Delton Barnes wrote:
> Hello,
>
> There is a forum website I frequent in Tor Browser that uses two
> CloudFlare domains. One (say "example.com") is the main website,
> and the other (say "example.org") provides static content such as
> images and JavaScript.
>
> A CloudFlare CAPTCHA is almost always presented when accessing
> example.com. After completing it, example.com loads fine, but all
> requests to example.org get a 403 response (as observed in Network
> tab of Developer Toolbar). The result is the forum is unusable.
> Strangely, if I manually enter any of the individual example.org
> URLs that received a 403 response in the same tab, they load fine
> (200 response).
>
> Has anyone encountered this problem? If so, is there a good
> workaround? Usually I switch Tor circuits until I get one that does
> not block example.org.

I have encountered this problem regularly, e.g. with HackerOne. The problem is that CloudFlare does not recognize the common session across the distinct domains, assumes that the requests to example.org are different to those from example.com, and returns a CAPTCHA. But you can't solve a CAPTCHA for an image URL loaded inside a page >_>

If you were actually requesting example.org, you would see the CAPTCHA page. But because the Tor Browser Bundle uses a new circuit per domain name (in the tab's URL bar), you can't just open example.org in a new tab, solve the CAPTCHA, and then reload example.com, because the example.org CAPTCHA is associated with a different Tor circuit.

I have notified the websites I have had this problem with, as well as CloudFlare, but until they provide some way for server operators to "link" domains together, so a request from an IP to example.com (that has had a CAPTCHA solved) followed by a request from that IP to example.org is recognized as the same session, then there isn't much that can be done.

A possible workaround would be for Tor Browser to include an option that allows users to "open all CAPTCHAs on this page". It could look for all unique domains within a page, and open a tab (or pop-up window) for each through the same circuit. That would allow users to authenticate that site's Tor circuit with CloudFlare for all domains the site uses. But this would probably need to be repeated each time the circuit changes (like the CAPTCHAs already need to be).

str4d

>
> Unfortunately I cannot share the website as doing so could identify
> me. Also, I have been unsuccessful getting the administrator to
> whitelist Tor (e.g., by using recently publicized GitHub script).
>
> Thanks, Delton
>

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
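
Added example (not part of the original messages and not Tor Browser code): a Python sketch of the first step of the workaround str4d describes, finding the unique domains, other than the page's own, that a page loads resources from. The function name, the tag/attribute list and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch (assumed, non-exhaustive;
# <link href> over-approximates because not every rel value is fetched).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href",
               "source": "src", "video": "src", "audio": "src"}

class _ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])  # <base> changes resolution
        attr = FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(urljoin(self.base, attrs[attr]))

def third_party_hosts(page_url, html):
    """Return sorted hostnames, other than the page's own, that the page loads from."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    own = urlsplit(page_url).hostname
    hosts = set()
    for url in collector.urls:
        parts = urlsplit(url)  # .hostname is already lower-cased
        if parts.scheme in ("http", "https") and parts.hostname and parts.hostname != own:
            hosts.add(parts.hostname)
    return sorted(hosts)

# Constructed sample page: main site on example.com, static content on example.org.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://example.org/css/forum.css">
<script src="//example.org/js/forum.js"></script>
</head><body>
<img src="/avatars/1.png">
<img src="https://EXAMPLE.org/img/logo.png">
<img src="data:image/png;base64,AAAA">
<a href="https://other.example.net/">plain link, never fetched with the page</a>
</body></html>
"""

if __name__ == "__main__":
    print(third_party_hosts("https://example.com/forum/", SAMPLE_HTML))
```

Each hostname returned is one that would need its own CAPTCHA solved on the same circuit; resources added later by scripts are not seen by this static pass.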
