that I am missing, like a method to ensure that the cookie is only set for the canonical non-www short url?
I don't really see it as a problem, as cookies aren't that big and the server doesn't have to send them back in the response. So while yes, one or more cookies set by example.com will "balloon" the request to static.example.com, static.example.com doesn't have to send it back in the response, so the server's response is completely unaffected.
Further, if you have content that you know to be static (images, CSS, JS, etc.), you should be setting proper cache control headers, especially an Expires header for some appropriate time in the future (e.g. +1 day, +1 week, +50 years, whatever makes sense for how often your static content changes). With this done, those cookies will only be sent one time, and then future need for those files will be handled by the browser's cache.
If you do still feel like this is too much (I can't really see how it could be, honestly), you can possibly mitigate it by using paths. For example, if your web app only needs cookies at example.com/app, set the cookie-path to be /app, and then requests to static.example.com/images/some-awesome-image.jpg won't send that cookie because the path doesn't match.
You can further mitigate it by reducing the number of cookies you use -- for most purposes, one (and only one) cookie storing a single session ID only adds a few bytes (less than 1KB in every implementation I've seen/used), and gives the server ample information to look up everything it needs to know about that client server-side.
Honestly, if you're worried about short-URL domains making your site non-future-proof because of cookies, then I think you have an architectural problem with too many/too big cookies, and you should re-evaluate your strategy from that point of view.
Yep, your analysis is correct. Of course, you can always drop down a hefty $10/year on a separate domain, and use whatever canonical domain name you want to use.