Hi, I’ve just started using Cloudflare and I have a question.
I understand that if www.example.com is proxied, and an IP seems suspicious, Cloudflare will issue a challenge that can be a JavaScript test or captcha. This has happened to me personally a few times before when I tried to access webpages.
However, what happens if www.example.com is not proxied, but in the webpage there’s an img element whose src is in a proxied domain?
<img src="http://proxied.example.com/cats.jpg">
What would the user see in this case? Would the image just fail to load?
I have all my images on one subdomain, but the articles that use those images are in a different subdomain. Would it make sense to use a page rule to disable security on the images until I enable Cloudflare on the articles’ subdomain?
But how would the challenge work in practice? As I’ve mentioned previously, I’ve personally been “challenged” with captchas before, and I’m not a bot. Since I was accessing HTML pages, I could pass the challenges, but what happens when Cloudflare tries to serve a challenge to a user accessing an embedded image?
I don’t know for sure, but I think you can’t serve JavaScript through an img tag, so I’m not sure how the challenge would work out, and how a legitimate user would become able to access the proxied content in this case.