←back to thread

Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

1343 points Hold-And-Modify | 1 comments | 05 Feb 25 19:08 UTC | HN request time: 0s | source

Hello.

Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

Users reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

Show context
tibbar ◴[05 Feb 25 21:12 UTC] No.42955200[source]
This echoes the user agent checking that was prevalent in past times. Websites would limit features and sometimes refuse to render for the "wrong" browser, even if that browser had the ability to display the website just fine. So browsers started pretending to be other browsers in their user agents. Case in point - my Chrome browser, running on an M3 mac, has the following user agent:

"'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36'"

That means my browser is pretending to be Firefox AND Safari on an Intel chip.

I don't know what features Cloudflare uses to determine what browser you're on, or if perhaps it's sophisticated enough to get past the user agent spoofing, but it's all rather funny and reminiscent just the same.

replies(7): >>42955304 #>>42955320 #>>42956442 #>>42959877 #>>42961242 #>>42963248 #>>42965661 #
wongarsu ◴[05 Feb 25 22:45 UTC] No.42956442[source]
They are pretending to be an ancient Mozilla version from the time after Netscape but before Firefox, KHTML (which was forked to webkit), Firefox (Gecko engine), Chrome and Safari. The only piece of browser history it's missing is somehow pretending to be IE.
replies(2): >>42957582 #>>42959047 #
tibbar ◴[06 Feb 25 04:21 UTC] No.42959047[source]
Amusingly, I also just realized that even the operating system is spoofed here! I'm on macOS 14, yet the user agent claims "Mac OS X" 10.15. It's a pretty funny situation, and clearly for the sole benefit of very old websites and libraries performing dubious checks.
replies(1): >>42959773 #
1. zerocrates ◴[06 Feb 25 06:52 UTC] No.42959773{3}[source]
I don't know if they still do it, but the Apple Silicon Macs also lied about their architecture and said they're Intel. Truth is not the guiding principle of the User-Agent (or all the JS navigator properties, or anything else easy to use to check this kind of thing).