__cf_bm cookie


#1

Hey guys,

We’ve just received a question from a user of the cdnjs service, and they’ve noticed a new cookie, __cf_bm, in our response headers for the cloudflare.com domain. This appears to be one that Cloudflare is setting in the CDN response. Does anyone know what it does, so that I can give the user a conclusive answer?

Regards,
Matt.
Community Manager @ cdnjs.com


#2

Cc @ryan


#3

Bentley McIlroy compression algorithm?


#4

Why exactly would it need to be set in a cookie?
The user who reported this on cdnjs is very concerned with GDPR compliance of having this cookie.


#5

Not that I could tell what it is for either, but I could reproduce it with https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js for example. It appears to consist of four values separated by dashes:

  • SHA1 hash
  • Current time as Unix timestamp
  • Some numeric value (couldn't determine what, could be some sort of value in seconds)
  • A base64 encoded value which appears to contain some binary data

No idea how GDPR relevant that is; if it is just technical values it shouldn't be relevant.

However, assuming you are in some form of partnership with Cloudflare, don't you have a dedicated contact over there, @matthew?

Tagging @cloonan @cscharff
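For anyone auditing a response for this cookie, here is an added example (not part of the original thread and not Cloudflare's code) that splits a `Set-Cookie` header and checks the value against the four-field shape observed in post #5. The sample header, its field values and the function names are constructed for illustration; the field layout itself is only that poster's observation, not a documented format.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Constructed sample in the shape post #5 describes; every value here is made up.
SAMPLE_SET_COOKIE = (
    "__cf_bm=" + "ab" * 20 + "-1554076800-1800-QUJDREVGR0hJSktMTU5PUA==; "
    "path=/; expires=Mon, 01-Apr-19 00:30:00 GMT; domain=.cloudflare.com; HttpOnly"
)

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")  # value keeps any '=' padding
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs

def describe_value(value):
    """Validate the four dash-separated fields and summarise what each holds."""
    fields = value.split("-", 3)  # the last field keeps any further '-' characters
    if len(fields) != 4:
        raise ValueError("expected four dash-separated fields")
    digest, issued, number, blob = fields
    if not re.fullmatch(r"[0-9a-f]{40}", digest):
        raise ValueError("first field is not 40 hex characters (SHA-1 length)")
    if not re.fullmatch(r"[0-9]+", issued) or not re.fullmatch(r"[0-9]+", number):
        raise ValueError("second and third fields must be decimal numbers")
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("fourth field is not valid base64") from exc
    issued_utc = datetime.fromtimestamp(int(issued), tz=timezone.utc)
    return {"digest_hex": digest, "issued_utc": issued_utc.isoformat(),
            "number": int(number), "blob_len": len(raw)}

def audit_cookie(header):
    """Collect the facts a cookie audit needs: scope, flags and value layout."""
    name, value, attrs = parse_set_cookie(header)
    report = {"name": name, "domain": attrs.get("domain"),
              "expires": attrs.get("expires"), "http_only": "httponly" in attrs}
    report.update(describe_value(value))
    return report

if __name__ == "__main__":
    for key, val in audit_cookie(SAMPLE_SET_COOKIE).items():
        print(f"{key}: {val}")
```
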


#6

With regards to the GDPR issue, this is only passed on from the user who reported it to us. I too do not exactly understand the relevancy but would like to ensure the user is satisfied.

I have tagged the original CF contact who I believe was originally around much earlier in the history of cdnjs, as well as the more recent contact I have established on the reporting GitHub issue, but neither has replied. I may take this up directly in a support ticket but wanted to check with the community first so as not to waste support time if the community has the answer.


#7

I’d dare to say the community doesn't really know either :slight_smile: - maybe cloonan or cscharff can shed light, but they are Cloudflare anyhow - so I’d probably go for a support ticket at this point.

If you get an answer it would be great if you could post a follow up here.


#8

Yeah, to be honest I will get in touch with support about it. As the reporting user has just highlighted, the cookie isn’t actually even mentioned in the CF cookie policy, which is very odd. Will keep this post updated :slight_smile:


#9

Don’t forget to let us know if you find out.


#10

Absolutely will do :smiley:

#1629398 is the ticket for any staff who see this and wish to involve themselves.


#11

I also made a support ticket (I believe before matthew did) and received this response just now:

Will keep updated.


#12

Yeah I just received an identical response.


#13

Cloudflare have just replied to me with the following: Our engineering team has deployed a fix and removed the __cf_bm cookie from https://cdnjs.cloudflare.com website.

Unfortunately no clarification of what the cookie did at this stage, but at least it has been removed.


#14

I noticed on one of the tickets a reference to bot management, so it may be some scaffolding being placed for later.


#15

Hi Matthew,

Thanks for reaching out to us regarding the __cf_bm cookie. This new cookie is part of Cloudflare’s Bot Management service and helps manage incoming traffic that matches criteria associated with bots. It was not intended for use on cdnjs.cloudflare.com and we are in the process of removing it from those pages. Thank you for spotting it!

We are currently in active development and will have many more announcements as the feature matures. Please follow https://blog.cloudflare.com/ and https://twitter.com/cloudflare for all the latest product updates and announcements.

Thanks again for bringing this to our attention, please let us know if you have any further questions.

Best,

