Cloudflare blocking external javascript file on one page only

Security Access
#1

Newb to Cloudflare Community here. Hope I’m in the right place!

We’ve got two similar pages on our site, one to sell tickets to a performance in Australia (https://metropolistouring.com), the other New Zealand (https://metropolistouring.com/newzealand). When I add the following code to the NZ page and try to save the edit, we get the page below (screenshot). Add the almost identical code (the ID# is different) to the Australian page and it saves successfully without Cloudflare blocking it.

Can anyone tell me how I can fix this? The problem appears to be with the tag at the end.

<div><h1 color="#000">Exclusive Pre Sale Access</h1><div><div><p>Sign Up for Your Access to the Exclusive Pre Sale 
Pre Sale begins 12pm Thursday 25th February</p></div><form class="js-cm-form" id="subForm" action="https://www.createsend.com/t/subscribeerror?description=" method="post" data-id="5B5E7037DA78A748374AD499497E309E9ED3FAA02A2E83BC59DAECC198CB6C5D1D4EE56875A7963A3B464C4922F0D5E01375D3F92225124F028AB8B5E22E8FD9"><div><div><label>Email </label><input autocomplete="Email" aria-label="Email" class="js-cm-email-input qa-input-email" id="fieldEmail" maxlength="200" name="cm-bottjl-bottjl" required="" type="email"></div></div><button type="submit">Sign Up</button></form></div></div><script type="text/javascript" src="https://js.createsend1.com/javascript/copypastesubscribeformlogic.js"></script>

Screenshot_2021-02-23 Attention Required Cloudflare
Screenshot_2021-02-23 Attention Required Cloudflare1764×1115 43 KB

Thanks (hopefully) in advance,

Simon

#2

I’d assume you are being blocked by WAF. Check the firewall event log and what exactly blocks these requests. Then you can disable or adjust the rule in question.

#3

Thanks! Yes, looks like that’s what it is, I can see it in the logs. But I added a rule to allow ( (http.request.uri contains “/newzealand/wp-admin/post.php”) ) but it still didn’t allow the script and the submitting the page was blocked again. Here’s the diagnostic stuff

image
image1457×789 53.7 KB

Anything in there that looks awry?

#4

Firewall rules do not reach into WAF and you’d need to disable that rule itself. The only thing you can do with firewall rules in this context is skip WAF altogether.

image
image1044×362 9.73 KB

#5

Disabling it would be on page 27 of Cloudflare Specials (is Cloudflare running a restaurant now? :wink:)

image
image952×59 1.85 KB

#6

Well, if a bookseller can offer cloud computing… :laughing:

Thank you so much! that’s got it working. Any idea why Cloudflare FW would block it on one page, but not another? I’m not necessarily thinking anyone outside of CF would know…

#7

Oh…you may have already answered that! Sorry…tired. It’s getting late here in Sydney

#8

Good point :smile:

Depends on the rule and what you sent.

You said the only difference was the value of data-id, right? And the value where it got block was

5B5E7037DA78A748374AD499497E309E9ED3FAA02A2E83BC59DAECC198CB6C5D1D4EE56875A7963A3B464C4922F0D5E01375D3F92225124F028AB8B5E22E8FD9
#9

Yep, that’s the only difference.

#10

That would seem like a regular hex string and I wouldn’t really expect it to throw an XSS error. I am afraid there is little information available on the details of how each of the managed rules work and that’s something only a Cloudflare engineer with the right access could check (possibly not even support). If you want to check this further you’d have to open a support ticket and they can hopefully pass that on to someone who could check.

#11

If it happens again, I’ll dig deeper…got enough on my plate as it is.

Thanks so much for the help. It was big. The help that is. :clap:

1 Like
#12

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.