Re: [tor-talk] CloudFlare one site, multiple domains problem

Delton Barnes wrote:
> Hello,
> There is a forum website I frequent in Tor Browser that uses two 
> CloudFlare domains. One (say "example.com") is the main website,
> and the other (say "example.org") provides static content such as
> images and JavaScript.
> A CloudFlare CAPTCHA is almost always presented when accessing 
> example.com. After completing it, example.com loads fine, but all 
> requests to example.org get a 403 response (as observed in Network
> tab of Developer Toolbar). The result is the forum is unusable.
> Strangely, if I manually enter any of the individual example.org
> URLs that received a 403 response in the same tab, they load fine
> (200 response).
> Has anyone encountered this problem? If so, is there a good
> workaround? Usually I switch Tor circuits until I get one that does
> not block example.org.

I have encountered this problem regularly, e.g. with HackerOne. The
problem is that CloudFlare does not recognize the common session
across the distinct domains, assumes that the requests to example.org
are different to those from example.com, and returns a CAPTCHA. But
you can't solve a CAPTCHA for an image URL loaded inside a page >_>

If you were actually requesting example.org, you would see the CAPTCHA
page. But because the Tor Browser Bundle uses a new circuit per domain
name (in the tab's URL bar), you can't just open example.org in a new
tab, solve the CAPTCHA, and then reload example.com, because the
example.org CAPTCHA is associated with a different Tor circuit.

I have notified the websites I have had this problem with, as well as
CloudFlare, but until they provide some way for server operators to
"link" domains together, so a request from an IP to example.com (that
has had a CAPTCHA solved) followed by a request from that IP to
example.org is recognized as the same session, then there isn't much
that can be done.

A possible workaround would be for Tor Browser to include an option
that allows users to "open all CAPTCHAs on this page". It could look
for all unique domains within a page, and open a tab (or pop-up
window) for each through the same circuit. That would allow users to
authenticate that site's Tor circuit with CloudFlare for all domains
the site uses. But this would probably need to be repeated each time
the circuit changes (like the CAPTCHAs already need to be).


> Unfortunately I cannot share the website as doing so could identify
> me. Also, I have been unsuccessful getting the administrator to
> whitelist Tor (e.g., by using recently publicized GitHub script).
> Thanks, Delton
