I have submitted a ticket with Cloudflare about this.
Cloudflare Verification Loop issues
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
-
- Fanatic
- Posts: 115
- Joined: 2018-08-22, 22:46
Re: Cloudflare Verification Loop issues
From tinyURL this morning
-
- Newbie
- Posts: 6
- Joined: 2023-08-09, 21:30
- Location: Deep in the woods
Re: Cloudflare Verification Loop issues
Re litigation.
Personally I loathe the EU, but given that "Moonbase" is in an EU country I suggest an approach to the EU's Directorate General for Competition (DG Comp) might be worthwhile. DG Comp can be approached directly or via a national competition authority.
To me, it would appear CF actions are in breach of the EU Competition legislation (Treaty on the Functioning of the EU / TFUE), articles 101-106, particularly articles 101 & 102.
https://competition-policy.ec.europa.eu ... rticles_en
CF seem guilty of abuse of their dominant market position, and to be using exclusionary & exploitative tactics. And if they are in cahoots, in any shape or form, with Google to hurt or kill competition to Google's software, then both CF & Google are guilty of prohibited anti-competitive practices.
And yes, using EU Competition legislation can take years and years to reach resolution, however, given CF have a considerable presence in EU markets I would suggest coming to the attention of the EU's Competition Directorate is a headache they would wish to avoid. As rational actors I suspect they'd rather keep their heads down and not have to face the questions and probes that would ensue if the DG Comp started to take a look.
-
- Pale Moon guru
- Posts: 37644
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Cloudflare Verification Loop issues
It's another avenue to consider for sure. Specifically 101(d) and 102(c) seem to be directly applicable here. CloudFlare's offering of "website security" is unequally applied to Chrome/Firefox/Edge/etc. and Pale Moon/Falkon/SeaMonkey/etc.
I'll think it over, and if anyone else feels like taking this up to the EU Directorate as well, please get in touch to coordinate efforts. Several small voices are easily ignored; a choir is not.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Fanatic
- Posts: 132
- Joined: 2025-02-03, 07:55
Re: Cloudflare Verification Loop issues
Enobarbous wrote: ↑2025-03-03, 12:21
This is not the only reason, but CF really doesn't like something about how PM works with CSP.

It seems many many people, with many different browsers, have this issue: https://community.cloudflare.com/t/turn ... /772672/11 (that site now apparently requires JavaScript AND CF Turnstile, so another browser is needed to view)
https://dash.cloudflare.com/login
What is the error message?
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: “script-src ‘nonce-’ ‘unsafe-eval’”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-…’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.
What is the issue you’re encountering
Is it even possible to implement Turnstile without all of these errors?
What steps have you taken to resolve the issue?
I have tried, while implementing this on my side, every possible permutation of Content Security Policy, however nothing works. Started trying to find a working example only to realise that everyone has the same issue including cloudflare’s own site?!
-
- Pale Moon guru
- Posts: 37644
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Cloudflare Verification Loop issues
Enobarbous wrote: ↑2025-03-03, 12:21
Could it be that the eval() handling rules have been updated and/or some chrome behavior has been promoted back to standard?

This should be clear, right? You can't use a javascript:{code here} URL if not allowing inline execution of scripting via CSP.
javascript: is a navigation request as well as a script request, and the spec says:

webappsec-csp 4.2.4 sub 3.1.1.2 wrote:
If directive’s inline check returns "Allowed" when executed upon null, "navigation" and navigation request’s current URL, skip to the next directive.

So it needs to be allowed for the global context, navigation requests and the current page context, or it should error. Because of the inherent danger of the javascript: protocol, this very strict check makes sense.
It wouldn't surprise me if Chrome doesn't adhere to this (I can imagine some tracking/ad scripting wanting to use this bypass, for example). Of course I'd be reluctant to deliberately weaken our CSP support just to satisfy CF's check -- and who knows it may then fail because we're "too lenient" in the future...
CSP is and always has been very tricky to get right, and has always been very implementation-dependent (because "major" browsers kept making exceptions to rules).
Once again though, this kind of deeply technical thing requires us to have a dialogue with the CF bot detection people so we can know what exactly they are expecting, why their check is done the way it is, possible workarounds, and if that is in line with the spec and/or something we are doing different. But, since that dialogue doesn't exist...

"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
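
The inline check described in the post above, modelled as an added example (not part of the original thread, and not Pale Moon or Cloudflare code): it evaluates whether a policy lets a javascript: URL run, including the policy from the quoted Cloudflare community report. The function names, the sample URL and the nonce value are assumptions made for illustration.

```javascript
// Added example (not Pale Moon or Cloudflare code): models the CSP3 inline check
// for a javascript: navigation, i.e. element = null and type = "navigation".
const crypto = require("crypto");

const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;
const HASH = /^'(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+={0,2})'$/i;

// Source list of the directive that governs javascript: URLs, or null if the
// policy has none (script-src-elem falls back to script-src, then default-src).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// True if the policy lets a javascript: URL run.
function javascriptUrlAllowed(policy, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // nothing in the policy restricts script
  const keywords = sources.map((s) => s.toLowerCase());

  // 'unsafe-inline' only counts when no nonce, hash or 'strict-dynamic' is listed.
  const inlineDisabled =
    sources.some((s) => NONCE_OR_HASH.test(s)) || keywords.includes("'strict-dynamic'");
  if (keywords.includes("'unsafe-inline'") && !inlineDisabled) return true;

  // A nonce cannot match because there is no element to carry it, and hashes
  // apply to navigations only when 'unsafe-hashes' is present.
  if (!keywords.includes("'unsafe-hashes'")) return false;

  // Assumption: the hashed source is the full URL string, since the spec text
  // quoted above passes the navigation request's current URL to the check.
  return sources.some((s) => {
    const m = HASH.exec(s);
    if (!m) return false;
    const digest = crypto.createHash(m[1].toLowerCase()).update(url, "utf8").digest("base64");
    return digest === m[2].replace(/-/g, "+").replace(/_/g, "/");
  });
}

// Constructed sample input; the nonce value is made up.
const SAMPLE_URL = "javascript:void(0)";
const REPORTED = "script-src 'nonce-Y29uc3RydWN0ZWQ=' 'unsafe-eval'";
console.log(javascriptUrlAllowed(REPORTED, SAMPLE_URL));
console.log(javascriptUrlAllowed("script-src 'unsafe-inline'", SAMPLE_URL));
```

Adding 'unsafe-inline' next to the nonce does not change the first result, because a nonce or hash in the same source list switches 'unsafe-inline' off.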
-
- Fanatic
- Posts: 115
- Joined: 2016-12-21, 02:23
Re: Cloudflare Verification Loop issues
We were just told by our Fastmail support person that "The problem lies with Palemoon. They will have to update their Browser to Support Cloudflare scripts". Please create and post an installation file with Cloudflare and AVX support for Windows and Puppylinux.
Fastmail tells me our 33.2 Palemoon for linux should be updated. Warn people at the download site that the installation file is missing, and will not install 33.6 to Windows 10 because it does not have AVX. We cannot update 33.2 to 33.6 without AVX (Windows 10) or Cloudflare (Puppy Linux).
-
- Fanatic
- Posts: 115
- Joined: 2016-12-21, 02:23
Re: Cloudflare Verification Loop issues
I will wait until Palemoon is repaired to work with sites requiring AVX (Windows 10) or Cloudflare (Puppy Linux).
-
- Pale Moon guru
- Posts: 37644
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Cloudflare Verification Loop issues
Sorry, but we're not living in the upside-down.
(also, as already stated before, without a dialogue with CF, and no publication of details of their checks -- which they won't do -- it's not even possible to do this)
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Keeps coming back
- Posts: 823
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: Cloudflare Verification Loop issues
sindi wrote: ↑2025-03-03, 18:51
Fastmail tells me our 33.2 Palemoon for linux should be updated. Warn people at the download site that the installation file is missing, and will not install 33.6 to Windows 10 because it does not have AVX. We cannot update 33.2 to 33.6 without AVX (Windows 10) or Cloudflare (Puppy Linux).

If I am following this correctly, it sounds like Fastmail needs to consider the SSE2 builds?
Or maybe it's you that needs to do so?
Either way, this should not be a show stopper.
Windows SSE2 builds: https://ftp2.palemoon.org/avx
Linux SSE2 builds: https://ftp2.palemoon.org/avx/linux
Source: viewtopic.php?f=40&t=27873
-
- Keeps coming back
- Posts: 823
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: Cloudflare Verification Loop issues
I'd have expected more from Fastmail. I thought they had their heads screwed on properly. Seems maybe not so much...
-
- Hobby Astronomer
- Posts: 24
- Joined: 2021-04-28, 11:15
Re: Cloudflare Verification Loop issues
"But wait it gets better" moment https://www.purpleculture.net/dictionar ... =%E4%B8%80 "challenge loops" with the latest ungoogled-chromium (133.0.6943.141) and firefox-esr (128.7.0esr).
-
- Fanatic
- Posts: 115
- Joined: 2016-12-21, 02:23
Re: Cloudflare Verification Loop issues
The puppylinux laptop that is not usable at two sites with Palemoon works perfectly with Firefox 129 for 32-bit linux.
Someone who understands Cloudflare should be able to make Palemoon 33.7 function with Cloudflare and AVX.
I just used Firefox on this laptop to update my Seedsavers profile with the current correct information, and to log into callcentric, with automatic saving of new or changed login info. It was much easier to delete or edit login and password info.
-
- Pale Moon guru
- Posts: 37644
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Cloudflare Verification Loop issues
Considering the pretty lengthy "requirements" CloudFlare has posted for challenges to work, it does seem like they are literally hell-bent on destroying their setup's compatibility for users not on Chrome, Edge or Safari, with Firefox as an afterthought (so basically Google, Microsoft and Apple is all they care about). If you are not using one of their defined "major browsers", if you are using extensions, if you use custom page CSP, if you restrict scripting or cookies, if your website relies on cross-domain implementations, if it relies on cross-origin frames or if you are using an asymmetric IP setup (like some satellite internet uses), it could fail. That seems way too fragile for me, and way beyond what would be necessary for a "bot check" or detection of "bad traffic".
They also don't seem to understand where Firefox ESR and other LTSC software tends to be used (common in high-sec or complex environments)...
CloudFlare wrote:
Browser support
When your application sends a challenge, your visitors either receive a non-interactive or an interactive challenge page.
Supported browsers
If your visitors are using an up-to-date version of a major browser — such as Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they will receive the challenge correctly.
Challenges are not supported by Microsoft Internet Explorer.
If your visitors encounter issues using a major browser besides Internet Explorer, they should upgrade their browser.
Browser extensions
If you have browser extensions, they might lead to unpassable challenge loops. To fix, disable your extensions and reload the page.
Mobile device emulation
Challenges are not supported when device emulation is enabled on a browser, for example, using the browser's developer tools.
Resolve a challenge
If a visitor encounters a challenge, Cloudflare employees cannot remove that challenge. Only the website owner can configure their Cloudflare settings to stop the challenge being presented.
When observing a Cloudflare Challenge page, a visitor could:
- Successfully pass the challenge to visit the website.
- Request the website owner to allow their IP address.
- Scan their computer for malicious programs (it may be infected).
- Check their antivirus or firewall service to make sure it is not blocking access to the challenge resources (for example, images).
Note
Visitors must enable JavaScript and cookies on their browser to be able to pass any type of challenge.
{...}
Custom Content Security Policy not supported
You cannot set your own Content Security Policy (CSP) and/or Referer-Policy via meta tags or Transform Rules in challenge pages.
If you are setting a CSP using Transform Rules for your entire website, you should exclude URI paths starting with /cdn-cgi/challenge-platform/ in the rule expression to avoid issues with challenges.
{...}
Limitations
Cloudflare challenges cannot support the following:
- Browser extensions that modify the browser's User-Agent value or Web APIs such as Canvas and WebGL.
- Implementations where a domain serves a challenge page originally requested for another domain.
- Challenge pages cannot be embedded in cross-origin iframes.
- Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a challenge request was issued to. For example, if you receive the challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a challenge loop.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Astronaut
- Posts: 573
- Joined: 2022-08-10, 02:25
Re: Cloudflare Verification Loop issues
Seems I misposed, I meant I dobut it. lol
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!
-
- Moonbather
- Posts: 52
- Joined: 2025-01-31, 03:03
Re: Cloudflare Verification Loop issues
I would like to notify you guys that 4chan has dropped Cloudflare.
This is great news! With this 90% of my browsing problems are fixed.
EDIT: Cloudflare was only gone from 4chan for fucking 10 minutes and now it's fucking back
Are these fucking clowns trolling me? I am so fucking mad

They will hear from me yet
EDIT 2: Now CF captcha is gone from 4chan again.
WTF is going on with this retarded site?
I really hope this time it's for good !!!!
-
- Knows the dark side
- Posts: 5587
- Joined: 2015-12-09, 15:45
Re: Cloudflare Verification Loop issues
Off-topic:
You still ended up misspelling it

"One hosts to look them up, one DNS to find them and in the darkness BIND them."

KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Jabber: moonbat@hot-chili.net

-
- Pale Moon guru
- Posts: 37644
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Cloudflare Verification Loop issues
I've wondered that for years!

Off-topic:
Critical note: I understand you're mad, but please dial down the level/number of expletives in your posts.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Moon Magic practitioner
- Posts: 2882
- Joined: 2012-08-19, 20:32
Re: Cloudflare Verification Loop issues
Off-topic:
I'd stop complaining about 4chan and start worrying about my browsing habits. Based on your own words, that is.
-
- Lunatic
- Posts: 308
- Joined: 2021-02-19, 20:46
Re: Cloudflare Verification Loop issues
Off-topic:
I might be out of the loop, but isn't 4chan the definition of the sewer of the internet? Only racism, trolling, hatespeech, conspiracy theories, tentacles and porn are to be found there. Why would anyone even open that site is beyond me.
-
- Pale Moon guru
- Posts: 37644
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Cloudflare Verification Loop issues
Off-topic:
LuftWafflePilot wrote: ↑2025-03-04, 08:56
I might be out of the loop, but isn't 4chan the definition of the sewer of the internet? Only racism, trolling, hatespeech, conspiracy theories, tentacles and porn are to be found there. Why would anyone even open that site is beyond me.

To each their own. Let's not make this about people's browsing habits.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite