Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#21749 closed defect (fixed)

Reported by: globos
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-website, ff52-esr-will-have, cloudflare
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


The Tor browser won't display the last bid/ask items on the landing homepage.
Temporarily allowing all scripts didn't help.
Plain Firefox 52.0 displays the page just fine.

Note: might not be using CloudFlare anymore, because I no longer see captchas when I get there through Tor (which I used to).

Change History (9)

comment:1 Changed 4 years ago by nickm

Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team

comment:2 Changed 4 years ago by gk

Keywords: tbb-usability-website added

We are getting things like

GET XHR [HTTP/1.1 403 Forbidden 298ms]

Not sure why it is forbidden with Tor, though.

comment:3 Changed 4 years ago by globos

I've noticed that with this defect the site is completely unusable for trades. Even after you log in, the script that calculates the amount (number of bitcoins * unit price) doesn't work, and the button to confirm a trade (buy/sell) never appears. Enabling scripts in NoScript unfortunately doesn't help.

This defect, which apparently is connected with the bug in this ticket, appeared about a couple of weeks ago, which was before Tor Browser was updated - so it probably isn't related to this specific version of the Tor Browser.

comment:4 Changed 4 years ago by gk

Keywords: ff52-esr added

Interestingly, it seems to work with my pre-built ESR52-based Tor Browser. Tracking this for our switch as it either means there is something wrong with one of our patches or the problem is fixed with ESR52.

comment:5 Changed 4 years ago by keyser

I have a very similar problem when attempting to access Used to get a CAPTCHA up front before login, now I don't get a CAPTCHA on my way in, but I DO get 403 errors here and there on the site, just enough to make it unusable. I'm running the Tor Browser 6.5.1 (Firefox 45.8.0). I noticed the problem March 10.

If I switch to Chrome I get the CAPTCHA as before and that site works fine.

I also switched to Chrome to post this message, after about five CAPTCHA failures in a row just now, which may be an additional bit of useful data.

comment:6 in reply to:  2 Changed 4 years ago by cypherpunks

Replying to gk:

> We are getting things like
>
> GET XHR [HTTP/1.1 403 Forbidden 298ms]
>
> Not sure why it is forbidden with Tor, though.

Cloudflare again. Full response is

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<title>Attention Required! | Cloudflare</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/" type="text/css" media="screen,projection" /><![endif]-->
<style type="text/css">body{margin:0;padding:0}</style>
<!--[if lte IE 9]><script type="text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script><![endif]-->
<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
<script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script>

  <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
      <div class="cf-wrapper cf-header cf-error-overview">
        <h1 data-translate="challenge_headline">One more step</h1>
        <h2 class="cf-subheadline"><span data-translate="complete_sec_check">Please complete the security check to access</span></h2>
      </div><!-- /.header -->

      <div class="cf-section cf-highlight cf-captcha-container">
        <div class="cf-wrapper">
          <div class="cf-columns two">
            <div class="cf-column">
              <div class="cf-highlight-inverse cf-form-stacked">
                <form class="challenge-form" id="challenge-form" action="/cdn-cgi/l/chk_captcha" method="get">
  <script type="text/javascript" src="/cdn-cgi/scripts/cf.challenge.js" data-type="normal"  data-ray="341986cc39f275f4" async data-sitekey="6LfBixYUAAAAABhdHynFUIMA_sa4s-XsJvnjtgB0"></script>
  <div class="g-recaptcha"></div>
  <noscript id="cf-captcha-bookmark" class="cf-captcha-info">
    <div><div style="width: 302px">
        <iframe src="" frameborder="0" scrolling="no" style="width: 302px; height:422px; border-style: none;"></iframe>
      <div style="width: 300px; border-style: none; bottom: 12px; left: 25px; margin: 0px; padding: 0px; right: 25px; background: #f9f9f9; border: 1px solid #c1c1c1; border-radius: 3px;">
        <textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid #c1c1c1; margin: 10px 25px; padding: 0px; resize: none;"></textarea>
        <input type="submit" value="Submit"></input>


            <div class="cf-column">
              <div class="cf-screenshot-container">
                <span class="cf-no-screenshot"></span>
          </div><!-- /.columns -->
      </div><!-- /.captcha-container -->

      <div class="cf-section cf-wrapper">
        <div class="cf-columns two">
          <div class="cf-column">
            <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2>

            <p data-translate="why_captcha_detail">Completing the CAPTCHA proves you are a human and gives you temporary access to the web property.</p>

          <div class="cf-column">
            <h2 data-translate="resolve_captcha_headline">What can I do to prevent this in the future?</h2>

            <p data-translate="resolve_captcha_antivirus">If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware.</p>

            <p data-translate="resolve_captcha_network">If you are at an office or shared network, you can ask the network administrator to run a scan across the network looking for misconfigured or infected devices.</p>
      </div><!-- /.section -->

      <div class="cf-error-footer cf-wrapper">
    <span class="cf-footer-item">Cloudflare Ray ID: <strong>345678cc123455f4</strong></span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span data-translate="your_ip">Your IP</span>:</span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span data-translate="performance_security_by">Performance &amp; security by</span> <a data-orig-proto="https" data-orig-ref="" id="brand_link" target="_blank">Cloudflare</a></span>
</div><!-- /.error-footer -->

    </div><!-- /#cf-error-details -->
  </div><!-- /#cf-wrapper -->

  <script type="text/javascript">
  window._cf_translation = {};


comment:7 Changed 4 years ago by gk

Keywords: ff52-esr-will-have added; ff52-esr removed

So, this works in a Firefox 52 based Tor Browser because there you get redirected differently. More importantly, you get the usual Cloudflare experience (that is, a CAPTCHA is greeting you) and after solving that one you proceed to the properly working bitcoin page.

Now, the reason for the different redirect is that the ESR 52 sends: Accept-Encoding: gzip, deflate, br and the ESR 45 just Accept-Encoding: gzip, deflate. This seems to me a bug in the Cloudflare setup. They have probably just forgotten that there are still folks out there using ESR 45 and are exposed to the CAPTCHAs.

We can't fix that easily on our side as not sending the Brotli support was explicitly done for ESR 45: as backporting a security fix was deemed too risky.

I hope to get hold of some Cloudflare folks this week who might be able to check at least whether that is really a Cloudflare bug.
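
Added example, not part of the ticket and not Tor Browser or Cloudflare code: a client-side check that recognises when an XHR's 403 body is the Cloudflare CAPTCHA interstitial quoted in comment 6, so a page script can report the block instead of failing silently. The function name, the two-marker threshold and the sample bodies are assumptions; the markers themselves are taken from the response quoted above.

```javascript
// Added example: recognise a Cloudflare CAPTCHA interstitial returned to an XHR.
// Markers come from the 403 body quoted in comment 6; all names are hypothetical.
const MARKERS = [
  { name: "title", re: /<title>\s*Attention Required!\s*\|\s*Cloudflare\s*<\/title>/i },
  { name: "challenge-form", re: /<form[^>]*\bid="challenge-form"/i },
  { name: "captcha-endpoint", re: /action="\/cdn-cgi\/l\/chk_captcha"/i },
];

function classifyResponse(status, contentType, body) {
  const text = typeof body === "string" ? body : "";
  const hits = MARKERS.filter((m) => m.re.test(text)).map((m) => m.name);
  // The Ray ID appears in the footer and as data-ray on the challenge script.
  const ray =
    text.match(/Cloudflare Ray ID:\s*<strong>([0-9a-f]{16})<\/strong>/i) ||
    text.match(/\bdata-ray="([0-9a-f]{16})"/i);
  const isHtml =
    /text\/html/i.test(contentType || "") || /^\s*<!DOCTYPE html/i.test(text);
  // Require the 403 status, an HTML body and at least two independent markers,
  // so an application's own JSON 403 is not mistaken for the interstitial.
  const isChallenge = status === 403 && isHtml && hits.length >= 2;
  return { isChallenge, markers: hits, rayId: ray ? ray[1] : null };
}

// Constructed sample: follows the structure of the quoted response,
// abridged, with a placeholder Ray ID.
const SAMPLE_CHALLENGE = `<!DOCTYPE html>
<title>Attention Required! | Cloudflare</title>
<form class="challenge-form" id="challenge-form" action="/cdn-cgi/l/chk_captcha" method="get">
<span class="cf-footer-item">Cloudflare Ray ID: <strong>0123456789abcdef</strong></span>`;

// Constructed sample: an application-level 403 that is not a challenge page.
const SAMPLE_APP_403 = '{"error":"forbidden"}';

console.log(classifyResponse(403, "text/html; charset=UTF-8", SAMPLE_CHALLENGE));
console.log(classifyResponse(403, "application/json", SAMPLE_APP_403));
```

Logging the returned Ray ID alongside the failed request gives the site operator something concrete to look up on the Cloudflare side.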

comment:8 Changed 4 years ago by gk

Resolution: fixed
Status: new → closed

That got fixed on Cloudflare's side. Thanks to all who helped here.

comment:9 Changed 3 years ago by gk

Keywords: cloudflare added