
556 points campuscodi | 2 comments

amatecha No.41867018
I get blocked from websites with some regularity, running Firefox with strict privacy settings, "resist fingerprinting" etc. on OpenBSD. They just give a 403 Forbidden with no explanation, but it's only ever on sites fronted by CloudFlare. Good times. Seems legit.
replies(13): >>41867245 >>41867420 >>41867658 >>41868030 >>41868383 >>41868594 >>41869190 >>41869439 >>41869685 >>41869823 >>41871086 >>41873407 >>41873926

pessimizer No.41869439
Also, Cloudflare won't let you in if you forge your referer (it's nobody's business what site I'm coming from.) For years, you could just send the root of the site you were visiting, then last year somebody at Cloudflare flipped a switch and took a bite out of everyone's privacy. Now it's just endless reloading captchas.
replies(2): >>41869588 >>41871887

zamadatix No.41869588
Why go through that hassle instead of just removing the referer?
replies(1): >>41871044

bityard No.41871044
Lots of sites see an empty referrer and send you to their main page or marketing page. Which means you can't get anywhere else on their site without a valid referrer. They consider it a form of "hotlink" protection.

(I'm not saying I agree with it, just that it exists.)

replies(1): >>41872789

zamadatix No.41872789
Fair and valid answer to my wording. Rewritten for what I meant to ask: "Why set referrer to the base of the destination origin instead of something like Referrer-Policy: strict-origin?". I.e. remove it completely for cross-origin instead of always making up that you came from the destination.

Though what you mention does beg the question "is there really much privacy gain in that over using Referrer-Policy: same-origin and having referrer based pages work right?" I suppose so if you're randomizing your identity in an untrackable way for each connection it could be attractive... though I think that'd trigger being suspected as a bot far before the lack of proper same origin info :p.
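As an added illustration (not code from the thread), the following Python model computes the Referer value a browser sends under each named Referrer-Policy for a navigation from src to dst, so the same-origin / strict-origin / no-referrer trade-off discussed above can be compared on concrete URLs. The shop.example and other.example URLs are constructed examples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url: str) -> str:
    """scheme://host[:port] of a URL, default port dropped, userinfo removed."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port is None or p.port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{p.port}"

def strip_for_referer(url: str) -> str:
    """Full Referer form: origin + path + query, with fragment and credentials dropped."""
    p = urlsplit(url)
    return f"{origin(url)}{p.path or '/'}{'?' + p.query if p.query else ''}"

def is_downgrade(src: str, dst: str) -> bool:
    """HTTPS page navigating to a non-HTTPS URL; the strict-* policies then send nothing."""
    return urlsplit(src).scheme.lower() == "https" and urlsplit(dst).scheme.lower() != "https"

def referer_for(policy: str, src: str, dst: str):
    """Referer value sent under `policy` for src -> dst; None means the header is omitted."""
    same = origin(src) == origin(dst)
    downgrade = is_downgrade(src, dst)
    full, org = strip_for_referer(src), origin(src) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return org
    if policy == "origin-when-cross-origin":
        return full if same else org
    if policy == "strict-origin":
        return None if downgrade else org
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same else org)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy: {policy}")

def compare(src: str, dst: str, policies=("same-origin", "strict-origin", "no-referrer")):
    """The three options discussed in the thread, side by side for one navigation."""
    return {p: referer_for(p, src, dst) for p in policies}
```

Running compare on a same-origin navigation shows same-origin keeping the full path the site's own referrer-based pages need, while the cross-origin case shows strict-origin still leaking the bare origin and no-referrer sending nothing at all.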