Cloudflare challenges only work in incognito (with all extensions)
I've been having an issue for a while now where the cloudflare challenges that ask you to click the check mark to "verify your connection is secure" would just endlessly ask me to click the button and never continue. Sometimes it would say to unblock access to challenges.cloudflare.com.
But if I a launch an incognito window I can visit website with the challenge and it won't even ask! I've added all my extensions to run in incognito mode and everything still works, I can visit the websites in incognito just fine. So the one changing variable is incognito vs non-incognito.
I can have two windows open, one incognito and one not, and browse to the same website and the non-incog window will fail but the incog will just go to the site.
I thought incognito was supposed to only affect the session storage? Does it silently change other things to the running environment of the browser (about:config options, slightly different extension configs)?
Anyone know why this small change would suddenly allow cloudflare challenges to work?
Isisombulu esikhethiweyo
After some testing with a local web server and disabling the extensions one-by-one, the problem one is the user-agent spoofer. It appears that even after specifically enabling it to run (and it does show in the toolbar) in incognito windows it actually just doesn't run at all. The HTTP user agent is the original when making requests.
Very strange behavior from this extension, and I did just see a review on it that said it just flat out breaks cloudflare. Looks like I will be uninstalling that.
Funda le mpendulo kwimeko leyo 👍 4All Replies (7)
The Multi-Account Containers extension does not work in private windows even with permission. Others may be similar so you should try disabling your extensions.
zeroknight said
The Multi-Account Containers extension does not work in private windows even with permission. Others may be similar so you should try disabling your extensions.
The only extensions I have installed are ublock origin, umatrix, dark reader, and User-agent switcher. I have enabled all of these to run in incognito and the cloudflare challenges still work with each of them operating just as in the non-incognito window.
Are you saying that incognito actually changes the behavior/functions of extensions? Because I can think of no other reason to test with the non-incognito window with extensions disabled. Regardless, I will test it out when I find another site with the challenge.
Isisombululo esiKhethiweyo
After some testing with a local web server and disabling the extensions one-by-one, the problem one is the user-agent spoofer. It appears that even after specifically enabling it to run (and it does show in the toolbar) in incognito windows it actually just doesn't run at all. The HTTP user agent is the original when making requests.
Very strange behavior from this extension, and I did just see a review on it that said it just flat out breaks cloudflare. Looks like I will be uninstalling that.
Do you mean User-Agent Switcher and Manager? That works for me in private windows.
Anti-bot protection is likely to reject user-agent modifications.
zeroknight said
Do you mean User-Agent Switcher and Manager? That works for me in private windows. Anti-bot protection is likely to reject user-agent modifications.
Yes, I am using that user-agent switcher extension. I did test it in a private window, and my actual user-agent string was used. Not the one that the extension was supposed to supply despite the extension being active and saying it was using my chosen spoofed agent.
But I think the problem is the user agent extension was unable to spoof all the ways a site can identify the box. So I guess cloudflare is more advanced at fingerprinting than that extension is at spoofing. Again, there is already a published review on the extension confirming someone else having the same issue as me.
The User-Agent Switcher description is rather misleading:
"making it impossible for websites to know specific details about your browsing arrangement."
This gives the impression it changes the whole browser fingerprint but it only changes the request headers which will not fool the likes of Cloudflare. The request headers are changed for me in private windows.