Start of the issue
On Jan 31st, users reported that, similar to an occurrence in 2022, CloudFlare's captcha/"i'm under attack" mode had started failing and looping instead of passing and letting browser users through. It soon became clear that this time, any UXP browser wasn't the only being denied access to the sites being "protected" by CloudFlare. Even Firefox ESR 115 was affected.
The community was quick to respond, opening a CloudFlare community thread explaining the problem (which is the only communications channel available to end users, see below) and reporting the issue.
Assuming Mozilla applied corporate pressure for Firefox ESR, CloudFlare changed its captcha scripting soon after which, in turn, exposed a crash issue in UXP by triggering a situation that was not initially accounted for in JavaScript and would not normally occur. Despite the crashes, CloudFlare did not respond to reports about it, effectively causing DoS for all UXP browser users. The crash was solved with an accelerated release of Pale Moon 33.6.0.
Shortly after this, CloudFlare made another change which, this time, caused a different kind of denial of service by triggering script hang/out-of-memory issues through what seems to be deliberate behaviour when the script does not pass a collection of Web API checks (since the same behaviour was observed on their "officially supported browsers" as well if the user-agent was spoofed to Pale Moon!). The worst symptoms were mitigated with an out-of-band release of Pale moon 33.6.0.1, which still suffers from the script hang but can recover after the script termination watchdog kicks in.
Limited communication channels available and being ghosted
CloudFlare has extremely limited communication channels available. End users can only post in the self-help "community", webmasters/clients can only get direct communication with CloudFlare by being on one of the higher tier CloudFlare subscriptions, and third party software vendors (like myself) have no direct channel of communication with CloudFlare at all, despite being directly affected by their hold on many of the Internet's services/availability.
Even more so, attempting to contect them through what channels are available resulted in me being ghosted. A request for contact and opening a dialogue for the on-going issues was opened on Feb 13th 2025, nearly 2 weeks ago, with so far 0 response.
Statusnotifications@cloudflare.com wrote:Your request (01388216) has been submitted, and we will be contacting you soon.
Our current status is and remains that any and all websites that are behind a CloudFlare captcha or having activated their "I'm under attack" mode/turnstile pages, are unreachable from Pale Moon and other browsers. The issue in 2022 lasted approximately 2 weeks. This time we're left dead i the water for nearly a month as of the time of writing, with no view on any of this being resolved, no information from CloudFlare, no official statements (other than their short list of commercial browsers listed on their site that they "support"), and a clear and present discrimination against independent, Open Source projects like ours.
Consequentially, our project is currently losing daily active users, and we're being damaged with our traffic-based income being undermined as a result. The longer this lasts, the greater the damage is. Unfortunately my options are limited.
There are grounds for legal action as a last resort, but international anti-trust litigation is difficult and will likely take the better part of a decade to be resolved if I go by the US legal system.