[Falkon] [Bug 497657] New: Cannot see several websites, like Medium or Perplexity
Resoluciones
bugzilla_noreply at kde.org
Wed Dec 18 18:18:53 GMT 2024
https://bugs.kde.org/show_bug.cgi?id=497657
Bug ID: 497657
Summary: Cannot see several websites, like Medium or Perplexity
Classification: Applications
Product: Falkon
Version: 3.1.0
Platform: Microsoft Windows
OS: Microsoft Windows
Status: REPORTED
Severity: critical
Priority: NOR
Component: general
Assignee: unassigned-bugs at kde.org
Reporter: resoluciones at gmail.com
Target Milestone: ---
SUMMARY
STEPS TO REPRODUCE
1. Entering addresses like medium or perplexity cannot see the sites!
2.
3.
OBSERVED RESULT
Skip to content
Cloudflare Docs
Search
Products
Learning
Status
Support
Log in
GitHub
X
YouTube
Select theme
WAF
Overview
Get started
Concepts
Traffic detections
Custom rules
Rate limiting rules
Managed rules
Additional tools
Account-level configuration
Analytics
Reference
Alerts
Phases
Challenges
Migration guides
Legacy features
Troubleshooting
Glossary
Changelog
On this page
Overview
Available challenges
Managed challenge (recommended)
JS challenge
Interactive Challenge
Browser support
Supported browsers
Browser extensions
Mobile device emulation
Resolve a challenge
Detecting a challenge page response
Private Access Tokens
Proxied hostnames
Multi-language support
Favicon customization
Custom Content Security Policy not supported
Common issues
Deprecated browser support
Referer header
Cross-origin resource sharing (CORS) preflight requests
Limitations
Was this helpful?
Products
WAF
Reference
Challenges
Challenges
When a website is protected by Cloudflare, there are several occasions when it
will challenge visitor traffic:
The visitor's IP address has shown suspicious behavior online (as tracked by
Project Honeypot ↗).
The website owner has blocked the country associated with the visitor's IP
address.
The visitor's actions have activated a WAF custom rule enabled by the website
owner.
If the visitor passes the challenge, their request is allowed. If they fail,
the request will be blocked.
Available challenges
Managed challenge (recommended)
Managed challenges are where Cloudflare dynamically chooses the appropriate
type of challenge based on the characteristics of a request. This helps avoid
CAPTCHAs ↗, which also reduces the lifetimes of human time spent solving
CAPTCHAs across the Internet.
Unless there are specific compatibility issues or other reasons to use other
types of challenges, you should use managed challenges for your various custom
rules.
Depending on the characteristics of a request, Cloudflare will choose an
appropriate type of challenge, which may include but is not limited to:
A non-interactive challenge page (similar to the current JS Challenge).
A custom interactive challenge (such as click a button).
Private Access Tokens (using recent Apple operating systems).
Warning
Using Cloudflare challenges along with Rules features may cause challenge
loops. Refer to Rules troubleshooting for more information.
Available products
Currently, Managed Challenge actions are available in the following security
products:
WAF custom rules
Rate limiting rules
WAF Managed Rules
Bot Fight Mode: You may also see Security Events with an Action taken of
Managed Challenge due to Cloudflare bot products.
HTTP DDoS Attack Protection
IP Access Rules
User Agent Blocking
Firewall rules (deprecated)
Rate Limiting (previous version, deprecated)
Turnstile
JS challenge
With a JS challenge, Cloudflare presents challenge page that requires no
interaction from a visitor, but rather JavaScript processing by their browser.
The visitor will have to wait until their browser finishes processing the
JavaScript, which should be less than five seconds.
Interactive Challenge
Interactive challenges require a visitor to interact with the challenge page,
presenting the visitor with an interactive challenge to solve. Cloudflare does
not recommend using Interactive Challenges.
For more on why Cloudflare does not recommend using Interactive Challenge, in
favor of Managed Challenge, refer to our blog ↗.
Browser support
When your application sends a challenge, your visitors either receive a
non-interactive or an interactive challenge page.
Supported browsers
If your visitors are using an up-to-date version of a major browser — such as
Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they
will receive the challenge correctly.
Challenges are not supported by Microsoft Internet Explorer.
If your visitors encounter issues using a major browser besides Internet
Explorer, they should upgrade their browser.
Browser extensions
If you have browser extensions, they might lead to unpassable challenge loops.
To fix, disable your extensions and reload the page.
Mobile device emulation
Challenges are not supported when device emulation is enabled on a browser, for
example, using the browser's developer tools.
Resolve a challenge
If a visitor encounters a challenge, Cloudflare employees cannot remove that
challenge. Only the website owner can configure their Cloudflare settings to
stop the challenge being presented.
When observing a Cloudflare Challenge page, a visitor could:
Successfully pass the challenge to visit the website.
Request the website owner to allow their IP address.
Scan their computer for malicious programs (it may be infected).
Check their antivirus or firewall service to make sure it is not blocking
access to the challenge resources (for example, images).
Note
Visitors must enable JavaScript and cookies on their browser to be able to pass
any type of challenge.
Detecting a challenge page response
When a request encounters a Cloudflare challenge page instead of the originally
anticipated response, the challenge page response (regardless of the challenge
page type) will have the cf-mitigated header present and set to challenge. This
header can be leveraged to detect if a response was challenged when making
fetch/XHR requests. This header provides a reliable way to identify whether a
response is a challenge or not, enabling a web application to take appropriate
action based on the result. For example, a front-end application encountering a
response from the backend may check the presence of this header value to handle
cases where challenge pages encountered unexpectedly.
Note
Regardless of the requested resource-type, the content-type of a challenge will
be text/html.
For the cf-mitigated header, challenge is the only valid value. The header is
set for all challenge page types.
To illustrate, here is a JavaScript code snippet that demonstrates how to use
the cf-mitigated header to detect whether a response was challenged:
fetch("/my-api-endpoint").then((response) => {
if (response.headers.get("cf-mitigated") === "challenge") {
// Handle challenged response
} else {
// Process response as usual
}
});
For additional help, refer to our FAQ for Challenges.
Private Access Tokens
When a user is presented with a challenge page, Cloudflare decides what
challenges need to be solved to prove they are human. While some challenges are
computationally complex or require interactivity, most of the challenges served
are invisible to the user.
Cloudflare uses results from the Private Access Token (PAT) to decide what
challenges users will see next. If a user presents a token, they will have an
easier time solving the challenge.
The challenge page is an interstitial page and users will see it regardless of
having a valid PAT or not. A PAT does not automatically solve a challenge. It
prevents certain challenges from being issued.
Proxied hostnames
If your hostname is proxied through Cloudflare, visitors may experience
challenges on your webpages.
Cloudflare issues challenges through the Challenge Platform, which is the same
underlying technology powering Turnstile.
In contrast to our Challenge page offerings, Turnstile allows you to run
challenges anywhere on your site in a less-intrusive way without requiring the
use of Cloudflare’s CDN.
Multi-language support
Cloudflare Challenge Platform can detect multiple languages and display the
localized challenge experience, which is determined by navigator.language
value. The Navigator.language read-only property ↗ returns a string
representing the preferred language of the user, usually the language of the
browser user interface. The supported languages are currently English, Arabic,
Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Indonesian,
Italian, Japanese, Korean, Persian/Farsi, Polish, Portuguese, Russian, Spanish,
Turkish.
Favicon customization
Cloudflare challenges take the favicon of your website using GET /favicon.ico
and displays it on the challenge page.
You can customize your favicon by using the HTML snippet below.
HTML element
<link rel="shortcut icon" href="<FAVICON_LINK>" />
Custom Content Security Policy not supported
You cannot set your own Content Security Policy (CSP) and/or Referer-Policy via
meta tags or Transform Rules in challenge pages.
If you are setting a CSP using Transform Rules for your entire website, you
should exclude URI paths starting with /cdn-cgi/challenge-platform/ in the rule
expression to avoid issues with challenges.
Common issues
Deprecated browser support
Challenges are not supported by Microsoft Internet Explorer. If you are
currently using Internet Explorer, try using another modern web browser
(Chrome, Safari, Firefox). If you are already using a modern web browser, make
sure it is using the latest version.
Referer header
When a request is sent with a referer header, the user will receive a challenge
page as a response. Upon solving the challenge page, the request with the
referer is sent to the origin, and the response to the request is served to the
user. The JavaScript on the response page may read the value of
document.referer, but it will be inaccurate. This affects tools such as Google
Analytics, which reads the referer from JavaScript.
You can add tracking scripts to challenge pages to capture the correct referer
header on the initial request.
Cross-origin resource sharing (CORS) preflight requests
Cross-origin resource sharing (CORS) preflight requests, or OPTIONS, exclude
user credentials that include cookies. As a result, the cf_clearance cookie
will not be sent with the request, causing it to fail to bypass a challenge
page (non-interactive, managed, or interactive challenge).
Limitations
Cloudflare challenges cannot support the following:
Browser extensions that modify the browser's User-Agent value or Web APIs such
as Canvas and WebGL.
Implementations where a domain serves a challenge page originally requested for
another domain.
Challenge pages cannot be embedded in cross-origin iframes.
Client software where the solve request of a Managed Challenge comes from a
different IP than the original IP a challenge request was issued to. For
example, if you receive the challenge from one IP and solve it using another
IP, the solve is not valid and you may encounter a challenge loop.
Was this helpful?
Edit page
Cloudflare Dashboard
Discord
Community
Learning Center
Support Portal
Cookie Preferences
EXPECTED RESULT
SOFTWARE/OS VERSIONS
Windows: W10
macOS:
(available in the Info Center app, or by running `kinfo` in a terminal window)
Linux/KDE Plasma:
KDE Plasma Version:
KDE Frameworks Version:
Qt Version:
ADDITIONAL INFORMATION
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the Unassigned-bugs
mailing list