Where does the "_sm_byp" query parameter come from?

If one search for "_sm_byp" in any search engine, quotes included, countless of unrelated URLs are returned, and they all features this query parameter:



I have been unable to trace its origin. Anybody has an idea where it comes from?

 

Maybe this means something? <http://stackoverflow.com/questions/14696073/visitor-using-url-that-doesnt-exist>

 

Actually this is because of this entry that I started trying to figure out what is this parameter. Somebody had answered it was my extension adding this parameter, which of course is nonsense (anybody can verify this, and anyways, my extension was released first last september 2013 and the question dates back february 2013). I asked on HN, and still no specific answer: https://news.ycombinator.com/item?id=7594477, aside that it appears to involve Google.

 

http://curl.haxx.se/mail/archive-2012-07/0031.html

 

So it's creating a third-party cookie for the referring site?

 

You'd have to elaborate on that before I could be sure we're on the same page. FWIW, I found all three messages in that thread helpful in terms of getting a picture, and that picture seemed consistent with https://serverfault.com/questions/417367/how-can-i-make-squid-provide-authentication-credentials-to-zscaler. Wish I had such a setup to play with. I'd like to see a bit more [recent], including what comes out the other side of the proxies. Wouldn't want to be a user though

Colon? In a filename?!

 

@TheWindBringeth

I'm glad that you're getting a picture about "_sm_byp" Me, I'm still confused

Who is adding that tag, do you think? Is it Google? What does it accomplish for them and/or their associates/clients? And what does it do on users' computers?

Thanks

 

Probably http://www.zscaler.com/. Look at these headers: http://code.google.com/p/chromium/issues/attachmentText?id=159168&aid=1591680000000&name=HTTP Header Problem nytimes - 31-10-12 - 1637.txt&token=oBwzT5azgnNOXuP5M8sYZygIzzI:1397878456216

 

@Sadeghi85

Thanks

OK, there's this company Zscaler and their "cloud solutions". But what are they doing that generates so many URLs with these tags?

 

From @TheWindBringeth post #6 serverfault link:

They do some kind of authentication with _sm_au_X in url which then will set a cookie. "_sm_byp" in url, probably bypasses that procedure.

Kind of like Google's mod_pagespeed for Apache and "?Modpagespeed=noscript" bypass in url.

 

In that example I linked to, you can see gateway.zscaler.net adding ?_sm_byp=XXXX to the original URL to form a 307 redirect with Location: http://www.addictinggames.com/?_sm_byp=XXXX. The connection with gateway.zscaler.net was HTTPS and tunneled through the local 10.70.0.10 proxy at the time that redirection response was returned to the curl client.

The curl client then issued a request for http://www.addictinggames.com/?_sm_byp=XXXX which the local proxy processed without redirects. Looks to me as though it passed the request on (with or without the ?_sm_byp=XXXX we can't know) to the intended destination.

Assuming logging was enabled in the local proxy, URLs that were processed in that way would be easily identified and could trigger an alert. The local proxy could, if so configured, easily block URLs processed in that way too.

 

OK, let's see if I get it.

There's a client browser behind a web filter handled by Zscaler. It wants http://www.addictinggames.com/. The web filter decides that the URL is OK, and redirects, with "?_sm_byp=XXXX" added to the URL. Subsequently, said browser can access the modified URL without triggering the web filter.

Is that correct?

Is there a cookie involved? If so, where does it get created? In the client browser, or in the web filter?