user.js: RFP causes Cloudflare to loop infinitely [bugzilla 1735193]

Issue

Enabling privacy.resistFingerprinting (RFP) makes it impossible to pass the Cloudflare DDoS check

How

  1. Create a fresh profile and only enable the above-mentioned config, no add-ons or other configurations
  2. Visit either https://sendspace.com/ or https://steamdb.info/app/730/

Expected Result

Page redirects only once as usual, proceeding to desired website

Observed Result

Page repeats the check indefinitely, making website inaccessible

When

This started happening since some previous version, but not earlier than 89

Temporary Solution

Disabling privacy.resistFingerprinting resolves the issue, but I’d rather find a way to use it again

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 32 (20 by maintainers)

Most upvoted comments

  1. Visit https://gitlab.com/users/sign_in and make sure it works
  2. Clear cookies
  3. Set privacy.resistFingerprinting=true and visit https://gitlab.com/users/sign_in again, it is now broken.
  4. Reset RFP and clear cookies
  5. Visit https://gitlab.com/users/sign_in, it works again
  6. Clear cookies
  7. Now set dom.enable_resource_timing=false and visit https://gitlab.com/users/sign_in, it is broken again.

I have stopped using GitLab since they have introduced this malicious antifeature and continued the malicious behavior of migrating functionality from server-side implemented into client-side JavaScript.

So this means nothing can be done until Mozilla fixes this bug

Was going to post that RFP breaks web standards; that’s what all its protections do. When this happens, things can break. And apart from the obvious (e.g. utterly wrecked and randomized canvas), timing is a usual suspect (and rusty-snake confirms this is the area to start looking at).

It’s not a question of when Mozilla can fix this, it’s a question of finding the exact cause and seeing if it’s feasible to do anything about it - i.e. they wouldn’t want to weaken the timing mitigations.

cloudflare bugs

Some of those may be relevant, but it’s more likely a change in their protection code … I think what is happening is their code is ending too early (timers?) and causing a re-check. Have you lodged a bugzilla?

In the meantime, the only solution for these few sites is to open them in a secondary browser/profile. You can install Nightly and Beta alongside stable, at least on Windows. I do not recommend toggling RFP as it is a global switch and mostly runtime (I don’t think anything requires a new session), so open tabs will lose protections and cause paradoxes and issues (such as workers can retain the original RFP instance, while the document doesn’t).

So something changed at cloudflare? Cool. RFP still needs a jesus 👼 fix because anyone including cloudflare can always be assholes about it

With JS allowed in uB and after a few seconds, the test pages load. (Of course with RFP). Cookies? https://sendspace.com/ https://steamdb.info/app/730/ https://gitlab.com/users/sign_in

@Thorin-Oakenpants jesus was listening 👼