Papa Jones 2021/09/06 136
Questions and answers for the post "Is Cloudflare injecting tracking code for PDF requests in browsers via the browser PDF plugin?", which has a total of 2 answers so far.
No, this does not look like a security or privacy issue.
It seems your PDF viewer is generating an <embed> element and is adding a non-standard headers attribute. This attribute seems to contain HTTP response headers, so just anything the server of the PDF file sends back. For example, this contains an ETag for caching, and various security-related headers.
Cloudflare provides various features for its customers that involve HTML and HTTP rewriting. For example, it can absolutely inject links if configured that way (e.g. through a Cloudflare Worker). Cloudflare is in a MITM position and can inject arbitrary code and already track all requests. This is an essential aspect of their services.
The report-to header is not used for tracking purposes. It merely provides an optional way for the browser to report problems with the website to the website operator. This can include information about deprecated browser features, Content Security Policy (CSP) violations, or networking problems. See their article Understanding Network Error Logging for an example use case. Since most websites do run a server that can collect and analyze CSP reports, Cloudflare inserts a reporting URL by default. Cloudflare can also use reports about networking and DNS problems to improve stability of their services, thus benefiting their customers.
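To check what such a header block actually asks the browser to do, the following added example (not part of the original answer) parses a set of response headers and lists each Report-To group, the hosts that would receive reports, and whether the NEL policy routes network error reports to it. The sample headers, the reports.example URL, the sample-nel group name and the one-header-per-line layout of the attribute are constructed assumptions.

```javascript
// Constructed sample: response headers, one "name: value" per line, as they
// might appear in the <embed> headers attribute (layout is an assumption).
const SAMPLE_HEADERS = [
  'content-type: application/pdf',
  'etag: "constructed-etag-1"',
  'x-content-type-options: nosniff',
  'report-to: {"endpoints":[{"url":"https://reports.example/submit?s=SAMPLE"}],"group":"sample-nel","max_age":604800}',
  'nel: {"success_fraction":0,"report_to":"sample-nel","max_age":604800}',
].join('\n');

// Split the block into a Map keyed by lower-cased header name.
// Repeated headers are joined with ", " as HTTP allows for list-valued fields.
function parseHeaderBlock(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':'); // first colon ends the name; values may contain more
    if (idx <= 0) continue;        // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + value : value);
  }
  return headers;
}

// JSON.parse that returns a fallback instead of throwing on bad input.
function parseJson(text, fallback) {
  try { return JSON.parse(text); } catch { return fallback; }
}

// Host of a reporting URL, or null if the URL does not parse.
function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

// Report-To is a comma-separated list of JSON objects, so wrap it in [] to parse.
// NEL is one JSON object whose report_to names the group that gets network error reports.
function describeReporting(headers) {
  const groups = parseJson('[' + (headers.get('report-to') || '') + ']', []);
  const nel = parseJson(headers.get('nel') || 'null', null);
  return groups
    .filter((g) => g && Array.isArray(g.endpoints))
    .map((g) => ({
      group: g.group || 'default', // the group name defaults to "default"
      maxAgeSeconds: g.max_age,
      reportHosts: g.endpoints.map((e) => hostOf(e.url)).filter(Boolean),
      receivesNetworkErrors: Boolean(nel && nel.report_to === (g.group || 'default')),
    }));
}
```

Calling describeReporting(parseHeaderBlock(SAMPLE_HEADERS)) returns one entry for the sample-nel group, with reports.example as the only report host.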