Cloudflare inundates website with tracking pixels

I am seeing a problem where Cloudflare inundates my website with tracking pixels. How do I stop this?

My website makes calls of a certain URL format, which are used to communicate with my app. These calls do not need to reach the server so I am using Cloudflare to block them (firewall). That’s fine. However, every time a call is blocked, Cloudflare fills the webpage with tracking pixels. That’s not OK, obviously, as it makes my website look really spammy.

I made a simple test to show that this is caused by Cloudflare’s blocking calls:

  • I made a firewall rule blocking any request with /blocked_by_cloudflare/
  • I made two versions of a very basic webpage, one that makes a call to the blocked URL (in an iframe) and one that doesn’t. They only differ in the one line.
<!DOCTYPE html>
<html>
<head>
      <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
</head>
<body>
    <iframe style = "display:none" src = "{{domain}}/blocked_by_cloudflare/"></iframe>
    <div>
        hello there 
    </div>
</body>
</html>

The version without the blocked call makes no extra requests. The other one makes about 20 requests.

This is the format of some of them:

https://fastly.jsdelivr.net/gh/jimaek/[email protected]/r20.gif?r=21911862
https://vdms-ssl.cedexis-test.com/img/16999/r20-100KB.png?r=6985092
https://stackpath-map3.cedexis-test.com/img/r20.gif?r=92343292

I also tried calling just /blocked_by_cloudflare/ directly in my browser. That one also makes the requests for tracking pixels.

Screenshot from page making iframe blocked request:

Screenshot from direct browser request:
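The comparison described in the post above can be reproduced from two DevTools HAR exports. This is an added example, not part of the original thread: the site name `example.test`, the page names and the function names are assumptions, the sample captures are constructed, and the third-party URLs are the ones quoted in the thread.

```javascript
// Added example (not from the thread): diff two DevTools HAR exports.
// Constructed sample captures in HAR 1.2 shape; example.test is a placeholder site.
const entry = (url, status) => ({ request: { url }, response: { status } });
const harBaseline = { log: { entries: [
  entry("https://example.test/plain.html", 200),
] } };
const harWithBlockedCall = { log: { entries: [
  entry("https://example.test/with-iframe.html", 200),
  entry("https://example.test/blocked_by_cloudflare/", 403),
  entry("https://api.radar.cloudflare.com/beacon.js", 200),
  entry("https://stackpath-map3.cedexis-test.com/img/r20.gif?r=92343292", 200),
  entry("https://vdms-ssl.cedexis-test.com/img/16999/r20-100KB.png?r=6985092", 200),
  entry("about:blank", 200), // no network host: skipped by hostCounts
] } };

// Count requests per hostname, ignoring URLs without a network host.
function hostCounts(har) {
  const counts = new Map();
  for (const e of har.log.entries) {
    let host = "";
    try { host = new URL(e.request.url).hostname; } catch { /* malformed URL */ }
    if (host) counts.set(host, (counts.get(host) || 0) + 1);
  }
  return counts;
}

// A host is first-party if it is the site domain or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Third-party hosts contacted in `testHar` that never appear in `baselineHar`.
function extraThirdPartyHosts(baselineHar, testHar, siteDomain) {
  const baseline = hostCounts(baselineHar);
  return [...hostCounts(testHar)]
    .filter(([host]) => !isFirstParty(host, siteDomain) && !baseline.has(host))
    .map(([host, count]) => ({ host, count }))
    .sort((a, b) => (a.host < b.host ? -1 : 1));
}

// First-party URLs answered with 403, i.e. the requests the firewall rule blocked.
function blockedUrls(har, siteDomain) {
  return har.log.entries
    .filter((e) => e.response.status === 403)
    .map((e) => e.request.url)
    .filter((url) => isFirstParty(new URL(url).hostname, siteDomain));
}

console.log("blocked:", blockedUrls(harWithBlockedCall, "example.test"));
console.table(extraThirdPartyHosts(harBaseline, harWithBlockedCall, "example.test"));
```

With real captures, replace the two constructed objects with the parsed JSON of the HAR files saved from the Network tab for each page version.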

I know @michael replied to this earlier, but you deleted your post which trashed his reply as well.

I accidentally deleted the previous question. @michael answered, “That is Cedexis Radar, which you must have added to your website,” but that is not the case. This question includes the test showing that the tracking is only there when a call is made to the Cloudflare-blocked URL.

Those requests are part of Cedexis Radar, a CDN measurement tool. I have not seen it in relation to Cloudflare previously. Can you share the URL and somebody will take a look?

I just created a firewall rule to try and replicate, and the firewall error page is a nearly empty file of type text/plain, so any embedded JS will not execute, and the Radar tag is a JS tag.

Sent link in private chat. I also noticed that I get the tracking in Chrome and Edge, but not in Firefox. I disabled all extensions in Edge before trying.

I don’t see them because the tests do not fire in certain browsers, and the 403 is different when requested by cURL!

You are correct, the error pages contain a customised version of Cedexis loaded by https://api.radar.cloudflare.com/beacon.js.

Are you seeing the images display in your app? While some are pixels, several are much larger, but none should be visible.

The images don’t appear on the page, but the requests show if someone looks in DevTools, and make the site look spammy. The blocked calls are for communicating between the app webview and native code, but also get called on the regular website. There are other ways of communicating and I suppose I will need to switch, but it would be nice if a call to a blocked Cloudflare call didn’t result in all these extra calls.

A URL that returns a 204 response code would be very efficient. Just use a transform rule to strip all query parameters and set a long cache-control max-age.

I opened a ticket last night, and will update here when I get a response. As it’s the weekend it may be a few days. 2253299

We’re not adding tracking pixels. As part of the Internet measurement project detailed in this blog post (https://blog.cloudflare.com/benchmarking-edge-network-performance/) we are using those URLs to measure the performance of networks around the world to a variety of CDNs. We are doing that exclusively from Cloudflare error pages and using the performance information to optimize our network performance. Once again this is not for tracking.

Thanks for your response. It would be nice if there was a way for me to choose that my website shouldn’t include these extra URLs.