I've recently noticed that responses from cdnjs now set a new cookie __cf_bm
scoped to the cloudflare.com domain with a unique ID. Example:
$ curl -I https://cdnjs.cloudflare.com/ajax/libs/foundation/5.4.0/js/foundation.min.js
HTTP/2 200
date: Sat, 19 Jan 2019 09:38:03 GMT
content-type: application/javascript
last-modified: Thu, 17 May 2018 09:19:17 GMT
etag: W/"5afd4915-17390"
expires: Thu, 09 Jan 2020 09:38:03 GMT
cache-control: public, max-age=30672000
access-control-allow-origin: *
served-in-seconds: 0.003
cf-cache-status: HIT
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __cf_bm=d4d78115f0f7d8792ee8bc81eaa0d9d8ac53c7b6-1547890683-1800-AdG1F7p0NBKZSgidt1ROWNSEkcnyhxoM8+etVron0Qn8bvfEFIE0+rgY2WxZQalhsEiDA9mm/DDhZeZ+mkoyMMQ=; path=/; expires=Sat, 19-Jan-19 10:08:03 GMT; domain=.cloudflare.com; HttpOnly
server: cloudflare
cf-ray: 49b853869f325978-VIE
What is this cookie used for and is there a way to turn it off?
@terinjokes / @simon-says?
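A small audit helper, added here as an example and not part of the issue or of cdnjs, that parses the headers of a CDN response like the one above and reports each Set-Cookie it finds with its effective scope; the sample headers are constructed from the curl output with the opaque cookie value replaced by a placeholder, and `audit_live` is an assumed convenience wrapper for re-checking a URL later.

```python
# Added example (not from the cdnjs issue): audit a CDN response's headers for
# Set-Cookie and report each cookie's scope, the point raised in the thread.
from typing import List
from dataclasses import dataclass
from urllib.parse import urlparse
import urllib.request

# Constructed sample: the headers from the curl output in the issue, with the
# opaque cookie value replaced by a placeholder.
SAMPLE_URL = "https://cdnjs.cloudflare.com/ajax/libs/foundation/5.4.0/js/foundation.min.js"
SAMPLE_HEADERS = (
    "HTTP/2 200\n"
    "date: Sat, 19 Jan 2019 09:38:03 GMT\n"
    "content-type: application/javascript\n"
    "cache-control: public, max-age=30672000\n"
    "set-cookie: __cf_bm=VALUE-REDACTED; path=/; "
    "expires=Sat, 19-Jan-19 10:08:03 GMT; domain=.cloudflare.com; HttpOnly\n"
    "server: cloudflare\n"
)

@dataclass
class CookieFinding:
    name: str
    scope: str                # domain the browser will send the cookie to
    broader_than_host: bool   # Domain attribute wider than the host requested
    persistent: bool          # has Expires/Max-Age, so it outlives the session
    http_only: bool
    secure: bool

def parse_set_cookie(value: str, host: str) -> CookieFinding:
    """Split one Set-Cookie value into name plus attributes (RFC 6265 style)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")      # flags such as HttpOnly have no value
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".") or host
    return CookieFinding(name=name, scope=domain, broader_than_host=(domain != host),
                         persistent=("expires" in attrs or "max-age" in attrs),
                         http_only=("httponly" in attrs), secure=("secure" in attrs))

def audit(url: str, raw_headers: str) -> List[CookieFinding]:
    """Audit a raw header block (status line first) as captured by curl -I."""
    host = urlparse(url).hostname or ""
    values = [v.strip() for line in raw_headers.splitlines()[1:]
              for k, sep, v in [line.partition(":")] if sep and k.strip().lower() == "set-cookie"]
    return [parse_set_cookie(v, host) for v in values]

def audit_live(url: str) -> List[CookieFinding]:
    """Assumed helper: same audit against a live HEAD request (needs network)."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=10) as resp:
        host = urlparse(url).hostname or ""
        return [parse_set_cookie(v, host) for v in (resp.headers.get_all("Set-Cookie") or [])]
```

Running `audit_live` against the same URL after a fix should return an empty list, which is the check behind "I no longer see the cookie in the responses".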
Just to be clear, this is affecting GDPR compliance so we'd need a way to turn it off or we'll have to move off of cdnjs.
@akoeplinger Hi there,
Having looked into this and spoken to the Cloudflare community, it appears to be a cookie used by Cloudflare to track client support for a compression method on the resources. As this is a Cloudflare set and controlled cookie, I suggest taking this up directly with them should it continue to be an issue for you.
@MattIPv4 thanks, I saw your post in https://community.cloudflare.com/t/cf-bm-cookie/56696.
I don't think I can contact Cloudflare about this since I'm not their customer - cdnjs is 😄
Btw. the cookie isn't listed in their cookie policy (https://www.cloudflare.com/cookie-policy)...
@akoeplinger That is certainly interesting that it isn't listed in their cookie policy. I do agree with what one user said on the CF forum reply in that I don't believe this should be a GDPR issue as the cookie is only technical data relating to the file. I will await further response from CF staff here or on the forum but will follow it up with support directly should I not get a response.
@akoeplinger Just to keep you in the loop, we've just received the first reply via our support ticket as follows: This cookie is related to Bot Management and we've actually escalated this to our engineering teams to review.
I will continue to keep you updated as soon as we are :)
It looks like this was fixed, I no longer see the cookie in the responses 👍
@akoeplinger May I ask how you load resources from cdnjs in a GDPR-compliant way? I couldn't find any description of what data cdnjs collects so I wouldn't know how to inform EU website users about how their data is processed. Does cdnjs store IP addresses, for how long, anything else, like user agent strings, etc.?
@ErinPo you can check Cloudflare's GDPR page here: https://www.cloudflare.com/gdpr/introduction/
@akoeplinger thanks
@akoeplinger I knew this page, but it doesn't have the info. I am talking about just loading resources like popular JavaScript libraries from cdnjs, not about pointing my websites' DNS to Cloudflare and paying for their security and DDoS services and the DPA which needs to be signed for that. Do you know of any such info?
@ErinPo same thing, cdnjs.cloudflare.com is directly hosted by Cloudflare.
@PeterDaveHello I am aware of that, but I am not sure they are collecting the same data when I serve files from their public repository as when I am serving my entire website through their CDN. On the face of it, it seems more likely that there would be differences since these are very different scenarios.
CDNJS itself should have an explanation of legal implications of using the service, but it doesn't.
@ErinPo the page applies to all of the services cloudflare offers, otherwise they'd need to make specific statements about individual services.
CDNJS itself should have an explanation of legal implications of using the service, but it doesn't.
Yeah, that wouldn't hurt (though I assume it'd just point to Cloudflare).
Ok, fair enough. Let's say I embed some popular script like
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap-grid.css
How would I know if it is only Cloudflare processing IP addresses or whether the makers of Bootstrap also have access to such logs?
You'd need to inspect the code, just like with any other dependency that could have malicious stuff in it ;)
Ok, what about the server side? How do I know no one from the bootstrap team would have some sort of management panel provided by Cloudflare which gives them access to logs or the ability to implement their own server-side logging like regular hosting would?
That'd be a violation of Cloudflare's policy.
Exactly as @akoeplinger has said @ErinPo, cdnjs is hosted directly on Cloudflare, so all their policies and documentation apply to it like any other part of Cloudflare. Only Cloudflare have access to the logs, not even the cdnjs team.
If you have a specific query, please let me know and I will get in touch with them. :)
Ok, good to know, I will see if any other issues come up as I implement. Thanks a lot for all the help already.