Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

1343 points Hold-And-Modify | 3 comments | 05 Feb 25 19:08 UTC | HN request time: 0s | source

Hello.

Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

Users reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

Show context

slothsarecool ◴[05 Feb 25 21:14 UTC] No.42955234[source]▶

>>42953508 (OP) #

Cloudflare is actually pretty upfront about which browsers they support. You can find the whole list right in their developer docs. This isn't some secret they're trying to hide from website owners or users - it's right here https://developers.cloudflare.com/waf/reference/cloudflare-c... - My guess is that there is no response because not one of the browsers you listed is supported.

Think about it this way: when a framework (many modern websites) or CAPTCHA/Challenge doesn't support an older or less common browser, it's not because someone's sitting there trying to keep people out. It's more likely they are trying to balance the maintenance costs and the hassle involved in allowing or working with whatever other many platforms there are (browsers in this case). At what point is a browser relevant? 1 user? 2 users? 100? Can you blame a company that accommodates for probably >99% of the traffic they usually see? I don't think so, but that's just me.

At the end, site owners can always look at their specific situation and decide how they want to handle it - stick with the default security settings or open things up through firewall rules. It's really up to them to figure out what works best for their users.

replies(3): >>42955422 #>>42956415 #>>42966774 #

1. chaoskitty ◴[06 Feb 25 21:40 UTC] No.42966774[source]▶

>>42955234 #

So you're saying that which browsers are supported on the Internet should be determined by a single, for-profit company? That's a very interesting and shorthsighted take.

I love how so many of these apologists talk about stuff like "maintenance costs", as though it's impossible to write code that's clean and works consistently across platforms / browsers. "Oh, no! Who'll think of the profits?!?"

If you had any technical knowledge, you'd know that "maintenance costs" are only a thing when you code shittily or intentionally target specific cases. A well written, cross-browser, cross-platform CAPTCHA shouldn't have so many browser specific edge cases that it needs constant "maintenance".

In other words, imagine you're arguing that a web page with a picture doesn't load on a browser because nobody bothered to test with that browser. Now imagine you're making the case for that browser being so obscure that nobody would expend the time and money. Instead, why aren't you pondering why any web site with a picture wouldn't be general enough to just work? What does that say about your agenda, and about the fact that you want to make excuses for this huge, striving-to-be-a-monopoly, for-profit company?

replies(2): >>43019938 #>>43027896 #

2. slothsarecool ◴[11 Feb 25 23:57 UTC] No.43019938[source]▶

>>42966774 (TP) #

I think it's pretty clear you have never worked on fraud protections or bot detections, otherwise you'd understand the struggles of supporting many environments with a single solution, you already have an opinion on this and by the way your messages are typed, it doesn't seem like any rational will change your ideas.

This is the internet and everybody is a field expert the moment they want to win an argument, best of luck with that.

3. usere9364382 ◴[12 Feb 25 18:01 UTC] No.43027896[source]▶

>>42966774 (TP) #

Indeed. Software can be written like math. 1 + 1 = 2, holds true for now and for all time, past and present.

↑