Browser doesn't pass Cloudflare captcha if extension enabled #710

Open
K4sum1 opened this issue May 18, 2024 · 11 comments

@K4sum1

K4sum1 commented May 18, 2024

Description

Cloudflare captcha always fails with the extension enabled. DDOS check is infinite loop if enabled.

Expected Behaviour

It should pass both and just work.

Current Behaviour

It just doesn't work.

Possible Solution

The issue seems to go away if I set Canvas API to nothing. I think this invalidates the point of a "CanvasBlocker" though. Maybe whitelisting Cloudflare would be an idea. I added challenges.cloudflare.com to the whitelist and it works.

Steps to Reproduce (for bugs)

  1. create a fresh Firefox profile
  2. Install extension (You don't need to even touch the install page, but I also tried with Convenient settings and reCAPTCHA exception)
  3. Navigate to site that uses Cloudflare captchas or DDOS protection. Easy places to test are https://users.nexusmods.com/auth/sign_in for captcha and http://saucenao.com/edit.php for DDOS check.
  4. Try to see if you can pass.

Context

It affects any website that uses Cloudflare.
Tried it in a VM with a fresh install.

Your Environment

  • CanvasBlocker Version used: 1.10.1
  • Firefox version incl. 32- or 64-bit: 126.0 64 bit (Also tried 115.10 64 bit)
  • Operating System and version (desktop or mobile): Windows (Desktop)
  • Installed addons: CanvasBlocker

Your Settings

{
	"logLevel": 1,
	"urlSettings": [
		{
			"url": "mail.google.com",
			"protectDOMRect": false
		},
		{
			"url": "onedrive.live.com",
			"protectDOMRect": false
		},
		{
			"url": "^https://[^/]*ebay\\.([a-z]+|com\\.(au|hk|my|sg)|co\\.uk)(/|$)",
			"protectDOMRect": false
		},
		{
			"url": "paypal.com",
			"protectWindow": false
		},
		{
			"url": "dhl.de",
			"protectWindow": false
		}
	],
	"hiddenSettings": {},
	"expandStatus": {},
	"displayHiddenSettings": false,
	"whiteList": "",
	"sessionWhiteList": "",
	"blackList": "",
	"blockMode": "fake",
	"protectedCanvasPart": "readout",
	"minFakeSize": 1,
	"maxFakeSize": 1000000,
	"rng": "nonPersistent",
	"protectedAPIFeatures": {},
	"useCanvasCache": true,
	"ignoreFrequentColors": 0,
	"minColors": 0,
	"fakeAlphaChannel": false,
	"webGLVendor": "",
	"webGLRenderer": "",
	"webGLUnmaskedVendor": "",
	"webGLUnmaskedRenderer": "",
	"persistentRndStorage": "",
	"persistentIncognitoRndStorage": "",
	"storePersistentRnd": false,
	"persistentRndClearIntervalValue": 0,
	"persistentRndClearIntervalUnit": "days",
	"lastPersistentRndClearing": 1716016579098,
	"sharePersistentRndBetweenDomains": false,
	"askOnlyOnce": "individual",
	"askDenyMode": "block",
	"showCanvasWhileAsking": true,
	"showNotifications": true,
	"highlightPageAction": "none",
	"highlightBrowserAction": "color",
	"displayBadge": true,
	"storeNotificationData": false,
	"storeImageForInspection": false,
	"ignoreList": "",
	"ignoredAPIs": {},
	"showCallingFile": false,
	"showCompleteCallingStack": false,
	"enableStackList": false,
	"stackList": "",
	"protectAudio": true,
	"audioFakeRate": "100",
	"audioNoiseLevel": "minimal",
	"useAudioCache": true,
	"audioUseFixedIndices": true,
	"audioFixedIndices": "9",
	"historyLengthThreshold": 2,
	"protectWindow": false,
	"allowWindowNameInFrames": true,
	"protectDOMRect": true,
	"domRectIntegerFactor": 4,
	"protectSVG": true,
	"protectTextMetrics": true,
	"blockDataURLs": true,
	"protectNavigator": false,
	"navigatorDetails": {},
	"protectScreen": true,
	"screenSize": "",
	"fakeMinimalScreenSize": true,
	"displayAdvancedSettings": true,
	"displayDescriptions": false,
	"theme": "auto",
	"showPresetsOnInstallation": true,
	"dontShowOptionsOnUpdate": false,
	"disruptSessionOnUpdate": false,
	"updatePending": false,
	"isStillDefault": false,
	"storageVersion": 1
}
@spodermenpls
Contributor

spodermenpls commented May 18, 2024

That's kinda odd, I've encountered at least the Cloudflare DDoS protection on a pretty regular basis in the near past, and never had an issue in conjunction with CanvasBlocker being active, so far. The two examples you noted aren't working on my end either, though.

@K4sum1
Author

K4sum1 commented May 18, 2024

This would've happened like today. I noticed it today and just chalked it up to funny main browser config until I needed to access a page, tried trusty ESR, and saw same there.

@K4sum1
Author

K4sum1 commented May 18, 2024

Btw Privacy Badger seems to cause the same issue too if you use crowd sourced blocking. So if you're testing this in a config with a bunch of addons there might be another causing this problem in your browser as well. I wasn't able to get a whitelist working for Privacy Badger.

@spodermenpls
Contributor

spodermenpls commented May 18, 2024

@K4sum1 I've just checked it on the last site that I remembered using "Cloudflare access control", the same problem occurs there too, so this is pretty certainly a recent change on Cloudflare's part. I don't use Privacy Badger, but uMatrix.

Whitelisting the Canvas API protection for challenges.cloudflare.com (in the "APIs" tab of the CB settings, by clicking the small black arrow to expand the Canvas API's site-specific settings, typing/pasting the URL in the text field and clicking the "+" symbol, and then choosing "nothing" in the corresponding drop-down menu) makes it work again, without whitelisting more than (for now) necessary.

@swebow

swebow commented May 19, 2024

Work around solution.

Go to : challenges.cloudflare.com
Click the "Fingerprint" (canvas blocker) and click "Canvas blocker off" so it's a red X on it and becomes a grey finger print.

Tried 2 sites that I knew gave me issues and problem solved now.

Addendum: Also tried to reset Canvas Blocker to factory default and try it again with just Standard preset and reCAPTCHA applied. Then did this work around.

Example below:

[image]

@spodermenpls
Contributor

@swebow Deactivating CanvasBlocker for the entire challenges.cloudflare.com is more than necessary, only disabling the Canvas API protection is the minimally invasive procedure. I made a screenshot of how it is supposed to look like (albeit in German, the location of everything is the same with every locale), since handling CanvasBlocker's settings is not the most intuitive thing in the world (but one gets used to it, once one knows how it works):

[Screenshot: cloudflare]
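
Added example, not part of the thread and not CanvasBlocker's own code: a small audit of a settings export (the format posted in the issue) that separates site-wide whitelist entries from narrow per-protection overrides, the distinction drawn in the comment above. It assumes `whiteList` is a comma-separated string and that the per-site Canvas API choice "nothing" is stored in `urlSettings` as `protectedCanvasPart`; the sample data is constructed.

```javascript
// Added example: audit a CanvasBlocker settings export for per-site exceptions.
// Assumptions (not confirmed by the thread): "whiteList" is a comma-separated
// string, and the per-site Canvas API choice "nothing" is stored in urlSettings
// under the key "protectedCanvasPart".

// Constructed sample, trimmed from the export format shown in the issue.
const sampleSettings = {
  whiteList: "example.org",
  protectedCanvasPart: "readout",
  protectWindow: false,
  protectDOMRect: true,
  urlSettings: [
    { url: "paypal.com", protectWindow: false },
    { url: "mail.google.com", protectDOMRect: false },
    { url: "challenges.cloudflare.com", protectedCanvasPart: "nothing" },
  ],
};

// True when a setting value means "this protection is off".
function isOff(key, value) {
  return key === "protectedCanvasPart" ? value === "nothing" : value === false;
}

// Returns one record per host whose protection is weaker than the global default.
function auditExceptions(settings) {
  const findings = [];
  // whiteList entries are treated as a site-wide exemption, as the thread describes.
  const broad = (settings.whiteList || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (const host of broad) {
    findings.push({ host, scope: "all", disabled: ["*"] });
  }
  for (const { url, ...overrides } of settings.urlSettings || []) {
    // An override only matters if it is off while the global setting is on.
    const disabled = Object.keys(overrides).filter(
      (key) => isOff(key, overrides[key]) && !isOff(key, settings[key])
    );
    if (disabled.length > 0) {
      findings.push({ host: url, scope: "partial", disabled });
    }
  }
  return findings;
}

// Hosts exempted more broadly than the single protection they need.
function overBroad(findings) {
  return findings.filter((f) => f.scope === "all").map((f) => f.host);
}

console.log(auditExceptions(sampleSettings));
```

Overrides that match the global value, such as `protectWindow: false` for paypal.com when `protectWindow` is already off globally, are not reported because they weaken nothing.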

@satonotdead

> @K4sum1 I've just checked it on the last site that I remembered using "Cloudflare access control", the same problem occurs there too, so this is pretty certainly a recent change on Cloudflare's part. I don't use Privacy Badger, but uMatrix.
>
> Whitelisting the Canvas API protection for challenges.cloudflare.com (in the "APIs" tab of the CB settings, by clicking the small black arrow to expand the Canvas API's site-specific settings, typing/pasting the URL in the text field and clicking the "+" symbol, and then choosing "nothing" in the corresponding drop-down menu) makes it work again, without whitelisting more than (for now) necessary.

I can confirm that's working. Thanks!

@privacyguy123

I noticed I have to whitelist this domain to pass it too.

@binary-zero-one

binary-zero-one commented May 20, 2024

Did anyone have any luck logging into Epic Games account? It doesn't use challenges.cloudflare.com, but it uses other hcaptcha resources. I've already allowed all APIs for www.epicgames.com, store.epicgames.com, newassets.hcaptcha.com, but after entering the email and passing the captcha, I get “Incorrect response”.
UPD. This login issue is nothing to do with CB. If the privacy.resistFingerprinting: true parameter is used, then adding "newassets.hcaptcha.com,www.epicgames.com,store.epicgames.com" to privacy.resistFingerprinting.exemptedDomains fixes the problem.

@Tenome

Tenome commented May 23, 2024

Same issue.

@privacyguy123

privacyguy123 commented May 23, 2024

> Did anyone have any luck logging into Epic Games account? It doesn't use challenges.cloudflare.com, but it uses other hcaptcha resources. I've already allowed all APIs for www.epicgames.com, store.epicgames.com, newassets.hcaptcha.com, but after entering the email and passing the captcha, I get “Incorrect response”.

I think this issue was caused by the History API. Try to change its value to something more than 3.

Different problem that needs a new issue opened, but this didn't fix it on my side; however, turning off Firefox's "Enhanced Protection" for the site does. I have noticed this breaking multiple sites now, which is sad to see, because as far as I know it's the recommended option to have it turned on.
