From a5c7011b37854a9a4ee50ffd9ed1bb5a29aa4943 Mon Sep 17 00:00:00 2001
From: Miguel de Moura
Date: Mon, 10 May 2021 12:07:27 +0100
Subject: [PATCH] Remove Cloudflare __cfduid cookie exception

This cookie is no longer set for any requests proxied via Cloudflare and thus the exception that was added for it can be removed. Further context from Cloudflare's blog: https://blog.cloudflare.com/deprecating-cfduid-cookie/
---
 httpobs/scanner/analyzer/headers.py | 8 ++------
 httpobs/tests/unittests/test_headers.py | 20 --------------------
 2 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/httpobs/scanner/analyzer/headers.py b/httpobs/scanner/analyzer/headers.py
index db64734c..8a1ab416 100644
--- a/httpobs/scanner/analyzer/headers.py
+++ b/httpobs/scanner/analyzer/headers.py
@@ -4,13 +4,9 @@ from httpobs.scanner.analyzer.utils import is_hpkp_preloaded, is_hsts_preloaded, only_if_worse
-# Ignore the CloudFlare __cfduid tracking cookies. They *are* actually bad, but it is out of a site's
-# control. See https://github.com/mozilla/http-observatory/issues/121 for additional details. Hopefully
-# this will eventually be fixed on CloudFlare's end.
-
-# Also ignore the Heroku sticky session cookie, see:
+# Ignore the Heroku sticky session cookie, see:
 # https://github.com/mozilla/http-observatory/issues/282
-COOKIES_TO_DELETE = ['__cfduid', 'heroku-session-affinity']
+COOKIES_TO_DELETE = ['heroku-session-affinity']
 # CSP settings
 SHORTEST_DIRECTIVE = 'img-src'
diff --git a/httpobs/tests/unittests/test_headers.py b/httpobs/tests/unittests/test_headers.py
index fd52ac8f..56dcee35 100644
--- a/httpobs/tests/unittests/test_headers.py
+++ b/httpobs/tests/unittests/test_headers.py
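Review bot: No test pins the behaviour introduced by `COOKIES_TO_DELETE = ['heroku-session-affinity']` in httpobs/scanner/analyzer/headers.py: a `__cfduid` cookie sent without `Secure` should now be graded like any other cookie, yet the patch only deletes the `__cfduid` fixture from test_headers.py (20 deletions, no additions). A negative case that sets such a cookie and expects the cookie check to fail would keep the name from being re-added to the list unnoticed. The remaining comment could also state the cost of an entry, e.g. `# Names listed here appear to be skipped by the cookie checks, so each entry is a grading blind spot; keep the list minimal.` The code that consumes the list is outside the hunk, so that wording and the exact expected result should be confirmed against the cookies analyzer.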
@@ -354,26 +354,6 @@ def test_secure_with_httponly_sessions(self):
 value='bar')
 self.reqs['session'].cookies.set_cookie(cookie)
- # See: https://github.com/mozilla/http-observatory/issues/121 for the __cfduid insanity
- cookie = Cookie(name='__cfduid',
- comment=None,
- comment_url=None,
- discard=False,
- domain='mozilla.com',
- domain_initial_dot=False,
- domain_specified='mozilla.com',
- expires=None,
- path='/',
- path_specified='/',
- port=443,
- port_specified=443,
- rest={},
- rfc2109=False,
- secure=False,
- version=1,
- value='bar')
- self.reqs['session'].cookies.set_cookie(cookie)
-
 # See: https://github.com/mozilla/http-observatory/issues/282 for the heroku-session-affinity insanity
 cookie = Cookie(name='heroku-session-affinity',
 comment=None,