What happens when an <img> hit gets a challenge?

Hi, I’ve just started using Cloudflare and I have a question.

I understand that if www.example.com is proxied, and an IP seems suspicious, Cloudflare will issue a challenge that can be a JavaScript test or CAPTCHA. This has happened to me personally some times before when I tried to access webpages.

However, what happens if www.example.com is not proxied, but in the webpage there’s an img element whose src is in a proxied domain?

<img src="http://proxied.example.com/cats.jpg">

What would the user see in this case? Would the image just fail to load?

I have all my images on one subdomain, but the articles that use those images are in a different subdomain. Would it make sense to use a page rule to disable security on the images until I enable Cloudflare on the articles’ subdomain?

Since the client would request the proxied domain it should be protected. Just ensure that there are no relative paths.

But how would the challenge work in practice? As I’ve mentioned previously, I’ve personally been “challenged” with CAPTCHAs before, and I’m not a bot. Since I was accessing HTML pages, I could pass the challenges, but what happens when Cloudflare tries to serve a challenge to a user accessing an embedded image?

I don’t know for sure, but I think you can’t serve JavaScript through an img tag, so I’m not sure how the challenge would work out, and how a legitimate user would become able to access the proxied content in this case.

My understanding is that you’re asking what happens if you trigger a challenge with a request that isn’t the main document. We can test it out:

https://firewall.m.workers.dev/test/chl-sub-req

Which shows that the request will get blocked and you’d need to get the clearance directly from the linked domain.

3 Likes
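
As an added illustration of the answer above (not code from the thread or from Cloudflare): a monitoring check that tells a challenged image subrequest apart from a served image. It assumes challenge responses carry the `cf-mitigated: challenge` header with an HTML body; the function names and the sample responses are constructed for this example.

```javascript
// Added example: classify what an <img> subrequest to a proxied host received.
// Assumption: challenge responses carry `cf-mitigated: challenge` and an HTML
// body. All sample responses below are constructed.

function header(headers, name) {
  // Header names are case-insensitive; accept any casing in the input map.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? '' : String(headers[key]).trim().toLowerCase();
}

function classifyImageResponse({ status, headers }) {
  const mediaType = header(headers, 'content-type').split(';')[0].trim();
  if (header(headers, 'cf-mitigated') === 'challenge') return 'challenged';
  if (status >= 200 && status < 300 && mediaType.startsWith('image/')) return 'image';
  // HTML where an image was expected: the <img> renders as broken.
  if (mediaType === 'text/html') return 'html-instead-of-image';
  return 'other-failure';
}

function auditImages(samples) {
  // Return the URLs a visitor would see as broken images, with the reason.
  return samples
    .map((s) => ({ url: s.url, verdict: classifyImageResponse(s) }))
    .filter((r) => r.verdict !== 'image');
}

// Live probe (needs network; Node 18+ provides fetch). Not called here.
async function probe(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return classifyImageResponse({ status: res.status, headers: Object.fromEntries(res.headers) });
}

// Constructed sample responses for the image from the question.
const SAMPLES = [
  { url: 'http://proxied.example.com/cats.jpg', status: 200,
    headers: { 'Content-Type': 'image/jpeg' } },
  { url: 'http://proxied.example.com/cats.jpg?visitor=flagged', status: 403,
    headers: { 'Content-Type': 'text/html; charset=UTF-8', 'CF-Mitigated': 'challenge' } },
  { url: 'http://proxied.example.com/missing.jpg', status: 404,
    headers: { 'content-type': 'text/html' } },
];

console.log(auditImages(SAMPLES));
```

A `challenged` verdict on an image URL corresponds to the case described in the answer: the image is blocked until the visitor gets clearance directly from the proxied domain.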

Thanks for confirming my guess. 🙂

1 Like

I see. I was afraid this would be the case. Thanks.

1 Like
