CloudFlare discussion thread

[Gemmaugr]

Yup, seeing the same here on the Turnstile thingie (https://browser-compat.turnstile.workers.dev/). Allowed Cloudflare and Tailwind. Tried 3 times. All "Challenge Failed. Error: 600010". Sent a feedback report.

[Sessh]

I just tried romhacking.net again and I passed it first try no problem. Guess they reverted whatever changes they made?

[Moonchild]

Yup, seeing the same here on the Turnstile thingie (https://browser-compat.turnstile.workers.dev/).

This is expected, they did say they would undo the Pale Moon changes on that particular test page, to be able to give them direct feedback on their development of scripts.

What I don't like to see happen is that on live sites, they also seem to be tinkering causing regressions.

[Gemmaugr]

Yup, seeing the same here on the Turnstile thingie (https://browser-compat.turnstile.workers.dev/).

This is expected, they did say they would undo the Pale Moon changes on that particular test page, to be able to give them direct feedback on their development of scripts.

What I don't like to see happen is that on live sites, they also seem to be tinkering causing regressions.

Ah, ok. Did a few tests on known problem sites from the other thread, and it got really varied results.

1 Pass clear:
https://www.portablefreeware.com/

2 Passes/automatic reloads to clear:
https://drunkenslug.com/login
https://www.feabie.com/Account/LogOn

3 Passes to clear:
https://www.fanfiction.net/s/14066221/1/Endor

1 Very long, and 1 short pass to clear:
https://steamdb.info

[Moonchild]

1 Pass clear:
https://www.portablefreeware.com/

2 Passes/automatic reloads to clear:
https://drunkenslug.com/login
https://www.feabie.com/Account/LogOn

3 Passes to clear:
https://www.fanfiction.net/s/14066221/1/Endor

1 Very long, and 1 short pass to clear:
https://steamdb.info

Yeah this is really not the way to go about this.

We’re in the process of finalizing the format for a new Browser Developer Program.

The whole point of setting up the browser developer program collaboration is so the kind of crapshoot behaviour seen above doesn't happen on live sites...
Michael, can you please weigh in on what is going on and reign in the live-service-betatesting like behaviour we're seeing now?

[CodeLurker]

My $0.02: At first, it seems that detecting the UA string should be good enough. I started reading some of this thread, and thought that you don't want to key off the UA, because there are handy UA spoofers, like UA Control (my fave, in CAA). A lot of PM users wind up using it to try to get sites to serve something better than what they've been serving up to PM users (e.g. "Please upgrade to Chrome/FF/Edge/Safari"). I can say that identifying as FF fixes most broken sites. So what, if they have a spoofer on? I myself default to the real PM User Agent; and just define something else when forced to. If somebody has a different UA defined and the page breaks, it shouldn't take them long to suspect that they need to identify as the right type of browser.

Then again, if CF is trying to support PM (which makes me rather optimistic, actually), then you have the problem of what if a user is trying load a site that is high-handed, and maintains that only 3-4 browsers are allowed to exist in the world? Then he/she is forced to spoof the UA. Consequently that would break PM on any CF site; because there's no better way to detect it.

That then suggests the idea that PM might have a secret back-door. No NDAs, no giving data on tons of API functions. Just a secret function that only CF knows about: a special case, because they in the past have so consistently been breaking SO MANY sites (and making TorBrowser nearly unusable). I'd hope PM could be open-source one day, but I think one or more devs are against it. A secret back-door would prevent being open-source; and making a very small part closed-source would make that part a target.

Maybe the best thing would be to always give its true UA string when getting JS from CF servers, and hard-code that in; but in all other instances (save those actually needing to know if they can do something to support PM), allow UA spoofing. It might aid fingerprinting, tho. It might be an option, to allow giving the true UA string to loads from CF or not - depending on their immediate privacy needs. Maybe a site-based thing in an extension. I know it might be somewhat hard to sell to CF management, but it would give them the true detection they want, without getting into weird corporate secrets stuff. If CF ppl are reaching out, my thought is not to make it hard for them, and take up their time unnecessarily. If they are trying to reform, and be more of a big-tent organization, it seems a good idea to me to encourage that.

[frostknight]

No, it's a regression from what was in place. It means CF is tinkering with it again and causing issues.

I suppose, but I am at least glad they are showing some attempt to try to fix this. I was surprised they were willing to work with you at all.

I thought they were on google's side.

It shouldn't take multiple tries and/or refreshes to pass a captcha like this!

Agreed

The problem is not what you personally do. It is what everyone else does

This does make sense to say, because your concerns are that of the average user. Mine are of mine.

So I see what you mean.

[frostknight]

I'd hope PM could be open-source one day,

Palemoon is open source, with the exception of the branding/trademarks which are proprietary.

To be honest, as much as I detest proprietary, I have almost no problem if its just theming that is proprietary as long as it is easy to remove and is doing nothing shady.

[back2themoon]

Didn't they say they are still ironing things out? I wouldn't take some random, brief breakage as the end of the world but rather a sign that they are indeed working on it.

[Gemmaugr]

Didn't they say they are still ironing things out? I wouldn't take some random, brief breakage as the end of the world but rather a sign that they are indeed working on it.

Looking at it positively, it could well be that.
Although one would think that they'd get more and better feedback if they came here and said that they'd tinker with it, and urge us to try a site of their choosing, and then report back on the attempts. Some measure of back and forth testing at least. Because the turnstile test site they gave us doesn't work at all, and the rest of the sites we've found in the wild have so incredibly varied results now that it doesn't seem to pertain to any sort of logical test at all, but chaos (breakage).

[Moonchild]

Didn't they say they are still ironing things out? I wouldn't take some random, brief breakage as the end of the world but rather a sign that they are indeed working on it.

Possible, but the whole point of organising this and getting this "browser developer program" we're still waiting for was so this kind of breakage isn't necessary, but some people obviously can't leave it be until things are set up. We need communication, not one-sided live experimentation that impacts all of our users.

[andyprough]

so this kind of breakage isn't necessary, but some people obviously can't leave it be until things are set up

The same kind of turnstile failing before passing is what I typically get from cloudflare with a firefox-based browser, been like that for a long time for me. I think it's just a kind of imperfect technology, and if you searched their support forum you would see huge numbers of complaints about the same issue. This is one reason I mainly avoid sites that are using a turnstile or a capcha, the frequency of them failing repeatedly before finally passing users through based on no clear reason.

[back2themoon]

Well, at least these verification tests stop appearing once passed. So, it must be good practice to not clear cookies for websites using them. That's what I do anyway since most of them require logging in.

Of course, Cloudflare shouldn't make the cookie-clearing decision for us.

[Lucio Chiappetti]

it must be good practice to not clear cookies for websites using them. That's what I do anyway since most of them require logging in.

Do you mean not clearing them immediately, or not clearing them at end of session ?
Most likely the sites I frequent are unaffected by CF, but for the rest I have PM's preferences clearing cookies at exit, and I have also Cookies Exterminator which deletes cookies when a tab is closed (I have a handful of sites, like this forum, in CE whitelist).

[back2themoon]

Do you mean not clearing them immediately, or not clearing them at end of session ?

I mean to not clear them at all. Cookies Exterminator does allow that per site (whitelist). I didn't clear them anyway (due to the log in) but it definitively helps with Cloudflare, even though they may also perform additional checks (IP?) since even after having cleared cookies, you might be spared from immediate re-verification.

[sallylee]

Hi Moonchild,

My name is Sally Lee and I am the product manager for Challenges and Turnstile in Application Security at Cloudflare with Michael. I wanted to send you an invitation to the program via email but for some reason the email was blocked and so reaching out to you in this thread.

We’ve heard you and your users’ feedback on the forum, and we’re loosening the entry criteria for the Browser Developer Program. We’ve reflected on why we started this in the first place: to make it easier for browser teams to reach out to us directly without needing to file support tickets or hunt for a point of contact. We want this to be a space where collaboration feels natural, not like jumping through hoops. With that spirit in mind, we’re opening the door to welcome all browser projects. We’d love to work together and make this program something that helps improve not just how we support each other today, but how we build better processes going forward.

Below is the revised program outline:

Overview
- We’ll provide a private community space where participating browser developers can ask questions, receive updates, and engage directly with Cloudflare.
- We’ll share resources and collaborate with the browser teams on ensuring challenges work across various browsers.
- We will provide a testing Turnstile widget that has the full suite of detections that you can test your browser against without causing any issues for your users elsewhere. https://browser-compat.turnstile.workers.dev/

NOTE: This specific Turnstile widget on the testing site has the full detection suites and does not have the exceptions for Pale Moon that was put in place. Turnstile widgets in production still holds the exceptions for Pale Moon.


Entry criteria
- Your browser should have a operational version available.
- You’ll need to sign a one-time Browser Developer Program agreement, which is partly based on our code of conduct agreement and our community forum guidelines.
- If you have ways for us to incorporate your browser into our testing pipeline or somehow ensure that our deployments are not negatively impacting your browser, let’s discuss!


What we’re committing to
- We’ll provide early visibility into major detection changes that may affect browsers.
- We’ll treat accidental breakages of participating browsers as high priority.
- We’ll offer guidance, documentation, and a place to surface issues. We cannot guarantee handling of every eyeball having an issue as they may have unknown extended browser configurations beyond what we can test for. But if there are increased reports of your browser's users, you will have a place to report them to Cloudflare easily so we can efficiently troubleshoot.

Browser Developer Program Agreement
I meant to send the PDF via email but that was blocked. So let me know how you would best like to receive the agreement!

Program Application
Please fill out this quick form to ensure that your team members with the right email addresses have access to the Browser Developer Program in Cloudflare Community. We will create a dedicated space for you and your team in the Community forum and add you and your team members to that group. You and your team members must sign up to the Cloudflare community with the emails you provide to us.

I would like to forward this invitation to the Basilisk team as well. They can just fill out that form and I can send over the agreement after we get their contact emails. If you could pass the message along, I would really appreciate it!

Program Launch Blog Announcement
We are planning on launching a blog post soon to officially announce the program and invite other browsers! We would love to feature your browser as part of the program announcement. Please let me know if you consent to your browser name being featured on the blog post.

We are excited to collaborate with you!

[Moonchild]

Hello Sally, Thanks for reaching out.

I checked the bounce reason for your e-mail and it seems some of the CloudFlare MTA IPv6 addresses are blacklisted (it got flagged by spamhaus) and therefore our MTA refused it. I've updated our DNSBL checking and it should pass from this point forward, but CloudFlare should check for any false positive entries.
In particular, we hit the following error:

Code: Select all

550 mail from 2a00:1450:4864:20::22e refused by the CBL blacklist

You can attach PDF files to posts on the forum as well. I'd appreciate it if you could share the agreement with us. To do this, check under the post text area for the tabs "options" and "attachments", click on "attachments", and add files to the post with the relevant button there. You may also attach files by dragging and dropping them in the message box directly.
Please see earlier in this thread for initial responses to the general description already shared by Michael at the time; those are still valid and would be relevant for you to address as well.

As for using the Pale Moon name: feel free to mention it in your blog.

I'll address the rest of your post at a later point in time, after the Easter holiday.

[BenFenner]

We will create a dedicated space for you and your team in the Community forum

Is that the same CF forum that we are all too familiar with; currently using experimental web features and actively shunning/denying access to users of standards-compliant browsers like Pale Moon?

[Basilisk-Dev]

I would like to forward this invitation to the Basilisk team as well. They can just fill out that form and I can send over the agreement after we get their contact emails. If you could pass the message along, I would really appreciate it!

I have submitted the form for the Basilisk Browser.

Program Launch Blog Announcement
We are planning on launching a blog post soon to officially announce the program and invite other browsers! We would love to feature your browser as part of the program announcement. Please let me know if you consent to your browser name being featured on the blog post.

Feel free to use the Basilisk Browser name and associated images and logos as needed for your announcement.

Thanks!

[Nuck-TH]

Seems like after shutting public outcry, CF is back to business. I have cyclic challenge pages again.