Managed Challenge fails in Tor Browser resulting in infinite loop
What steps have you taken to resolve the issue?
I have tested various WAF Custom Rule Challenges and all result in an infinite loop. I have inspected the console and network tabs of developer tools. The site works with the rule set to Skip but shows blocked with the rule disabled (no matter the circuit). I have a HAR file I can provide as well. I see a lot of CORS notifications, which I suspect might have something to do with things.
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
Create a custom rule in WAF settings with the expression (ip.geoip.continent eq "T1") and the action Managed Challenge.
That’s interesting. I looked at the logs and see you did indeed get served via the h2-alt-svc. Connection was tagged with Continent T1 (I also saw you check out the direct .onion). The site does have onion routing enabled via the dashboard and hence the T1 tag.
I don’t know what would cause my instance of Tor Browser to not cooperate and pass the check as it is simply the standard debian package. Tested with security settings on both ‘default’ and ‘safer’. But it is good to know that it works for some?
Hmm, that could be true, but the binary is self-updating and reports version 13.0.16, which seems to be the latest.
What is interesting is I connected my iPhone to Tor (via Orbot) and then attempted to load the page. Initially I had the same infinite challenge. But then I disabled ‘Lockdown Mode’ for the page and it successfully completed the challenge and loaded the page over Tor.
It’s hard to know what features of the browser ‘Lockdown Mode’ affects exactly here, but it makes me think you could be on to something with the Debian packaging if the NoScript rules are bound to the package? Just taking a WAG here lol
Well, I found a solution. I combined my existing managed challenge rule with a check against the Threat Score.
continent = T1
and
threat score > 5
This was enough to allow my instance of Tor Browser through without having to solve a challenge. Ideally I’d challenge all traffic, but if it’s broken for some browsers, might as well let the safe ones through without it.
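As an added example (not code from the original thread, and not Cloudflare's own implementation): a small evaluator for the subset of the Rules language the two rules above use, run over a handful of constructed request records, so the difference between the original rule and the combined one is visible. The field names `ip.geoip.continent` and `cf.threat_score` and the comparators `eq`/`gt` follow the Cloudflare expression syntax; the sample requests, the `id` key, and the choice to treat a missing field as "no match" are assumptions of this example.

```python
import re

# Constructed sample requests (not real traffic). Tor exit traffic is tagged with the
# pseudo-continent "T1" once onion routing is enabled, as the thread describes.
SAMPLE_REQUESTS = [
    {"id": "tor-clean", "ip.geoip.continent": "T1", "cf.threat_score": 0},
    {"id": "tor-noisy", "ip.geoip.continent": "T1", "cf.threat_score": 42},
    {"id": "eu-clean",  "ip.geoip.continent": "EU", "cf.threat_score": 0},
    {"id": "eu-noisy",  "ip.geoip.continent": "EU", "cf.threat_score": 80},
]

# The rule from the first post, and the combined rule from the solution post,
# written in Cloudflare expression syntax.
ORIGINAL_RULE = '(ip.geoip.continent eq "T1")'
COMBINED_RULE = '(ip.geoip.continent eq "T1" and cf.threat_score gt 5)'

# Tokens: parentheses, "quoted strings", integers, and identifiers/keywords.
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(\d+)|([A-Za-z_][A-Za-z0-9_.]*))')


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("lparen", "("))
        elif m.group(2):
            tokens.append(("rparen", ")"))
        elif m.group(3) is not None:
            tokens.append(("str", m.group(3)))
        elif m.group(4):
            tokens.append(("num", int(m.group(4))))
        else:
            tokens.append(("ident", m.group(5)))
    return tokens


class Parser:
    """Recursive-descent parser; precedence (lowest to highest): or, and, not, comparison."""

    COMPARATORS = {
        "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
        "gt": lambda a, b: a > b,  "lt": lambda a, b: a < b,
        "ge": lambda a, b: a >= b, "le": lambda a, b: a <= b,
    }
    KEYWORDS = {"and", "or", "not"} | set(COMPARATORS)

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind=None):
        tok = self.peek()
        if kind is not None and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input: {self.peek()}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("ident", "or"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == ("ident", "and"):
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == ("ident", "not"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        kind, value = self.peek()
        if kind == "lparen":
            self.take()
            node = self.parse_or()
            self.take("rparen")
            return node
        if kind != "ident" or value in self.KEYWORDS:
            raise ValueError(f"expected field name, got {(kind, value)}")
        self.take()
        op = self.take("ident")[1]
        if op not in self.COMPARATORS:
            raise ValueError(f"unknown comparator {op!r}")
        lit = self.take()
        if lit[0] not in ("str", "num"):
            raise ValueError(f"expected literal, got {lit}")
        return ("cmp", op, value, lit[1])


def evaluate(node, fields):
    tag = node[0]
    if tag == "cmp":
        _, op, field, literal = node
        if field not in fields:      # assumption: an absent field never matches
            return False
        return Parser.COMPARATORS[op](fields[field], literal)
    if tag == "and":
        return evaluate(node[1], fields) and evaluate(node[2], fields)
    if tag == "or":
        return evaluate(node[1], fields) or evaluate(node[2], fields)
    return not evaluate(node[1], fields)   # "not"


def compile_rule(expr):
    tree = Parser(tokenize(expr)).parse()
    return lambda fields: evaluate(tree, fields)


def challenged_ids(expr, requests=SAMPLE_REQUESTS):
    """IDs of the sample requests that the rule would send to the Managed Challenge."""
    rule = compile_rule(expr)
    return [r["id"] for r in requests if rule(r)]


if __name__ == "__main__":
    for name, expr in (("original", ORIGINAL_RULE), ("combined", COMBINED_RULE)):
        print(f"{name}: {expr} -> challenge {challenged_ids(expr)}")
```

With the original rule every T1 request is challenged, including the clean Tor Browser session that cannot finish the challenge; with the combined rule only the T1 request with a threat score above 5 is challenged, which is the trade-off the post describes.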
Since this happened, I now can pass a managed challenge on Tor Browser, but still fail via Mullvad Browser until I drop security down to Standard instead of “Safer”, and on iOS Safari until turning off “Lockdown Mode”.
The issue is clearly with the Turnstile widget for the Managed Challenge pages. Is there any way to report / raise this ticket to Cloudflare? I can’t seem to find a way, as it steers to these forums.
This is a technical issue with Cloudflare’s services (not site configuration) that I believe would be affecting users globally (albeit a smaller more security oriented subset).