CloudFlare discussion thread

[Basilisk-Dev]

Could you confirm if you are still experiencing issues with Basilisk at this time? If not, can you please share as many details as you can around what you are observing and on what setup.

I am still experiencing issues with Basilisk, yes. I have verified these issues with both a brand new, clean profile and my normal profile with my preferred add-ons installed.

To replicate the issue do the following:
* Browse to https://drunkenslug.com/
* You will see the "Verifying you are human. This may take a few seconds." Cloudflare verification page.
* The tab basically crashes until the browser asks me to stop the JavaScript that is running on the page.

This is the exact same behavior that was experienced in Pale Moon until the most recent change was made that allowed the checks to pass in Pale Moon.

If I browse to about:config and create a new config string called "general.useragent.override.challenges.cloudflare.com" and set the value to a Pale Moon user agent I am able to pass the check in Basilisk.

This indicates to me that the issue is likely related to user agent sniffing. It seems to be checking for a Pale Moon user agent, but not for a Basilisk user agent.

For reference, here is the Pale Moon useragent I used: Mozilla/5.0 (Macintosh; Intel Mac OS X 15.3; rv:128.0) Gecko/20100101 Goanna/6.7 Firefox/128.0 PaleMoon/33.6.1

Also, here is my Basilisk User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 15.3; rv:128) Gecko/20100101 Goanna/6.7 Firefox/128 Basilisk/20250220

[billmcct]

Not everything is fully working in Pale Moon. Such as:

https://www.betus.com.pa/authentication/login

It wont even show the captcha.

[Drugwash]

Not everything is fully working in Pale Moon. Such as:

https://www.betus.com.pa/authentication/login

It wont even show the captcha.

First of all that site uses a self-signed certificate which Pale Moon flags:

Untrusted_Connection_-_2025-03-20_17.40.15.png

Unfortunately after allowing as exception I got an official notice from my government that I'm not allowed to access that site - so can't confirm your claim. Anyone not in the US please be aware:

forbidden_-_2025-03-20_17.46.25.png

[andyprough]

Not everything is fully working in Pale Moon. Such as:

https://www.betus.com.pa/authentication/login

It wont even show the captcha.

The Cloudflare verification box worked for me in a clean new profile. Is there an extra capcha on that page if you try to log in with credentials?

2025-03-20_10-46.jpg

[biopsin]

A Pale Moon build with disabled npapi, with a default new profile wont pass unfortunatly, not shure if this a site spesific setting or a general issue. viewtopic.php?f=3&t=32045&p=260969#p260969

Edit: Its also a unofficial branding to be clear and might be related to viewtopic.php?f=5&t=31768&p=256676&hili ... ng#p256676

[back2themoon]

https://www.betus.com.pa/authentication/login

It wont even show the captcha.

Works fine here. If it doesn't show, perhaps you are blocking it in some way.

[billmcct]

https://www.betus.com.pa/authentication/login

It wont even show the captcha.

Works fine here. If it doesn't show, perhaps you are blocking it in some way.

I got it figured out. I allowed everything in UBO and the captcha showed up.
I then after logging in I went to CookieKeeper and protected the CF cookies so they wont be deleted.

[frostknight]

All good, this is hard for us too as this whole situation is not our desired outcome.

Could you confirm if you are still experiencing issues with Basilisk at this time? If not, can you please share as many details as you can around what you are observing and on what setup.

In any case, its a nice start that palemoon will at least work now with it. I am sure you will get both working.

[Moonchild]

Pale Moon lacks support for these two functions:

• canvas fillText()

• DomRect.toJSON()

I just looked into canvas fillText() to kick this off, and I'm not sure why the CloudFlare checks think we don't support fillText() for canvas -- we do! In fact this has been part of our engine since the start.

[Kris_88]

I just looked into canvas fillText() to kick this off, and I'm not sure why the CloudFlare checks think we don't support fillText().

Try this document in Pale Moon and MS Edge.
Pale Moon returns nsresult: "0x80004005 (NS_ERROR_FAILURE)

Code: Select all

<html>
<head>
</head>
<body>
<script>
var ifr = document.createElement('iframe');
document.body.appendChild(ifr);
var doc = ifr.contentWindow.document;
var cnv = doc.createElement('canvas');
cnv.width = 100;
cnv.height = 100;
doc.body.appendChild(cnv);
var ctx = cnv.getContext("2d");
try { ctx.fillText('test',1,1); }  catch(e) { alert(e); };
</script>
</body>
</html>

[Kris_88]

Actually, we should wait for the iframe to load. Then it works. But, Cloudflare gets an NS_ERROR_FAILURE and probably doesn't wait for the iframe to load.
Let's see what mstremante says...

Code: Select all

<html>
<head>
</head>
<body>

<script>
var ifr = document.createElement('iframe');
ifr.onload = function() {

  var doc = ifr.contentWindow.document;
  var cnv = doc.createElement('canvas');
  cnv.width = 100;
  cnv.height = 100;
  doc.body.appendChild(cnv);
  var ctx = cnv.getContext("2d");
  try { ctx.fillText('test',1,10); }  catch(e) { alert(e); };
};

document.body.appendChild(ifr);
</script>

</body>
</html>

[gepus]

Off-topic:

Unfortunately after allowing as exception I got an official notice from my government that I'm not allowed to access that site - so can't confirm your claim. Anyone not in the US please be aware:
forbidden_-_2025-03-20_17.46.25.png

No problem accessing the site from abroad (DE). No need for allowing an exception for the cert.
(Your government is kindly protecting you. )

[Moonchild]

Actually, we should wait for the iframe to load. Then it works. But, Cloudflare gets an NS_ERROR_FAILURE and probably doesn't wait for the iframe to load.

Setting up an iframe takes time! Telling the browser to create a new document context and then immediately shoving elements in it assumes it would be a synchronous process; it isn't.
If you don't allow the iframe enough time to be set up, then the canvas context will not yet be valid or cannot yet be created. The context might also not be valid if there is no active display ("display:none" for example will not necessarily create a context to use and/or behave unexpectedly). All of this has to do with the necessary trade-offs for performance in a rendering engine, too. This will be very implementation-dependent.

[Kris_88]

The context might also not be valid if there is no active display ("display:none" for example will not necessarily create a context to use and/or behave unexpectedly).

Oh, yes, they have canvas with "visibility:hidden". Maybe that's the reason. I can't see everything in their code, otherwise it would take a lot of time. But I see the NS_ERROR_FAILURE error, and the canvas is definitely in the about:blank iframe.

EDIT:

No, the problem is probably in waiting for the iframe.
cnv.setAttribute('style', "visibility:hidden;") hides the canvas but does not prevent the example from working if we are waiting for the iframe to load.

[Kris_88]

Okay... let Cloudflare figure it out on its own. I'm done wasting my time on this thankless task...

[Kris_88]

And, yes, to finish with this, from what I saw.

1) window.structuredClone([ BigInt ])
Exception: DataCloneError: The object could not be cloned.
This is a legitimate error, apparently part of their checks.

2) SVGGElement.getBBox()
As far as I remember, there was NS_ERROR_FAILURE here too.
I don't know here. Either something is not implemented in Pale Moon or they are again trying to do something with the element before it is ready...

[Moonchild]

I'm done wasting my time on this thankless task...

It's not your job to do this for them, anyway. Not like you're one of their employees who get paid for this.

[billmcct]

Wonder what this is going to do to PM and other browsers?

https://www.bleepingcomputer.com/news/s ... endpoints/

[Moonchild]

Wonder what this is going to do to PM and other browsers?

Absolutely nothing. This is only relevant for those CF clients using their CF API. Aside from that Pale Moon and other browsers should have no issue using https to the TLS standards used by CF.

[mstremante]

I am still experiencing issues with Basilisk, yes. I have verified these issues with both a brand new, clean profile and my normal profile with my preferred add-ons installed.

Hi Basilisk-Dev, we did test Pale Moon and Basilisk before deploying. We do check the UA, but not just for "Basilisk".

Yours: Mozilla/5.0 (Macintosh; Intel Mac OS X 15.3; rv:128) Gecko/20100101 Goanna/6.7 Firefox/128 Basilisk/20250220
Expected: Mozilla/5.0 (Macintosh; Intel Mac OS X 15.3; rv:115.0) Gecko/20100101 Goanna/6.7 Firefox/115.0 Basilisk/20250220

Build numbers aside, do different builds have different formats? The exact syntax tripping up our logic here currently is "Firefox/128" as opposed to "Firefox/128.0".

We're also spinning up a page with a Turnstile widget which has no special Pale Moon (and similar browsers) exceptions to make testing easier. Will provide more updates as soon as possible.