Cloudflare injects JavaScript, unable to find where to disable

EU user here who did a data privacy audit and saw that Cloudflare injects the following scripts:

https://cdnjs.cloudflare.com/ajax/libs/gsap/latest/TweenLite.min.js
https://cdnjs.cloudflare.com/ajax/libs/gsap/latest/TimelineMax.min.js
https://cdnjs.cloudflare.com/ajax/libs/gsap/latest/plugins/CSSPlugin.min.js
https://cdnjs.cloudflare.com/ajax/libs/gsap/latest/easing/EasePack.min.js

In the Cloudflare user area, I can’t find any hint on where to disable these. It seems that “gsap” is a framework for web animations … It doesn’t make any sense to me why Cloudflare would want to inject this into a site.

I would be thankful if anyone has an idea on how to switch these off.

Some more info as I can’t edit the original post.

In DNS > Records, all A- and CNAME-entries are “DNS only”
Security > Bots, Bot Fight Mode is disabled
Security > Settings, Security Level is Medium, Browser Integrity Check is enabled,
Speed > Optimization, only enabled options are: HTTP/2, HTTP/3, HTTP/2 Origin, Brotli, TLS 1.3
Scrape Shield, Server-side Excludes is enabled

Hi there,

Cloudflare helps distribute open source JavaScript libraries under our domain cdnjs for the cdnjs project maintainers; you can read about this here - https://cdnjs.cloudflare.com/

However, these libraries are not used in our products that you can disable, that I’m aware of.

As you have identified, you may have these libraries installed directly on the origin site to help build the site, but from the URL it looks like maybe they are being used by https://gsap.com/ plugins - is this something that is implemented on your origin?

A way you could confirm is browsing to your origin web server directly - to confirm if the resources are still loading?

If you update your local hosts file to point the hostname of your website to the IP address of your web server - https://www.howtogeek.com/27350/beginner-geek-how-to-edit-your-hosts-file/ - you can then open your site going directly to your origin server, taking Cloudflare out of the equation (without disabling Cloudflare for everyone else on your site) - if you still see the resources being loaded, this is confirmation it is not anything on Cloudflare loading these resources.

Hope this helps.

1 Like
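The origin-versus-proxy comparison suggested in the reply above, as an added example that is not part of the original thread: it lists the third-party script URLs in two copies of the same page and reports which ones the origin already serves and which appear only in the proxied copy. The site `www.example.com`, the other `example` hosts, the sample HTML and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def external_scripts(html, site_host):
    """Script URLs whose host differs from the site's own hostname."""
    collector = ScriptCollector()
    collector.feed(html)
    hosts = ((src, urlparse(src).hostname) for src in collector.srcs)
    return {src for src, host in hosts if host and host != site_host}

def attribute_scripts(origin_html, proxied_html, site_host):
    """Split third-party scripts by where they first appear."""
    origin = external_scripts(origin_html, site_host)
    proxied = external_scripts(proxied_html, site_host)
    return {
        "served_by_origin": sorted(origin),
        "added_in_transit": sorted(proxied - origin),
    }

# Constructed sample responses for the hypothetical site www.example.com.
# In practice ORIGIN_HTML is the page fetched with the hostname pinned to the
# origin IP (hosts file entry, or curl --resolve), PROXIED_HTML the normal fetch.
GSAP = "https://cdnjs.cloudflare.com/ajax/libs/gsap/latest/TweenLite.min.js"
ORIGIN_HTML = f"""<html><head>
<script src="/js/app.js"></script>
<script src="https://ads.example.net/loader.js"></script>
<script src="{GSAP}"></script>
</head><body>hello</body></html>"""
PROXIED_SAME = ORIGIN_HTML
PROXIED_EXTRA = ORIGIN_HTML.replace(
    "</head>", '<script src="https://edge.example.org/beacon.js"></script></head>')

if __name__ == "__main__":
    for name, body in (("same", PROXIED_SAME), ("extra", PROXIED_EXTRA)):
        print(name, attribute_scripts(ORIGIN_HTML, body, "www.example.com"))
```

A script that another script adds at runtime never appears in the static HTML, so an empty result here does not rule out a third-party loader; the browser's network panel shows which request initiated each script.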

A. The user was incorrect. B. There are no privacy implications readily apparent in those files. What is the privacy related claim being made?

Those are served from the website’s source code. You’d want to ask your website developer to disable them, though why one would want to based on a misguided privacy complaint isn’t readily apparent.

1 Like

Thank you for pointing me away from Cloudflare.
I found the problem.
The scripts are piggybacks of an advertiser platform that is used on the site. I’ll proceed with contacting them.

@cscharff: In the EU, the data privacy law uses the opt-in methodology, which means that data of users may only be collected if they consent. Each JS file on the site needs to be tested and, if it’s not needed, removed. This is the case for the scripts in question. Although currently they might not collect data, they could in the future. It’s like having a guest at your party that you didn’t invite and don’t know how they’ll behave.

Thank you to you both, this thread may be closed.

Which data do these scripts collect?

Anything could collect data in the future.
