Use a CDN that doesn't use cookies #2986

Closed
ghost opened this Issue Feb 13, 2019 · 2 comments

ghost commented Feb 13, 2019

My cookie disclaimer states my site does not use cookies.

#1880 added CloudFlare

Cloudflare plants __cfuid cookie on sites using shields now and all users without a cookie disclaimer are at risk of violating GDPR.

ghost referenced this issue Feb 13, 2019

Badge request: Cloudflare #2714 (Open)

guitmz pushed a commit to guitmz/after-dark-green that referenced this issue Feb 13, 2019

Josh Habdas
docs(help/home): remove download badge
shields started planting cookies via cloudflare

badges/shields#2986

paulmelnikow commented Feb 13, 2019

Hi! We take our obligations seriously and do not want to put our developers at risk. Thanks for opening this.

img.shields.io (the badge server) added Cloudflare as an SSL gateway in May 2015 (#459) and that cookie has been part of every request since then. Previously Cloudflare had also sat in front of shields.io (the website), but that is no longer the case (#608 (comment)).

Since #1880 we have configured Cloudflare to provide downstream caching as well. It carries about 40% of the production traffic. (The cookie behavior did not change when that was turned on, only the caching behavior.)

The cfduid cookie is necessary for Cloudflare's security features. It protects Shields servers from DOS attacks. Removing the CDN would likely cause occasional downtime and hinder our ability to serve our users.

My understanding is that GDPR does not require consent for cookies which are strictly necessary for the delivery of a service requested by the user. See this thread on the Cloudflare forum for a bit of response from Cloudflare support. I'm open to getting a professional legal opinion on that.

As Cloudflare provides no way of turning this off, I'm open to exploring alternate technical solutions. It would be helpful to know about other CDN providers, and whether or not they have tracking cookies which can be turned off.

Also, there's a workaround if this is something you can't live with. While Shields is not able to provide a CDN-free endpoint, it's easy to self-host your own Shields server if you want to. The server has some modest anti-abuse detection built in, and it doesn't depend on cookies. The server doesn't set or read any cookies.

ghost commented Feb 14, 2019

Thanks for the detailed response. I was afraid you were going to link to that post on their forums. It's very unauthoritative and comments were closed after someone linked to a somewhat authoritative-looking EU doc from 2002. A likely story.

Anyway, those cookies are still personal identifiers despite any grayness thrown around them and because of that CloudFlare has to stay current with https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0 both in the EU and the US.

If you want to trust them with your users' data please by all means. What could possibly go wrong? In my case I'll look for another solution as my scope is fairly limited and—as I mentioned—my website does not use cookies.

I recommend taking a look at https://ec.europa.eu/justice/smedataprotect/index_en.htm. It's fairly clear those collecting data need to state who's collecting, where it's going, how long it will be stored and to get consent before that data is collected. I doubt most using shields are doing that today.

ghost closed this Feb 14, 2019

guitmz pushed a commit to guitmz/after-dark-green that referenced this issue Mar 12, 2019

Josh Habdas
docs(help/home): remove download badge
shields started planting cookies via cloudflare

badges/shields#2986

This issue was closed.
