Cloudflare Verification Loop issues

digitalaudiorock
Moon lover
Posts: 89
Joined: 2017-08-16, 14:12

Re: Cloudflare Verification Loop issues

Unread post by digitalaudiorock » 2025-02-07, 12:43

back2themoon wrote:
2025-02-06, 23:22
There's a new topic in the Cloudflare Community. My opinion is that we should refrain from commenting there (to avoid getting flagged again...), leaving it as "clean" as possible and see what happens - if anything happens.

But perhaps it's an opportunity for the Pale Moon developer(s) to voice their opinion there.

(Caution: link below may crash Pale Moon - temporary fix available here)

Disappointed in handling of less-popular browsers
So far it doesn't look like that's going to go too well. Notably there's no response from Cloudflare. Also, the replies are leaning towards "it's up to site owners to configure this". So does Cloudflare make it clear to all their customers (especially new ones) that "if you don't want to block users on non-mainstream browsers"...do whatever? Of course they don't. Even if site owners know this they may not know how to, or may not want to mess with it. The site where I experienced this is like that. The owner's actually very nice, but he just doesn't know how to allow Pale Moon in without totally disabling the browser check....and he's concerned with doing that. Cloudflare needs to fix this...period.

tellu-white
Fanatic
Posts: 184
Joined: 2022-03-08, 22:02

Re: Cloudflare Verification Loop issues

Unread post by tellu-white » 2025-02-07, 14:09

dinosaur wrote:

I tried and understand why their scripts are failing again with Pale Moon, this time (here, I'm using https://janitorai.com/, but any other site with Cloudflare anti-bot measure enabled behaves the same).
https://forum.palemoon.org/viewtopic.php?f=3&t=32045&start=40#p259205

I found a "workaround" in which I get the cookies saved by Firefox after opening https://janitorai.com/
and change the "user agent" in Pale Moon to the one taken from Firefox. To accomplish these steps I made (only for testing) an add-on for Firefox to save cookies to a file on the Desktop ("cookies.txt") plus 2 "Custom Buttons" in Pale Moon, one to change "user agent" to "janitorai.com" and another to read cookies from the "cookies.txt" file and save them in Pale Moon.

Unfortunately, this "workaround" does not work when a page uses Cloudflare every time it is opened, as is the case for https://tinyurl.com

So far I have only tested the https://janitorai.com/ page.


stefan11111
Apollo supporter
Posts: 48
Joined: 2023-08-13, 18:09

Re: Cloudflare Verification Loop issues

Unread post by stefan11111 » 2025-02-07, 14:44

xissuesx wrote:
2025-02-05, 06:15
This one too:
https://greasyfork.org/en/scripts/49506 ... -optimized

i had to reset my ip & del cloudflare cookies & the website in question's cookies too.
@moonchild
Tried using this script.
When trying this script on a website that uses cloudflare, palemoon starts using all memory and segfaults.
With this patch, the high memory usage no longer happens and there is no segfault:


--- a/platform/js/src/vm/StructuredClone.cpp    2025-02-07 15:39:37.526541163 +0200
+++ b/platform/js/src/vm/StructuredClone.cpp    2025-02-07 15:40:43.042213673 +0200
@@ -1079,6 +1079,9 @@
 bool
 JSStructuredCloneWriter::writeBigInt(uint32_t tag, BigInt* bi)
 {
+    if (!bi) {
+        return false;
+    }
     bool signBit = bi->isNegative();
     size_t length = bi->digitLength();
     // The length must fit in 31 bits to leave room for a sign bit.
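Review bot: the added if (!bi) guard at the top of writeBigInt returns false silently, so the write fails with nothing recording that a null BigInt* was the cause. The guard prevents the dereference in bi->isNegative(), but it does not explain how a null pointer reaches this function; the caller that passes it should be identified and fixed as well, otherwise this check only hides the underlying defect. Consider reporting an error before the return false and adding a short comment above the check stating when bi can legitimately be null.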
Is there really no way to implement what cloudflare needs in palemoon so that threads like this no longer happen?

Moonchild
Pale Moon guru
Posts: 37517
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Cloudflare Verification Loop issues

Unread post by Moonchild » 2025-02-07, 15:00

stefan11111 wrote:
2025-02-07, 14:44
Is there really no way to implement what cloudflare needs in palemoon so that threads like this no longer happen?
No, because it's not under our control what they check for, and they regularly change their checks. On top, we don't know exactly what they check for and they won't publish it because then bot writers can use that information to circumvent the CF check. So it is literally solely in their hands to make sure their checks are complete, accurate and do not block legal users of websites, and it is their responsibility to not cause denial of service for web users through way too strict/untested/biased checks.

Also, please update to 33.6.0 published today - it should stop the crashing.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

stefan11111
Apollo supporter
Posts: 48
Joined: 2023-08-13, 18:09

Re: Cloudflare Verification Loop issues

Unread post by stefan11111 » 2025-02-07, 15:22

Moonchild wrote:
2025-02-07, 15:00
stefan11111 wrote:
2025-02-07, 14:44
Is there really no way to implement what cloudflare needs in palemoon so that threads like this no longer happen?
No, because it's not under our control what they check for, and they regularly change their checks. On top, we don't know exactly what they check for and they won't publish it because then bot writers can use that information to circumvent the CF check. So it is literally solely in their hands to make sure their checks are complete, accurate and do not block legal users of websites, and it is their responsibility to not cause denial of service for web users through way too strict/untested/biased checks.

Also, please update to 33.6.0 published today - it should stop the crashing.
According to the console, the reason this doesn't work is 'Error: TypeError: k[l] is undefined'.
Here's a prettified version of the obfuscated cloudflare js: https://0x0.st/8Pea.js
k[l] appears in 2 places.
Can you, or someone else determine why this fails?
I don't know js, so I can't help with that.

Moonchild
Pale Moon guru
Posts: 37517
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Cloudflare Verification Loop issues

Unread post by Moonchild » 2025-02-07, 16:02

stefan11111 wrote:
2025-02-07, 15:22
Can you, or someone else determine why this fails?
No, it's completely obfuscated (on purpose) through multiple abstraction layers. k[l] is apparently supposed to be a previously-defined function, and that's all I can gather, meaning it can be any function they check for from any WebAPI or even custom defined. Good luck trying to reverse-engineer it. It's not something I want to do nor should have to do.

stefan11111
Apollo supporter
Posts: 48
Joined: 2023-08-13, 18:09

Re: Cloudflare Verification Loop issues

Unread post by stefan11111 » 2025-02-07, 16:29

Moonchild wrote:
2025-02-07, 16:02
stefan11111 wrote:
2025-02-07, 15:22
Can you, or someone else determine why this fails?
No, it's completely obfuscated (on purpose) through multiple abstraction layers. k[l] is apparently supposed to be a previously-defined function, and that's all I can gather, meaning it can be any function they check for from any WebAPI or even custom defined. Good luck trying to reverse-engineer it. It's not something I want to do nor should have to do.
And there is also no way to somehow patch out that function pointer array call, or whatever it's called in js?

Moonchild
Pale Moon guru
Posts: 37517
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Cloudflare Verification Loop issues

Unread post by Moonchild » 2025-02-07, 16:44

... it's remote code! We don't control it.

KlarkKentThe3rd
Astronaut
Posts: 581
Joined: 2018-04-20, 20:31

Re: Cloudflare Verification Loop issues

Unread post by KlarkKentThe3rd » 2025-02-07, 17:53

Thanks Cloudflare, for reminding me "a major art website" also uses your services.

back2themoon
Moon Magic practitioner
Posts: 2863
Joined: 2012-08-19, 20:32

Re: Cloudflare Verification Loop issues

Unread post by back2themoon » 2025-02-07, 18:26

tellu-white wrote:
2025-02-07, 14:09
Unfortunately, this "workaround" does not work when a page uses Cloudflare every time it is opened, as is the case for https://tinyurl.com
I think this Cloudflare verification is usually implemented in websites requiring, or at least offering a login. All my problem websites require a login and back when things worked and I was logged in, I don't remember Cloudflare appearing every time I visited.

You can send me privately that extension if you want so I can verify.
Last edited by back2themoon on 2025-02-07, 18:30, edited 1 time in total.

andyprough
Board Warrior
Posts: 1093
Joined: 2020-05-31, 04:33

Re: Cloudflare Verification Loop issues

Unread post by andyprough » 2025-02-07, 18:27

stefan11111 wrote:
2025-02-07, 16:29
And there is also no way to somehow patch out that function pointer array call, or whatever it's called in js?
If Pale Moon could patch in a bypass then so could every bot maker, and Cloudflare would be worthless and would be bankrupted.

Pelican
Lunatic
Posts: 254
Joined: 2018-02-23, 06:51

Re: Cloudflare Verification Loop issues

Unread post by Pelican » 2025-02-07, 21:21

stefan11111 wrote:
2025-02-07, 16:29
somehow patch out that function pointer array call, or whatever it's called in js?
Is this about the "arrow function"... => ?

stefan11111
Apollo supporter
Posts: 48
Joined: 2023-08-13, 18:09

Re: Cloudflare Verification Loop issues

Unread post by stefan11111 » 2025-02-08, 00:12

Pelican wrote:
2025-02-07, 21:21
stefan11111 wrote:
2025-02-07, 16:29
somehow patch out that function pointer array call, or whatever it's called in js?
Is this about the "arrow function"... => ?
In code tags because the forum doesn't display this well:


I was talking about the k[i], which, as I understand from moonchild's explanation, is the js equivalent of extern void (*k[SIZE])(); k[i](); from C.

Sessh
Fanatic
Posts: 206
Joined: 2018-01-11, 18:43

Re: Cloudflare Verification Loop issues

Unread post by Sessh » 2025-02-08, 07:45

Well, at least this issue seems to be getting some traction. They probably will catch a class action eventually.

Just out of curiosity, is there an estimate of how many Pale Moon users there are?

Moonchild
Pale Moon guru
Posts: 37517
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Cloudflare Verification Loop issues

Unread post by Moonchild » 2025-02-08, 08:47

Sessh wrote:
2025-02-08, 07:45
Just out of curiosity, is there an estimate of how many Pale Moon users there are?
A rough guesstimate based on blocklist update requests that are usually not blocked by users and default to one check every 24 hours is at the very least 350,000 active daily users.
(There's a lot wrong with this metric. It's only measured over 1 day, doesn't count less frequent use, doesn't count people having disabled these updates or using local resources for it, etc. It's a minimum, at any rate.)

suzyne
Astronaut
Posts: 681
Joined: 2023-06-28, 22:43
Location: Australia

Re: Cloudflare Verification Loop issues

Unread post by suzyne » 2025-02-08, 09:35

Moonchild wrote:
2025-02-08, 08:47
at the very least 350,000 active daily users
I find that to be an impressive number, and way, way more than I imagined.

Before now, I didn't have any sort of estimate in mind, but had imagined that I was a member of a notably more select group of users. But I am happy to be wrong with my impressions!
Laptop 1: Windows 11 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
Laptop 3: Linux Mint 20.3 64-bit, i5 @ 2.5GHz, 8GB, Intel HD Graphics 620.

digitalaudiorock
Moon lover
Posts: 89
Joined: 2017-08-16, 14:12

Re: Cloudflare Verification Loop issues

Unread post by digitalaudiorock » 2025-02-08, 11:54

The other day I submitted a story on soylentnews.org that just got put up this morning:

https://soylentnews.org/article.pl?sid=25/02/07/044225

So a little more publicity about this one.

Gemmaugr
Fanatic
Posts: 108
Joined: 2025-02-03, 07:55

Re: Cloudflare Verification Loop issues

Unread post by Gemmaugr » 2025-02-08, 13:23

Someone also posted on https://old.reddit.com/r/CloudFlare/com ... n_browser/

The issue is really getting traction in many places, but still no response from CF..

Not only does it affect Pale Moon (& Falkon, SeaMonkey, IceCat, Basilisk), but I've even seen similar CF issues from people using chromium rebuilds like Vivaldi, Opera Air, and Arc. Weirdly not many Firefox rebuilds.

tellu-white
Fanatic
Posts: 184
Joined: 2022-03-08, 22:02

Re: Cloudflare Verification Loop issues

Unread post by tellu-white » 2025-02-08, 14:26

@back2themoon

First of all I should mention that today I had to redo the procedure of copying cookies from Firefox to Pale Moon so I don't know how long cookies are valid. Anyway, after I loaded them again in Pale Moon, I was able to browse the "janitorai.com" website without any problems.

EDIT:

Cookies didn't lose their validity because of the "cookie.expires" parameter. I changed the value of this parameter by adding one year to the value given by "janitorai.com". In addition, I also changed the setting "cookie.isSession = true" and made it "cookie.isSession = false" in the only cookie that had this setting ("cookie.name = janitorai"). In this cookie I also added the time corresponding to the "cookie.expires" parameter (one year from now).

***
back2themoon wrote:
You can send me privately that extension if you want so I can verify.
https://forum.palemoon.org/viewtopic.php?f=3&t=32045&start=140#p259441

It's not that simple. As I said in my previous comment, I only made tests, so I didn't make a single add-on for Pale Moon, instead I made an add-on for Firefox, a bookmarklet also for Firefox and 2 "Custom Buttons" for Pale Moon (for which you need the "Custom Buttons 0.0.5.8.9-fixed8" add-on). In addition, in order to run the add-on in Firefox, I had to add 2 more files in "Firefox Portable": config-prefs.js and userChrome.js

The codes in the "userChrome.js" file and in the "Custom Button" named "Get Cookies Saved by Firefox + Set in Pale Moon Cookies Saved by Firefox.js" need to be modified so that they contain the path to the folder (on the Desktop) where the "cookies.txt" file is located - where cookies will be saved. If you are using Linux and not Windows, you need to change the path syntax both in the "userChrome.js" file (for Firefox) and in the "Custom Button" named "Get Cookies Saved by Firefox + Set in Pale Moon Cookies Saved by Firefox.js" (for Pale Moon).

I used an older version of Firefox (the latest 32-bit version available) so I was able to use "Manifest V2" in the add-on. I don't know if the latest version of Firefox doesn't require using "Manifest V3" exclusively, in which case the Firefox add-on needs to be modified.

Download will be done without displaying the "Save As" window.
The "cookies.txt" file will be rewritten at each Download, without warning.
To get this behavior, I selected "Save files to" instead of "Always ask you where to save files" and created the folder "...\Downloads_Firefox_&_GoogleChrome" which I specified in the "Save files" setting.

Additionally, I chose the "conflictAction: overwrite" option (in add-on's code) so that I can read from "Pale Moon" the content of the "cookies.txt" file. Without the "conflictAction: overwrite" option, Firefox will give a different name to the "cookies.txt" file at each Download, for example: "cookies(1).txt", "cookies(2).txt", etc.
***

NOTE: I didn't make an add-on, I only did tests because none of the websites I visit every day use Cloudflare, so (for now) I don't need such an add-on.
Last edited by tellu-white on 2025-02-08, 15:53, edited 1 time in total.

flamelord
Moonbather
Posts: 51
Joined: 2025-01-31, 03:03

Re: Cloudflare Verification Loop issues

Unread post by flamelord » 2025-02-08, 14:45

Gemmaugr wrote:
2025-02-08, 13:23
Someone also posted on https://old.reddit.com/r/CloudFlare/com ... n_browser/

The issue is really getting traction in many places, but still no response from CF..
Clearly not. That reddit post was immediately voted down by the clown posse shills hired by Cloudflare.
It's useless to make a thread on Cloudflare subreddit. You should call them out on a neutral venue.