Cloudflare

Discussion of bugs in Seamonkey
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Cloudflare

Post by Frank Lion »

rainyd wrote:I think, it's probably not a bug in Seamonkey, however since yesterday, I can't login to Nexus Mods anymore
TPR75 wrote: Unfortunately, last week it was working for me but today I can't log-in
DerVVulfman wrote: The fault is not with these. And again, I have had not an issue to gain entry until two weeks ago. The fault lay here.
It's fine to ask for a workaround in SM Support, but this thread shouldn't have been posted in Bugs,..

... i.e. if this site worked a month ago for y'all and you haven't changed SeaMonkey versions since, then y'all already know damn well that this isn't a SM bug, but a problem with that website.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
TPR75
Posts: 1353
Joined: July 25th, 2011, 8:11 am
Location: Poland

Re: Cloudflare

Post by TPR75 »

Frank Lion wrote:... i.e. if this site worked a month ago for y'all and you haven't changed SeaMonkey versions since, then y'all already know damn well that this isn't a SM bug, but a problem with that website.
It's not a bug, it's a feature. Or actually lack of feature(-s) present in latest Firefox. So it should be in "SeaMonkey Features" subforum... :wink:
--
n0spam
Posts: 46
Joined: November 7th, 2020, 7:56 am

Re: Cloudflare

Post by n0spam »

frg wrote:There is nothing in the error log. Not sure what they want from SeaMonkey which is missing.
Most likely, something of this sec- shit, i.e. Sec-Fetch-Site[1] et al.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site
TPR75
Posts: 1353
Joined: July 25th, 2011, 8:11 am
Location: Poland

Re: Cloudflare

Post by TPR75 »

n0spam wrote:
frg wrote:There is nothing in the error log. Not sure what they want from SeaMonkey which is missing.
Most likely, something of this sec- shit, i.e. Sec-Fetch-Site[1] et al.

[1] https://developer.mozilla.org/en-US/doc ... Fetch-Site
Could be this?
https://bugzilla.mozilla.org/show_bug.cgi?id=1508292
--
n0spam
Posts: 46
Joined: November 7th, 2020, 7:56 am

Re: Cloudflare

Post by n0spam »

TPR75 wrote:
n0spam wrote:
frg wrote:There is nothing in the error log. Not sure what they want from SeaMonkey which is missing.
Most likely, something of this sec- shit, i.e. Sec-Fetch-Site[1] et al.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site
Could be this?
https://bugzilla.mozilla.org/show_bug.cgi?id=1508292
Yeah, most likely. Or it could be client hints (sec-ch-*). Or both. You never know to what lengths a bunch of useless di%@s trying to justify their existence could go.
Last edited by LIMPET235 on January 23rd, 2023, 6:29 am, edited 1 time in total.
Reason: A tad of text editing.
n0spam
Posts: 46
Joined: November 7th, 2020, 7:56 am

Re: Cloudflare

Post by n0spam »

Nope, sending sec-fetch-* and sec-ch-* (code below) doesn't help. Tried with a Chrome 97 and a Firefox 102 user-agent - slightly different flow, but still end up in an infinite loop. Although maybe they also are using TLS fingerprinting and deny access if it doesn't match the user-agent in the request headers, idk. OTOH, even with TLS fingerprinting it should've worked with a Firefox user-agent because both Firefox and SeaMonkey use the same TLS engine (or at least should use, if I'm interpreting "backported security stuff from the latest FF" in the release notes correctly), so the cipher list should be the same.
Anyway, that was as much time as I could afford wasting on these clowns, sorry.

Code: Select all

// Call obs.unregister() when done.
// Replace obs.observe_impl with your implementation if needed.
var obs = (function(){
var Cc = Components.classes, Ci = Components.interfaces, Cu = Components.utils;
var obs = {observe: function(subject, topic, data){return rc.observe_impl.apply(this, arguments);}};
var rc = {
	observe_impl: function(subject, topic, data){},
	register: function(){
		Cc["@mozilla.org/observer-service;1"].getService(Ci.nsIObserverService)
			.addObserver(obs, "http-on-modify-request", false);
	},
	unregister: function(){
		Cc["@mozilla.org/observer-service;1"].getService(Ci.nsIObserverService)
			.removeObserver(obs, "http-on-modify-request");
	},
};

rc.observe_impl = (function(){
	var log = console.error.bind(console);
	var matchers = [
		{
			matcher: /\/cdn-cgi\/challenge-platform\/h\/g\/scripts\/alpha\/invisible\.js/,
			headers: {
				"sec-fetch-dest": "script",
				"sec-fetch-mode": "no-cors",
				"sec-fetch-site": "same-origin",
			}
		},
		{
			matcher: /\/cdn-cgi\/challenge-platform\/h\/g\/scripts\/pica\.js/,
			headers: {
				"sec-fetch-dest": "worker",
				"sec-fetch-mode": "same-origin",
				"sec-fetch-site": "same-origin",
			}
		},
		{
			matcher: /\/cdn-cgi\/challenge-platform\/h\/g\/cv\/result\//,
			headers: {
				"sec-fetch-dest": "empty",
				"sec-fetch-mode": "cors",
				"sec-fetch-site": "same-origin",
				"origin": "https://users.nexusmods.com",
			}
		},
		{
			matcher: /users\.nexusmods\.com\/auth\/sign_in/,
			headers: {
				"sec-fetch-dest": "document",
				"sec-fetch-mode": "navigate",
				"sec-fetch-site": "same-origin",
				"sec-fetch-user": "?1",
				"origin": "https://users.nexusmods.com",
				"referer": "https://users.nexusmods.com/",
			}
		},
		{
			matcher: /\/cdn-cgi\/challenge-platform\/h\/g\/orchestrate\/jsch\/v1\?/,
			headers: {
				"sec-fetch-dest": "script",
				"sec-fetch-mode": "no-cors",
				"sec-fetch-site": "same-origin",
			}
		},
		{
			matcher: /\/cdn-cgi\/images\/trace\/jsch\/js\/transparent\.gif/,
			headers: {
				"sec-fetch-dest": "image",
				"sec-fetch-mode": "no-cors",
				"sec-fetch-site": "same-origin",
			}
		},
		{
			matcher: /\/cdn-cgi\/challenge-platform\/h\/g\/flow\/ov1\//,
			headers: {
				"sec-fetch-dest": "empty",
				"sec-fetch-mode": "cors",
				"sec-fetch-site": "same-origin",
				"origin": "https://users.nexusmods.com",
				"referer": "https://users.nexusmods.com/auth/sign_in",
			}
		},
		{
			matcher: /\/cdn-cgi\/challenge-platform\/h\/g\/img\//,
			headers: {
				"sec-fetch-dest": "image",
				"sec-fetch-mode": "no-cors",
				"sec-fetch-site": "same-origin",
				"referer": "https://users.nexusmods.com/auth/sign_in",
			}
		},
		{
			matcher: /\/cdn-cgi\/challenge-platform\/h\/g\/pat\//,
			headers: {
				"sec-fetch-dest": "empty",
				"sec-fetch-mode": "cors",
				"sec-fetch-site": "same-origin",
				"referer": "https://users.nexusmods.com/auth/sign_in",
			}
		},
	].map(function(o){
		function make_matcher(v) {
			if (typeof(v) === "function") { return v; }
			if (v instanceof RegExp) { return function(s){return v.test(s);}; }
			// Assume String.
			return function(s){return s == v;};
		}
		o.matches = make_matcher(o.matcher);
		return o;
	});
	return function (channel, topic, data) {
		if (topic !== "http-on-modify-request") { return; }
		channel.QueryInterface(Components.interfaces.nsIHttpChannel);
		channel.setRequestHeader("sec-ch-ua", '"Chromium";v="97", " Not;A Brand";v="99"', false);
		channel.setRequestHeader("sec-ch-ua-mobile", "?0", false);
		channel.setRequestHeader("sec-ch-ua-platform", '"Windows"', false);
		matchers.some(function(o){
			if ( ! o.matches(channel.URI.spec, channel)) { return; }
			var headers = o.headers;
			Object.keys(headers).forEach(function(h){
				headers.hasOwnProperty(h) && channel.setRequestHeader(h, headers[h], false);
			});
			return true;
		});
	};
})();

rc.register();
return rc;
})();
TPR75
Posts: 1353
Joined: July 25th, 2011, 8:11 am
Location: Poland

Re: Cloudflare

Post by TPR75 »

n0spam wrote:OTOH, even with TLS fingerprinting it should've worked with a Firefox user-agent because both Firefox and SeaMonkey use the same TLS engine (or at least should use, if I'm interpreting "backported security stuff from the latest FF" in the release notes correctly), so the cipher list should be the same.
Maybe I'm looking in wrong places but it looks like patch for bug 1508292 was not backported:
https://www.wg9s.com/comm-253/patches/s ... e/patches/

https://foss.heptapod.net/seamonkey/moz ... ch/default
--
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Cloudflare

Post by Frank Lion »

n0spam wrote:Nope, sending sec-fetch-* and sec-ch-* (code below) doesn't help. Tried with a Chrome 97 and a Firefox 102 user-agent - slightly different flow, but still end up in an infinite loop. Although maybe they also are using TLS fingerprinting and deny access if it doesn't match the user-agent in the request headers, idk. OTOH, even with TLS fingerprinting it should've worked with a Firefox user-agent because both Firefox and Sea
You're really, really overthinking all this. Complex problems often do not need complex solutions.

As has happened before, this latest stuff with Cloudflare is just a simple UA string fix.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
TPR75
Posts: 1353
Joined: July 25th, 2011, 8:11 am
Location: Poland

Re: Cloudflare

Post by TPR75 »

Frank Lion wrote:As has happened before, this latest stuff with Cloudflare is just a simple UA string fix.
I've tried overriding UA with:

Code: Select all

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
... and

Code: Select all

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
... and (latest Edge under Win10)

Code: Select all

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.61
For both Nexus Mods:

Code: Select all

general.useragent.override.nexusmods.com
... and Cloudflare:

Code: Select all

general.useragent.override.cloudflare.com
And as general override too.

It's not working. So, what did you do to make it work?
--
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Cloudflare

Post by Frank Lion »

Image

Still all think this is a SM bug?
TPR75 wrote: It's not working. So, what did you do to make it work?
Well, yesterday, I used a really old Firefox 60 UA to get an 'old browser' message that links to this - https://developers.cloudflare.com/funda ... er-support
If you are already using a major web browser, make sure it is using the latest version.
..which shows that you messing about with a Firefox 102 UA is never going to work. (it's 109 now)

Next, I....and here we get to the 'Give a Man a Fish' moment. ...As I've mentioned before, real world logic doesn't work with computer coding, especially with UA stuff. So this 'ive tried the latest Firefox UA and even that didn't work!!!!' is not going to cut it.

So, either you learn how computer code 'thinks' (possible after a while with theme coding) or use a scattergun approach (as I do) and try everything, irrespective of real world logic.

Good luck on your journey, which at least now you know is possible (and a lot quicker than writing many of the above posts) :)
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
TPR75
Posts: 1353
Joined: July 25th, 2011, 8:11 am
Location: Poland

Re: Cloudflare

Post by TPR75 »

Frank Lion wrote:Image

Still all think this is a SM bug?
TPR75 wrote: It's not working. So, what did you do to make it work?
Well, yesterday, I used a really old Firefox 60 UA to get an 'old browser' message that links to this - https://developers.cloudflare.com/funda ... er-support
If you are already using a major web browser, make sure it is using the latest version.
..which shows that you messing about with a Firefox 102 UA is never going to work. (it's 109 now)

Next, I....and here we get to the 'Give a Man a Fish' moment. ...As I've mentioned before, real world logic doesn't work with computer coding, especially with UA stuff. So this 'ive tried the latest Firefox UA and even that didn't work!!!!' is not going to cut it.

So, either you learn how computer code 'thinks' (possible after a while with theme coding) or use a scattergun approach (as I do) and try everything, irrespective of real world logic.

Good luck on your journey, which at least now you know is possible (and a lot quicker than writing many of the above posts) :)
I understand you like to think about yourself Top Cat...

Image

... but I just tried your UA:

Code: Select all

Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 SeaMonkey/2.53.14
... and it's not working (constant "checking").
Modified UA:

Code: Select all

Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
... gives:
"Your browser is out of date!
Update your browser to view this website correctly."

I'm asking You a question like for ElTxolo: do You have account there? Did you tried to really log-in?

I can display page with empty fields for login and password too. It's here:
https://users.nexusmods.com/

But filling them and proceeding will not work - it will fail on authentication step:
https://users.nexusmods.com/auth/sign_in

Actually, "LOG IN" button has this link:

Code: Select all

https://users.nexusmods.com/auth/continue?client_id=nexus&redirect_uri=https://www.nexusmods.com/oauth/callback&response_type=code&referrer=https%3A%2F%2Fwww.nexusmods.com%2F
https://users.nexusmods.com/auth/contin ... ods.com%2F

Image

So IF this really works for You then please write it here, step-by-step simple procedure. Maybe I'm missing something simple here...
--
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Cloudflare

Post by Frank Lion »

TPR75 wrote:I understand you like to think about yourself Top Cat...
Then you understand nothing.

I'm sick and tired, first in the Firefox forums and now here, of always dropping into threads with so-called 'magic bullet' solutions, even though I've explained countless times how I approach problems and that anyone can do the same. But, they never even try to.

tl:dr? It's precisely because I don't want to be any 'Top Cat' that I'm doing it this way, so that people think for themselves.

... but I just tried your UA:

Code: Select all

Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 SeaMonkey/2.53.14
.. and it's not working (constant "checking").
Yeah, because for me to post the right workaround UA here or in the screenshot is really likely.
do You have account there? Did you tried to really log-in?
Yes and yes. (see datestamp on screenshot) -

Image
IF this really works for You then please write it here
No.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Cloudflare

Post by Frank Lion »

rainyd wrote:I think, it's probably not a bug in Seamonkey...

...Is there any workaround to fix that issue?
Yep, use the following UA override -

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.9) Gecko/20100101 Goanna/4.3 Firefox/60.9 PaleMoon/28.6.1


NB. No big deal posting this thread in Bugs.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
rainyd
Posts: 46
Joined: November 14th, 2008, 1:22 pm

Re: Cloudflare

Post by rainyd »

Thank you warmly for the help, Frank.

Btw, I don't mind if this thread will be moved to more appropriate section.
User avatar
DerVVulfman
Posts: 16
Joined: January 16th, 2023, 1:38 pm

Re: Cloudflare

Post by DerVVulfman »

I am returning with another site now using CloudFlare, and it is an ip security site that now prohibits Seamonkey in its current state. And yes, I do have the latest 2.53.16 build. I am running the x64 build, and using Windows 10 - 16GB Ram.

As more and more sites begin using Cloudflare, more and more are people going to question using Seamonkey if this is not addressed.

So before anyone suggests that it is up to the end-user of Seamonkey to change the UA string, whatever that is, recognize that this is an apparent recurring issue. And if an alteration of the UA is all that is needed, then it should have been implemented into the builds by now.

There should be an understanding that not everyone should have need to visit the forums for problems that have appeared countless times. It should not require end-users to apply any such correction. And do understand that not everyone is tech-savvy to know how to even how to perform the edit to the UA string or where to even begin.

And if one wishes to state that it is not the responsibility of the Development Team working on Seamonkey, then they are flatly stating it is ours, the end-users. And that is unacceptable.

* * *

On a stupid side note, clicking the Seamonkey logo at the right edge of the Navigation Toolbar brings up the "Download Now: 2.53.16" webpage... even though it is currently the one in use. Who blundered there? :P
Questioning Seamonkey support for various reasons now... claims its the websites when other browsers function, states users need to apply UA overrides (fixing it themselves) whilst no other browser has such need, suggests using other browsers... and closes topics when inconvenient.
Locked