Cloudflare blocking external javascript file on one page only

Newb to Cloudflare Community here. Hope I’m in the right place!

We’ve got two similar pages on our site, one to sell tickets to a performance in Australia (https://metropolistouring.com), the other New Zealand (https://metropolistouring.com/newzealand). When I add the following code to the NZ page and try to save the edit, we get the page below (screenshot). Add the almost identical code (the ID# is different) to the Australian page and it saves successfully without Cloudflare blocking it.

Can anyone tell me how I can fix this? The problem appears to be with the tag at the end.

<div><h1 color="#000">Exclusive Pre Sale Access</h1><div><div><p>Sign Up for Your Access to the Exclusive Pre Sale 
Pre Sale begins 12pm Thursday 25th February</p></div><form class="js-cm-form" id="subForm" action="https://www.createsend.com/t/subscribeerror?description=" method="post" data-id="5B5E7037DA78A748374AD499497E309E9ED3FAA02A2E83BC59DAECC198CB6C5D1D4EE56875A7963A3B464C4922F0D5E01375D3F92225124F028AB8B5E22E8FD9"><div><div><label>Email </label><input autocomplete="Email" aria-label="Email" class="js-cm-email-input qa-input-email" id="fieldEmail" maxlength="200" name="cm-bottjl-bottjl" required="" type="email"></div></div><button type="submit">Sign Up</button></form></div></div><script type="text/javascript" src="https://js.createsend1.com/javascript/copypastesubscribeformlogic.js"></script>

Thanks (hopefully) in advance,

Simon

I’d assume you are being blocked by WAF. Check the firewall event log and what exactly blocks these requests. Then you can disable or adjust the rule in question.

Thanks! Yes, looks like that’s what it is, I can see it in the logs. But I added a rule to allow ( (http.request.uri contains “/newzealand/wp-admin/post.php”) ) but it still didn’t allow the script and the submitting the page was blocked again. Here’s the diagnostic stuff

Anything in there that looks awry?

Firewall rules do not reach into WAF and you’d need to disable that rule itself. The only thing you can do with firewall rules in this context is skip WAF altogether.

Disabling it would be on page 27 of Cloudflare Specials (is Cloudflare running a restaurant now? :wink:)

Well, if a bookseller can offer cloud computing… :laughing:

Thank you so much! that’s got it working. Any idea why Cloudflare FW would block it on one page, but not another? I’m not necessarily thinking anyone outside of CF would know…

Oh…you may have already answered that! Sorry…tired. It’s getting late here in Sydney

Good point :smile:

Depends on the rule and what you sent.

You said the only difference was the value of data-id, right? And the value where it got block was

5B5E7037DA78A748374AD499497E309E9ED3FAA02A2E83BC59DAECC198CB6C5D1D4EE56875A7963A3B464C4922F0D5E01375D3F92225124F028AB8B5E22E8FD9

Yep, that’s the only difference.

That would seem like a regular hex string and I wouldn’t really expect it to throw an XSS error. I am afraid there is little information available on the details of how each of the managed rules work and that’s something only a Cloudflare engineer with the right access could check (possibly not even support). If you want to check this further you’d have to open a support ticket and they can hopefully pass that on to someone who could check.

If it happens again, I’ll dig deeper…got enough on my plate as it is.

Thanks so much for the help. It was big. The help that is. :clap:

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.