What additional information do you get when you click “What’s [sic] this mean?”
phranque
12:02 am on Feb 8, 2018 (gmt 0)
all of those static components (css, js, and images) should be served from the cookie-free subdomain: https://developer.yahoo.com/performance/rules.html#cookie_free
Probably because you've set up cookies on the main domain that are also valid for any subdomains. If you configure a cookie with domain=example.com, it will also be available to *.example.com. So you would either have to change the configuration of those cookies (won't invalidate previously set cookies though), or use a completely separate domain name (e.g. cdn-example.com) instead of a subdomain.
Keep in mind that offloading your static resources to a separate (sub)domain incurs the cost of another DNS lookup, TCP connection and SSL handshake (it looks to be a lot of javascript and css, so your first paint may suffer). Especially if your server supports HTTP/2, the effect of the cookies on the payload of those static resources could actually be lower than that. That's not something a tool like GTmetrix's can tell you.
Also keep in mind that performance guidelines are just suggestions based on a fairly simple analysis of your page. Don't blindly follow them, they could slow you down. Use real user monitoring (RUM), like Site Speed in Analytics, or something like Webpagetest.org to measure results.
It's probably not a WordPress cookie, then. It could be Google Analytics*, but you'll want to be sure, so open the Developer Tools of your web browser and find the request headers of a resource on the "cdn" subdomain in the "Network" tab, then look for the "cookie" header. The values should give you a hint about their origin. There are also several cookie inspector browser add-ons available that you could use instead, if you're not familiar with the Developer Tools. You can also pull those headers from test results at Webpagetest.org.
* Analytics automatically sets its cookie "on the highest level domain it can. For example, if your website address is blog.example.co.uk, analytics.js will set the cookie domain to .example.co.uk." (source [developers.google.com]). You can optionally customize this, but find the culprit first.
