Browser Integrity Check broken

If you see this error, as reported on the thread, (Reason: CORS header 'Access-Control-Allow-Origin' missing), that means features like always use https or automatic https rewrites are enabled and the browser chose not to load the resource based on the missing CORS policy.

1 Like

In that case Cloudflare needs to add the missing CORS policy headers. Do you by chance have an ETA on that fix?

The browser behavior you’re describing sounds to me like properly-secure operation. Any browser that loads insecure resources from a secure page is either broken or misconfigured. Any system that requires such behavior is defective and needs to be fixed. Mixed-content may have been acceptable a decade ago, but it is very much NOT acceptable now.

In any case, I don’t have anything like what you’ve described enabled in the clean testing profile that is getting blocked.

I’m not entirely sure I agree with your stance on this - at a glance, the User-Agent suggests that this browser is using a Firefox build from 2019 but from using it and what I can see on the release notes, there are multiple updates in the past that fake the User-Agent or Firefox version to get around compatibility issues.

This seems very much like an issue with the browser not keeping up-to-date with the way that the internet, and the vast majority of websites, are working nowadays. Intentionally reducing the complexity of the Managed Challenges means making Cloudflare weaker against automated traffic, and that isn’t an objective they should pursue.

The maintainer of the browser should reach out and see what part of the browser is failing the checks that every modern browser is handling just fine. If the vast majority of the web works fine but edge-case browsers that are intentionally not supporting the modern internet & using ancient browser bases don’t, I think it’s clear who the onus is on to fix that issue.

Hmm, I wouldn’t be quite so sure.
It’s not only about Pale Moon. Not even latest Firefox ESR (fork) is passing their “browser check”.
Wonder which three-letter agency they are also working for.

The latest ESR download from Firefox’s website supports these checks just fine and has no issues loading the website.

I haven’t been able to observe any CORS errors when looping on the managed challenges.

I don’t see where @cloonan is indicating that should be the case? CORS and Mixed Content are not one and the same.

And as an off-topic aside, please refrain from making comments like this - the community is a social platform where you’re receiving free support and advice, negative comments make this topic feel like a hostile environment where people won’t want to help you since they’ll probably be the subject of unfriendly replies.


Please provide me the contact details for someone at Cloudflare technical support so I can report this outage in a more appropriate place. It seems this was not the proper place to try to report this outage.

Thank you for your time.

The options depend on your plan -

However, I suspect that you won’t get the reply that you’re hoping for from them.

Your user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.4.6

Firefox ESR 68.0 is more than End of Life and was superseded by ESR 78.0, which is also End of Life - only ESR 91.0 and beyond is actually supported nowadays.

Cloudflare provide the tools to owners of websites - such as - and they won’t overrule a customer’s settings in any scenarios.

One of the main points of the Browser Integrity Check is to prevent User-Agent spoofing, which the browser in question seems to be a big fan of.

Updated several site-specific user-agent overrides for web compatibility.
Updated some site-specific user-agent overrides for web compatibility.
Updated several site-specific user-agent overrides for web compatibility.
Updated the included site-specific user-agent overrides for a number of websites that need them.
Improved reporting of the operating system in site-specific user-agent overrides.
Updated the WhatsApp Web site-specific user-agent override to respond to Google refusing access based on the old string.
Updated the DropBox useragent override to solve login issues.
Updated the useragent for to work around their “Only with Firefox” discrimination preventing users from downloading themes, old versions of extensions, and other files with Pale Moon.

The list could go on but we’d quickly get bored of reading through it - as far as browser integrity check goes, it’s doing its job.

As far as all of these patches to overwrite specific incompatibilities with a User-Agent string, I’d advise the maintainer to fix the issues at hand since these incompatibilities don’t spring out of nowhere - ESR 68.0 is extremely out of date and can’t be expected to work.

It’s up to the site owner if they think losing traffic from old/incompatible browsers is enough to disable Browser Integrity Check - Cloudflare will not make that decision for them.


To be clear, @KianNH seems to imply the browser is misleading as to its version and it is failing a Browser Integrity Check as a result. Is that actually true? If so there doesn’t seem to be a reason to report BIC is working as designed.


As requested I changed the option that sends an (old) Firefox version string in the user agent from the default “Firefox compatibility” mode to “native” mode. I tried to load and still got the redirect loop. Ray ID: 70647064fe3f8134

The user agent from the browser is as follows:
Mozilla/5.0 (X11; Linux x86_64; rv:4.8) Goanna/20220410 PaleMoon/29.4.6

No reference to the old Firefox version and it still doesn’t work. The only reason the developer added that was because many sites make the questionable decision to rely on information in the user agent string to decide just how badly they can violate proper web standards. More sites fail to work properly with the UA set to native mode than with it set to Firefox compatibility.

Again, I ask, please provide me with a way to contact someone in Cloudflare technical support who is willing and able to fix this outage. It’s clear from your constant negative posts you only want to try to blame someone else.

This topic has NOT been solved. Please remove the solved status, and please refrain from marking a post which is very clearly not a solution as a solution.


1 Like

Intentionally, this should not work. As referred to before, spoofed and fake User-Agents can and should be challenged by Browser Integrity Check.

Browser Integrity Check has methods to make sure that your browser is actually what you’re saying it is - and if it decides that you’re lying, you should fully expect to receive a challenge page.

Edit: to clarify, here is an example. It is fully expected that I will be stuck here (and I am) since my User-Agent isn’t truthful.

Be that as it may, the supposedly improper web standards are supported by all mainstream browsers and hence don’t have any issues.

Whilst we might have differing opinions on what should and shouldn’t be a standard, that isn’t a decision that can be made by a single browser. We wouldn’t break the internet for the minority of internet users, would we?

As per Browser Version Market Share Worldwide | Statcounter Global Stats, Samsung Internet 16.2 is vastly more popular yet makes up 1.94% of the collected user agents. This is without going into the specifics of how often this ‘Pale Moon’ browser will be seen on the internet.

A browser that is intentionally deviating from how the rest of the common browsers work cannot expect to receive the same level of support - especially when delving into years and years of patching an EoL base (ESR 68.0) that was created by someone else (Mozilla).

The browser is saying it’s Firefox - and it isn’t - and should expect to be challenged on that.

We should agree to disagree - but there is no arguing that if an edge-case browser is having issues due to their own development philosophy, they should be the ones who get up-to-date with almost 3 years of changes in Firefox. is the only way to contact Cloudflare support - if you do not have a zone then you are not a customer of Cloudflare, so there is no obligation of support being available to you.

The site owners whose websites you are having issues with however are a customer of Cloudflare - that’s why it’s recommended you report it to them and they can go through the proper channels.

There is no way for you to get in direct contact with technical support without a paid plan, so please defer that task to the site owners who will be able to do that for you.

1 Like

In “native” mode the user agent is not spoofed or faked. The problem isn’t the challenge, it’s the fact that completing the challenge doesn’t allow access to the website. Also, isn’t it rather asinine to rely on something that, as you’ve made crystal clear, is so very easily faked? It’s sad that I could more easily code a script that could walk through the Browser Integrity Check than get my real web browser to pass the check.

So “less popular” browsers should be actively blocked? If everyone had that mindset we’d only have three browsers right now: Edge, Safari, and Samsung Internet. I’ll pass on the walled garden that would turn in to, thank you very much.

Great. So my options are either use browsers that can’t be set not to hemorrhage private information to the likes of Cloudflare, or get maliciously blocked by Cloudflare. I’ve always believed Cloudflare is the single most toxic thing on the internet today (even including social media and the assorted nastiness on Tor) and this thread really serves to drive my point home.

1 Like

Precisely - it is very easy to fake, so the browser integrity check exists to make sure it isn’t. That is the purpose of the security feature, no?

In that case, if you are not satisfied with the response you’ve got from Cloudflare, advise the Pale Moon maintainer to add this in.

Never said this - Pale Moon is impersonating a 3 year old version of Firefox when it isn’t Firefox. That is the issue and what I am saying is that Pale Moon does not warrant an exclusion or any special workarounds.

Use Chromium? It’s Google Chrome, without the Google, and is fully open-source for you to audit yourself whilst actually keeping up-to-date with the internet standards.

These are the negative comments that are unlikely to get anyone from Cloudflare to go out of their way to help you - when the entire thread can be summarized as you bashing the company and their livelihoods.

The Browser Integrity Check makes sure a browser is who it says it is - Pale Moon reports it is Firefox 68, and Pale Moon is not Firefox. It should be challenged, and is being challenged.

I don’t think we’re going to get anywhere with this discussion and it’s quickly devolving into more negativity so I think it’s best we leave it here. The issues at hand with this browser have been explained and the onus is on the maintainers of that browser to fix the issue.


Since very recently, users of Pale Moon (and several other browsers) have reported that the “Browser integrity check” ends up in a reload loop.
This was already reported here in Browser Integrity Check broken but that topic was unfortunately locked before I (the Pale Moon lead dev) was even made aware of it, let alone could reply to it. The logic there is incorrect as regards user agents, user agent sniffing and how we can (not!) mitigate this on the browser side for many thousands of websites that use Cloudflare and may have activated this check in the Cloudflare dashboard.

I also contacted Cloudflare support about this but was basically sent on my way unless I “display the problem under my own account” or “own domains”, meaning I would not be able to have Cloudflare even acknowledge the issue unless and until I deliberately break access to my own sites to demonstrate the point… what weird demand is that !?..

Pale Moon always identifies with a PaleMoon/{version} in its user-agent string, unless a website specifically breaks due to its own UA sniffing practices and being discriminatory against any browser not exactly identifying itself in a specific way as a mainstream browser/vendor; the Firefox/xx.xx part is there for compatibility reasons only, as without it, many more sites will cause problems by not recognizing the UA and often even just flat-out refusing access from independent browsers or sending broken fallback code (for e.g. ancient Internet Explorer quirks). Pale Moon has 3 modes for its UA, all of which identify with PaleMoon/{version} and vary other parts for various levels of webcompat.

Just because we indicate a lower version of Firefox as compatibility (to try and avoid broken feature detection since our feature set is different and we’re forced to try and find a “lowest common denominator” here) does not mean we base the browser on an old Firefox version and are just a rebuild. Pale Moon uses the UXP platform and Goanna engine, both hard forks (of mozilla-central and Gecko, respectively) from Mozilla for years with individual development, updated security, and enhanced feature sets that are much more modern than what the UA sniffing “dumb check” thinks. There are many articles out there indicating why UA sniffing is a bad idea, including this article on Mozilla’s own site: Browser detection using the user agent - HTTP | MDN

I’ve also long since had a post up on our forum detailing how our UA string is generally built up if not site-specifically overridden. Developers: What do I need to know about Goanna? - Pale Moon forum

It’s obviously not possible for us to make site-specific UA overrides for every website that uses Cloudflare and enables the browser integrity check function. Something as easily spoofed as a UA should also never be used to check integrity, that’s just folly. It’s already bad enough that it’s being used for feature detection instead of, you know, feature detection itself.

Spoofing a user-agent to something that passes your “integrity check” is trivial, also for genuinely bad clients and if you insist on using it as an integrity check then you must at all times keep a full and updated list of all “valid” clients; this is one of the big pitfalls using UA checks and even then won’t do anything against “perfect spoofers” (bad clients presenting a perfect matching UA) – this has been one of the main issues with sniffing the user agent as a practice… for decades already. Please don’t turn back the clock.

Bottom line is: your approach is now breaking use of Cloudflare-backed websites based on an arbitrary UA check for many websites, and it feels like flat out discrimination and trying to enforce a full monoculture on all Cloudflare users.


I have to agree with @awz3oefwdrxnog2 on this matter. BIC needs to support compatibility modes used by numerous browsers and shouldn’t rely entirely on the user agent.

I also request that the MVP stop marking topics as solved when they are not solved, I’ve had this happen many times before too. Please don’t lock this discussion either as I wrote up a big response earlier today and then suddenly I couldn’t post it. Time wasted

First, can a mod please remove the solved status from this thread? It is very much not solved and the “solution” is anything but that.

I think you overlooked my post where I set it to native mode, which turns off the “impersonating,” and it still didn’t work:

While we’re on the subject of “impersonating another browser” let’s take a look at Chromium, a browser you specifically mentioned. Here’s the user agent it’s sending:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

Oh, look, it’s impersonating Safari. Chromium is not Safari, so it should be blocked for forging a user agent, right? NOPE! It goes right through the check on and even does so with JavaScript disabled! So this is absolute proof that Cloudflare is favoring browsers with a Chrome engine and discriminating against smaller and more privacy-friendly browser projects.

Before you bring up “just use Chromium” again, I don’t use Chromium because there are things I can control in Pale Moon that, by design, can’t be controlled in Chrome/Chromium. Fine-grained script blocking, for example, is prone to failure in Chrome/Chromium whereas Firefox and Pale Moon can do that without issue. Ad blockers are also less effective on Chrome/Chromium than on Firefox/Pale Moon.

I’ll end with this: how can you possibly verify that the user agent string sent by a browser is not forged without omniscience? Does Cloudflare really claim to know the inner workings of EVERY web browser ever developed? The user agent is, as you’ve said, very easily modified. It’s also the first thing a bot developer will forge. Therefore, anyone relying on it for any reason whatsoever is a fool at best and malicious at worst. The only proper thing to do with the user agent is discard it as untrustworthy, not use it as a test to foolishly try to determine if a connection comes from a “legitimate browser.”

1 Like
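As an added illustration (not code from any poster, Pale Moon or Cloudflare), the sketch below tokenises the three User-Agent strings quoted in this thread and compares a naive substring check with a most-specific-token lookup. The precedence list and all function names are assumptions made for this example, and nothing here reflects how Browser Integrity Check is implemented.

```python
import re

# User-Agent strings exactly as quoted in the thread above.
UA_PALEMOON_COMPAT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) "
                      "Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.4.6")
UA_PALEMOON_NATIVE = ("Mozilla/5.0 (X11; Linux x86_64; rv:4.8) "
                      "Goanna/20220410 PaleMoon/29.4.6")
UA_CHROMIUM = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36")

# A User-Agent value is a sequence of product[/version] tokens and
# parenthesised comments; match either one at a time.
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

# Hypothetical, hand-maintained list: more specific products are checked
# first because they also carry the tokens of browsers they stay compatible with.
PRECEDENCE = ("PaleMoon", "Chromium", "Chrome", "Firefox", "Safari")


def parse_products(ua):
    """Split a UA string into ordered (name, version) pairs and comments."""
    products, comments = [], []
    for comment, name, version in _TOKEN.findall(ua):
        if name:
            products.append((name, version or None))
        elif comment:
            comments.append(comment)
    return products, comments


def naive_family(ua):
    """Substring sniffing: the first needle found anywhere in the string wins."""
    for needle in ("Safari", "Firefox", "Chrome"):
        if needle in ua:
            return needle
    return "unknown"


def specific_family(ua):
    """Return (name, version) of the most specific known product token."""
    names = dict(parse_products(ua)[0])
    for name in PRECEDENCE:
        if name in names:
            return name, names[name]
    return "unknown", None


def compat_claims(ua):
    """Known browser tokens present only as compatibility claims."""
    family, _ = specific_family(ua)
    names = dict(parse_products(ua)[0])
    return [n for n in PRECEDENCE if n in names and n != family]


if __name__ == "__main__":
    for ua in (UA_PALEMOON_COMPAT, UA_PALEMOON_NATIVE, UA_CHROMIUM):
        print(naive_family(ua), specific_family(ua), compat_claims(ua))
```

Both functions only describe what the header claims: any client that sends one of these strings verbatim is classified identically, so the result is a compatibility hint and not evidence of which software is connecting.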

So, rather than digging deeper into the browser integrity thing per se, wouldn’t it be possible for cases like these (uncommon/older browsers) to just trigger a captcha instead? I wouldn’t mind solving some captchas to be able to get to all my sites in my “non standard” browser that started having this problem recently. I have no desire to switch to a more popular browser if it lacks the power-user features of my preferred browser.

(Meanwhile, I’m an actual human browsing to the site, so not sure how the site owner will benefit from me visiting it less and thus getting fewer ad impressions, and this was clearly a CF change affecting multiple sites, rather than multiple sites coincidentally deciding to change their settings all at once.)

1 Like

So, Cloudflare only accepts browsers who support all the standards and drafts big companies like Google throw into the wild.

Browsers who are not supporting them or only parts of them are not allowed to pass the Cloudflare check.

This is outright criminal and highly disgusting as nobody - not even Cloudflare - has the right to decide that you have to support ALL webstandards to enter Cloudflare protected pages.

What in all purgatories is wrong with this company?

1 Like

That might be the case in the future as Managed Challenges (which include an ‘interaction’ slow path) become more popular & used across Cloudflare’s suite.

Those challenges include, but are not limited to, proof-of-work, proof-of-space, probing for web APIs, and various challenges for detecting browser-quirks and human behavior.

I’ll echo what’s already been said several times before in this thread since people can’t seem to understand how to be reasonable & seem to want to get their own thread to fix their own issue locked again.

As an aside, maybe the rest of the ‘Pale Moon’ forum should take note as well since coming here and posting messages that serve no purpose but to call Cloudflare ‘criminal’ or ‘malicious’ will get it locked for brigading. That isn’t going to help your cause, is it?

Provide constructive feedback, say what does and doesn’t work, not baseless claims about ‘web standards’ and ‘monoculture’ which you have absolutely no idea about other than the fact your browser gets stuck on a single challenge page.

The only useful post has actually come from the developer, the rest of you are just trying to throw fuel to the fire making random, arbitrary claims.

Here’s the Cloudflare Community FAQ which includes the community guidelines: FAQ - Cloudflare Community

You’re on a community forum, one that is provided to you for free and is also where the vast majority of free plan users who wouldn’t typically get access to Cloudflare support can have their issue resolved by other members of the community or, beyond what their plan entitles them to, even have their closed tickets re-opened & escalated into a special queue.

You are not owed support, you are not owed a direct contact to someone at Cloudflare and you should be going through the standard support flow to report issues with users accessing your site.

Do you think that anyone from Cloudflare is going to go out of their way to offer you assistance when more than half of this post is ranting ‘at best’ and calling their livelihoods criminal & disgusting ‘at worst’?

If you’re having a genuine issue that’s impacting lots of users, it’s in everyone’s best interest to resolve it - and you’ve done nothing to help that, you’re only trying to get it closed before anyone can look into it.

1 Like

Sorry to say but it is malicious behavior - Cloudflare DOES Feature detection for all the modern web standards and drafts and DOES discriminate against browsers who are not supporting them or have limited support for them. That is clearly wrong and as stupid as discriminating against certain user agents.

The fact that it does not matter which user agent you use in Pale Moon shows clearly that my comment is fully valid. Cloudflare rejects browsers which are not supporting most standards or drafts which are considered recent.

But this should not be the job of Cloudflare which only is an in-between security layer - this should be done by the webpages in question directly.

And the fact that Cloudflare shows such anti competitive behavior which only favors and supports recent Chrome, Firefox or Safari browsers is highly shady at least and criminal at most.

At least there should be a fall-back layer…

For browsers which are unable to support most modern drafts and standards perhaps in the form of an oldskool captcha which does not require feature detection - something Pale Moon can’t satisfy as it is a small browser with a small developer team which has a hard time to implement Chrome or Firechrome(fox) optimized web-standards and drafts - so they are also able to pass the Cloudflare security layer without getting straight forward refused to view the webpages in question.

Fails BIC:
Pale Moon 29.4.6 (April 2022)
Firefox 54.0 (June 2017)

Passes BIC:
Firefox 78.0.1 (July 2020)
Opera 63.0.3368.107 (October 2019)
Chrome 77.0.3834.0 (June 2019)
Vivaldi 1.12.955.36 (September 2017)
iOS 12.3 (November 2018)

Considering Firefox’s 2017 version doesn’t work but Vivaldi’s 2017 version does, I don’t particularly understand the narrative around this whole ‘only the top 3’ or ‘latest web standards’.

Three browsers that have been out-of-date for nearing 3 years or more seem to pass it fine - you’d think that if Cloudflare were enforcing ‘all’ web standards then these wouldn’t work.

The internet can’t continue to cater to ancient browsers - regardless of your qualms with Cloudflare, hCaptcha isn’t going to support you even if Cloudflare did serve you with a captcha. Frequently Asked Questions | hCaptcha