BenFenner wrote: ↑2025-03-17, 23:19
I have to say from a browser user's point of view this is an extremely confusing take (to put it nicely). From the point of view of a browser user, the browser is working as intended. It is CloudFlare's responsibility to live up to their marketing hype and stop DOS-ing the very real, legitimate, human users of these browsers. It is not the user's nor browser dev's fault you oversold your technical capabilities.
You also have to realize what you're doing is effectively trying to negotiate with browser devs while actively waging a denial-of-service attack against their users. How about you stop the DOS attack first and then come back to the table with negotiations? Show a modicum of empathy?
CloudFlare discussion thread
-
Moonchild
- Project founder

- Posts: 38665
- Joined: 2011-08-28, 17:27
- Location: Sweden
Re: CloudFlare discussion thread
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
andyprough
- Board Warrior

- Posts: 1242
- Joined: 2020-05-31, 04:33
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-17, 19:44
In the interest of moving forward we are open to removing CSP checks for PM as long as you can also come forward and commit to a timeline for implementing the relevant APIs? We would then reintroduce those checks once the agreed timeline has expired.

What if the Pale Moon developers say that it will take 12 months, or 18 months? Is there an inherent short-term time limit? Or are you just wanting to put something on a calendar in order to follow-up at a specific date and not let it get forgotten? If that's the case, then it would seem like a far out enough date could potentially be discussed.
This sounds legit, actually. American corporations have moved much of their in-house legal and HR functions to cloud AI apps that are controlled by clicking through menu options. I think Moonchild may be used to the European way of doing things, where real people still hold a lot of these jobs and probably write specific documents rather than passing around generic boilerplate language.
Also, Moonchild was probably asked to sign because the corporate legal AI cloud app has no other way to deliver a document than by Docusign. I do not view this NDA review language delivery event as surprising given the current business environment.
-
frostknight
- Keeps coming back

- Posts: 828
- Joined: 2022-08-10, 02:25
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-17, 19:44
We are looking at setting up an official browser developer program. We are planning to have a draft soon.

I hope you can get cloudflare to stop blocking random web browsers.
It may be difficult to figure out how to do, but chromium based web browsers aren't all that exists as many here would probably say.
mstremante wrote: ↑2025-03-17, 19:44
We agree with this sentiment. Is there a way to identify both Pale Moon and Basilisk? That is not, as another user noted, just UA based? If not, we shall go with UA only.

I wonder this myself now that you asked this question. I would think there must be a legit way to not DOS palemoon/basilisk-browser and uxp forks.
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!
-
Bilbo47
- Lunatic

- Posts: 372
- Joined: 2017-11-18, 04:24
Re: CloudFlare discussion thread
Maybe call it showing a modicum of partnership, or interoperability, or human-centric service goals, or acknowledgement that no entity can legitimately control access to the web like it seems is trying to happen ...
-
mstremante
- Moongazer

- Posts: 8
- Joined: 2025-03-04, 16:54
Re: CloudFlare discussion thread
We want to move forward in good faith and we genuinely want to find an optimal solution. While we don't have one yet, tomorrow we will deploy our exception code for Pale Moon & Basilisk. This includes an exception for all the aforementioned issues, including the CSP checks. Once rolled out we should be able to verify, assuming no bugs, that the challenge gets executed without error (if not we will address that).
If we see or get reports of abusive behaviour matching the exception logic we may need to revert. If that happens we will notify the community in advance.
We do not plan to keep this exception in place indefinitely, quite the opposite. We would like to remove it as soon as possible to keep our generic approach in place.
We are also:
- Going to launch our browser developer program hopefully before end of month. This community will be invited to join along with others we are in contact with. The aim will be to share our requirements and have a better two-way communication in place. Of course this is always going to be an ongoing balance between reducing unwanted bot traffic to a minimum vs. keeping the false positive rate as low as possible.
- With the understanding that development timelines are always hard to forecast (if only they weren't!), and while we do not have better proposals being considered for now, we are going to trust that this community is able to make progress towards implementing some of the missing features. We are happy to revisit progress at the end of June. We will reassess the status then and take it from there.
-
BenFenner
- Keeps coming back

- Posts: 854
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: CloudFlare discussion thread
Thank you. 🙏
-
Basilisk-Dev
- Astronaut

- Posts: 523
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-18, 20:37
Will update again tomorrow once the exception logic is rolled out.

Thank you for coming to try to help our projects with this issue. I am still skeptical and will not be surprised whatsoever if this happens again, but I do sincerely appreciate the effort here.
-
Pelican
- Lunatic

- Posts: 276
- Joined: 2018-02-23, 06:51
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-18, 20:37
tomorrow we will deploy our exception code for Pale Moon & Basilisk

Hopefully the exemption will be based on more than just checking for Pale Moon or Basilisk in the user-agent because those using user-agent switcher may not include those keywords at all. Also both of those browsers have many forks, all with very different user-agents.
How do you test CSP?
-
Moonchild
- Project founder

- Posts: 38665
- Joined: 2011-08-28, 17:27
- Location: Sweden
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-18, 20:37
tomorrow we will deploy our exception code for Pale Moon & Basilisk. This includes an exception for all the aforementioned issues, including the CSP checks. Once rolled out we should be able to verify, assuming no bugs, that the challenge gets executed without error (if not we will address that).

Thanks. As indicated I hope other browsers that are affected by your recent changes will receive similar short-term treatment while the intended "browser developer program" is being set up.
mstremante wrote: ↑2025-03-18, 20:37
With the understanding that development timelines are always hard to forecast (if only they weren't!), and while we do not have better proposals being considered for now, we are going to trust that this community is able to make progress towards implementing some of the missing features. We are happy to revisit progress at the end of June. We will reassess the status then and take it from there

We're tracking the relevant issues in Issue #2693 (UXP) with the various implementation bugs as dependencies Issue #2704 (UXP) Issue #2705 (UXP) and Issue #2707 (UXP) for the specific implementation requests. This is currently marked for implementation no later than 33.8.0 (start of June); I do request that anyone able to help with these issues get involved to make that happen. The sooner, the better, of course.
-
Basilisk-Dev
- Astronaut

- Posts: 523
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-18, 20:37
We want to move forward in good faith and we genuinely want to find an optimal solution. While we don't have one yet, tomorrow we will deploy our exception code for Pale Moon & Basilisk. This includes an exception for all the aforementioned issues, including the CSP checks. Once rolled out we should be able to verify, assuming no bugs, that the challenge gets executed without error (if not we will address that).

Did your team test this in Basilisk? The checks are verified working in Pale Moon, but they are still broken in Basilisk. If I configure Basilisk to provide a Pale Moon useragent to challenges.cloudflare.com then I am able to bypass the tests in Basilisk.
To reiterate what was already said earlier in the thread in case it was missed, although Basilisk does share the rendering engine with Pale Moon, it does not use the same user agent as Pale Moon.
-
Moonchild
- Project founder

- Posts: 38665
- Joined: 2011-08-28, 17:27
- Location: Sweden
Re: CloudFlare discussion thread
It seems a broader (i.e. not just affecting UXP) issue with the challenges is that it apparently hard-relies on WebGL being available which is simply not the case in all environments. Emulated video, remote desktops, and similar, will not have WebGL available and this should not be a hard fail if it cannot be accessed.
I can also see this being an issue with some privacy-focused browsers that block background use of WebGL outright.
Considering the resistance to rolling back changes made, combined with broad impact on many browsers, and now seemingly having to "work backwards" to try and stitch things up that were not a problem before, I have to ask Michael: "What is going on here? Did your team switch to an (off the shelf?) fingerprinting suite expecting the broad array of legitimate web browsers to give it what it expects from a Chromium PoV, or something?" I'd really like to know what exactly landed on Jan 31st and why it suddenly impacted all of us. This doesn't feel like incremental development on bot detection methodology at all, which I assumed was the case, but the more comes to light, the more it looks like some wholesale adoption of a very limited "package deal" that now needs a ton of workarounds. That doesn't look like it's something sustainable long-term for either CloudFlare or us.
-
andyprough
- Board Warrior

- Posts: 1242
- Joined: 2020-05-31, 04:33
Re: CloudFlare discussion thread
Just checked Mullvad browser, it's getting through Cloudflare verification with webgl disabled. I assume all other Firefox-based browsers must be working with webgl disabled as well.
-
Kris_88
- Board Warrior

- Posts: 1168
- Joined: 2021-01-26, 11:18
Re: CloudFlare discussion thread
I currently have Pale Moon successfully passing Cloudflare's check.
-
Moonchild
- Project founder

- Posts: 38665
- Joined: 2011-08-28, 17:27
- Location: Sweden
Re: CloudFlare discussion thread
andyprough wrote: ↑2025-03-19, 13:51
Just checked Mullvad browser, it's getting through Cloudflare verification with webgl disabled. I assume all other Firefox-based browsers must be working with webgl disabled as well.

Well, with WebGL enabled and hardware acceleration not available, it fails. WebGL won't work fully without HWA. I'm guessing a partial fail is worse than the API not being available overall, then?
-
Basilisk-Dev
- Astronaut

- Posts: 523
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-18, 20:37
We want to move forward in good faith and we genuinely want to find an optimal solution. While we don't have one yet, tomorrow we will deploy our exception code for Pale Moon & Basilisk.

If acting in good faith is the goal, then follow-through is essential. That includes verifying whether the fix actually resolves the issue, either by engaging with our community here on the forum or via email. It also means ensuring your developers test the fix in both Pale Moon and Basilisk, especially when the fix is intended to support both browsers.
As it stands, the fix does not work in Basilisk. If you’re releasing a solution targeting multiple browsers, it’s reasonable to expect that you test it across all targeted environments beforehand.
mstremante wrote: ↑2025-03-18, 20:37
Will update again tomorrow once the exception logic is rolled out.

You did not follow up as promised. This kind of inconsistency reflects poorly on both you and your organization. Clear and timely communication is crucial, especially when you’re asking others to trust in your intentions and efforts.
Last edited by Basilisk-Dev on 2025-03-20, 13:51, edited 1 time in total.
-
back2themoon
- Knows the dark side

- Posts: 3080
- Joined: 2012-08-19, 20:32
Re: CloudFlare discussion thread
Wasn't there a mailing list? Did that ever work in the end? I mean, it certainly sounds like an email is needed here, too.
Improve Pale Moon performance • Safe Mode / clean profile test info
How to auto-fill passwords • How to apply user agent overrides
Information to include when asking for support
Windows 10 Pro x64 (W11: hard pass)
-
Basilisk-Dev
- Astronaut

- Posts: 523
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
Re: CloudFlare discussion thread
back2themoon wrote: ↑2025-03-20, 13:48
Wasn't there a mailing list? Did that ever work in the end? I mean, it certainly sounds like an email is needed here, too.

Yeah I will probably send an email here in a bit as well
-
mstremante
- Moongazer

- Posts: 8
- Joined: 2025-03-04, 16:54
Re: CloudFlare discussion thread
[EDIT: thank you for amending the wording]
I did not reply as we are still investigating why there are some issues with Basilisk over http (https seems to work fine) and have not been able to find the root cause yet. As others have stated in prior responses, development is not always predictable.
If I reply early without full information, I get aggressive responses. If I reply late we get aggressive responses.
I understand the frustration but I want to state clearly: I welcome constructive positive conversation. I will not engage in aggressive / speculative statements. Every speculation around the sentiment and motivations from Cloudflare and the team expressed here is outright incorrect but I'm not going to spend time explaining that. I do ask, however, that we all please keep this conversation clean.
Back to Basilisk: we haven't figured out why in some cases it's breaking yet. If your fix works though, thank you and we welcome it.
Thank you.
-
Basilisk-Dev
- Astronaut

- Posts: 523
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
Re: CloudFlare discussion thread
mstremante wrote: ↑2025-03-20, 13:57
I understand the frustration but I want to state clearly: I welcome constructive positive conversation. I will not engage in aggressive / speculative statements. Every speculation around the sentiment and motivations from Cloudflare and the team expressed here is outright incorrect but I'm not going to spend time explaining that. I do ask, however, that we all please keep this conversation clean.
Back to Basilisk: we haven't figured out why in some cases it's breaking yet. If your fix works though, thank you and we welcome it.
Thank you.

Sounds good, Michael. I want to apologize for the aggressive tone in my previous message before I edited it. I was extremely frustrated when I wrote it.
The frustration in our responses stems from the ongoing challenges our users face with Cloudflare-related issues in our browsers. These incidents have occurred multiple times over the years, and understandably, the community’s patience has worn thin.
That said, we truly appreciate your willingness to engage and offer support. This is the first time someone from Cloudflare has directly acknowledged our situation, and that recognition means a lot to us.
Thank you again.
-
mstremante
- Moongazer

- Posts: 8
- Joined: 2025-03-04, 16:54
Re: CloudFlare discussion thread
All good, this is hard for us too as this whole situation is not our desired outcome.
Could you confirm if you are still experiencing issues with Basilisk at this time? If not, can you please share as many details as you can around what you are observing and on what setup.