Infinite loop on cloudflare check

[eirnym]

• Browser name and version: Firefox Developer Edition 118.0b5 (latest at the moment of writing the issue)
• Device (mobile or desktop): desktop
• Page where the issue happens: steamdb search

Describe the bug

How to reproduce:

1. Open a new temporary container (or clean private browsing)
2. Open steamdb.info website
3. never login (!)
4. search

I'm able to pass after cloudflare check on https://steamdb.info/login/ then I'm able to search... just once.

I'm able to pass after cloudflare check if I search anything. It seems, that steamdb script in some cases gets itself into an infinite loop and never finishes cloudflare check even if it succeeds. This loop is shown by increasing number of the same parameters in query string of the address. Below in spoilers is an example of such urls.

Important notes:

• Ray ID 8025ab030ec834d3 if it's relevant for an issue
• based on many forums (example) I'm not the only who encounter the issue.
• I have no issues to get into all other websites I visit where cloudflare is used like GitLab

search url at the beginning of the loop

``` https://steamdb.info/search/?a=app&q=scarf&__cf_chl_f_tk=uvkay.BDbO0m5xuOAQf0bThyMIVNd59of2cWgXsPgs8-1693992265-0-gaNycGzNCvs ```

search url at some point

``` https://steamdb.info/search/?a=app&q=scarf&__cf_chl_f_tk=uvkay.BDbO0m5xuOAQf0bThyMIVNd59of2cWgXsPgs8-1693992265-0-gaNycGzNCvs&__cf_chl_f_tk=DsLVGFljIxZyJSd7_gRbZbIhAjv5I1Oh6SwzvH7AED8-1693992267-0-gaNycGzNGBA&__cf_chl_f_tk=E1VPOMIkmBSvGTXBnPLsCri1iKzNMhBa8Nh9n3AxXZg-1693992268-0-gaNycGzNJhA&__cf_chl_f_tk=hKDDcpkafjbbgt6LF5bL7NkxisnbJ3tf1gAxw_Qw2Vw-1693992270-0-gaNycGzNNTs&__cf_chl_f_tk=k0kQ4sdRGkJtl673ngGqcgAbRt5wQJr9fYLpLfunPtw-1693992276-0-gaNycGzNRXs&__cf_chl_f_tk=jm1_tG0vlzUYJDmi50OM1yWr6uhcF4wv6Vme4xOke7M-1693992284-0-gaNycGzNVxA&__cf_chl_f_tk=v9_KuD9ZToghsUMFjUdVuwYI9hh.wgGnsRI83b0R3jA-1693992291-0-gaNycGzNadA&__cf_chl_f_tk=lJ3r9OfajMMcAp1xlYVz3zOMMnjWGq9hEm6lGjrZdIA-1693992292-0-gaNycGzNfdA ```

search url a little while later

``` https://steamdb.info/search/?a=app&q=scarf&__cf_chl_f_tk=uvkay.BDbO0m5xuOAQf0bThyMIVNd59of2cWgXsPgs8-1693992265-0-gaNycGzNCvs&__cf_chl_f_tk=DsLVGFljIxZyJSd7_gRbZbIhAjv5I1Oh6SwzvH7AED8-1693992267-0-gaNycGzNGBA&__cf_chl_f_tk=E1VPOMIkmBSvGTXBnPLsCri1iKzNMhBa8Nh9n3AxXZg-1693992268-0-gaNycGzNJhA&__cf_chl_f_tk=hKDDcpkafjbbgt6LF5bL7NkxisnbJ3tf1gAxw_Qw2Vw-1693992270-0-gaNycGzNNTs&__cf_chl_f_tk=k0kQ4sdRGkJtl673ngGqcgAbRt5wQJr9fYLpLfunPtw-1693992276-0-gaNycGzNRXs&__cf_chl_f_tk=jm1_tG0vlzUYJDmi50OM1yWr6uhcF4wv6Vme4xOke7M-1693992284-0-gaNycGzNVxA&__cf_chl_f_tk=v9_KuD9ZToghsUMFjUdVuwYI9hh.wgGnsRI83b0R3jA-1693992291-0-gaNycGzNadA&__cf_chl_f_tk=lJ3r9OfajMMcAp1xlYVz3zOMMnjWGq9hEm6lGjrZdIA-1693992292-0-gaNycGzNfdA&__cf_chl_f_tk=lLBLY14o06qEESgCmCqhRY31foOgka4Mf2CI1.PMGN4-1693992293-0-gaNycGzNkxA&__cf_chl_f_tk=CxRjiieqprmaDATznYMFcey4IeQ4qLjznlmSB.4HCoE-1693992295-0-gaNycGzNqdA&__cf_chl_f_tk=bHMiHeE3xPIHpd49G2UeridqLvljjOB.a.NbJDfClhk-1693992296-0-gaNycGzNweU&__cf_chl_f_tk=KDxjb4cn6ZStzrLXsynMmO3rvWPpIf2kW1qJZCvSF7k-1693992306-0-gaNycGzN25A&__cf_chl_f_tk=0aCfX5S36iHJUSv23VOBAQa14dUujkDJvUckv_rPwbk-1693992316-0-gaNycGzN9rs&__cf_chl_f_tk=gnOk_713wpicW0M0.kjQyO7ST3DBN8dK6Ouhwl5T7WA-1693992326-0-gaNycGzOAAETZQ&__cf_chl_f_tk=i4tYRvhvrN4PXqdDcvNryaRRYpiLDAg3Tx4zNxG2vDM-1693992331-0-gaNycGzOAAEx0A&__cf_chl_f_tk=TkC2xEwJRulYImG8xUC2M_3IpNr2nHNDtvsvQXnHmFM-1693992333-0-gaNycGzOAAFR0A&__cf_chl_f_tk=1jgBDSV8o9nZySf9J2LFgUJvJJr6enO3PyD.F9rtew8-1693992341-0-gaNycGzOAAFzpQ&__cf_chl_f_tk=KXDPdA6rBqL42gh413v4jFYw1idw90Lc5N.Ia6i6AtI-1693992351-0-gaNycGzOAAGXJQ&__cf_chl_f_tk=jp0YT_WAyfSjVZmeHfe05iXSkrH6j2Khd0.lJebAsa8-1693992359-0-gaNycGzOAAG8kA&__cf_chl_f_tk=heMaSmoBo9M.UTjFDrZWCafBKHo_GrkCmVI1_PCqflA-1693992361-0-gaNycGzOAAHj0A&__cf_chl_f_tk=qtqC_hgAj4TreNrrEYnyzVfBykhcDQPNyDGi0Q79Wy4-1693992364-0-gaNycGzOAAINJQ&__cf_chl_f_tk=wNHcSFE5nBYHOG0BKFSk5AdVpChm58j3sPwtg6LK_1A-1693992370-0-gaNycGzOAAI4ZQ&__cf_chl_f_tk=w7T5_L4AXxCZqnd621NxuSJRbKoxjxk7uNg8.OJM_OY-1693992378-0-gaNycGzOAAJlkA&__cf_chl_f_tk=S8js7_LbuEpfSqbTQAIhNBj8O6qK.bI4n1F4mkXnm6c-1693992388-0-gaNycGzOAAKU5Q&__cf_chl_f_tk=JynAIei9Q_YdUUKacx.iJF4kwYwSBE0H6MBluPM_NJw-1693992400-0-gaNycGzOAALGZQ&__cf_chl_f_tk=bCVSCylj7gpTvwPkPhGVKstIP0yfJSmjIuLAIKJ37Pk-1693992409-0-gaNycGzOAAL6JQ ```

[xPaw]

I cant reproduce this. Make sure to try without extensions and/or with a new fresh profile.

[eirnym]

As I wrote above, I able to pass the check on login page, then search once (and only once for me). Additionally, I have no issues with the same plugin set and same browser profile on any other web sites (and many of them are using cloudflare).

Thus, I believe problem is not in cloudflare code, but in code of steamdb code.

Too many users has been reported on this, as you see some of ray ids on ycombinator thread. Most of them are unable to open even login page. There reported only a small portion of actual users.

I reported the issue for you to verify the code if there's no small logic issues which could lead to such loop. I know, that code audit is a tedious task.

[xPaw]

But can you try it though? SteamDB doesn't have code that would cause extra encoding of urls (for & to appear), especially where it only affects you but not others.

And the challenge page has no steamdb javascript.

[eirnym]

Am I correct to say, that you believe the problem is on the cloudflare side?

[eirnym]

So you believe, that If I transfer all my settings to a new profile, I'll have a new result?

[xPaw]

I'm telling you to try a fresh profile without transferring any of the settings.

[eirnym]

If you say, that cloudflare is responsible for this infinite loop, please consider to report this to them. A normal user like me who have no webside behind cloudflare can't report for a random website about the problem. I supplied ray id which is enough for them to reproduce the problem.

[eirnym]

You can't reproduce, because you haven't enabled anti-fingerprinting settings in the browser. As other pages which require cloudflare like login page on steamdb can pass the cloudflare fingerprinting, I consider that search page should also pass similar check

[xPaw]

You can try sending them an email like they suggest in the HN thread. Not saying you have restrict fingerprint enabled is an important omission that breaks a lot of non obvious things.

And it seems like the bug is with ampersands which is odd, hence why login page works.

EDIT: I can't reproduce it with resistFingerprinting enabled either way. I'm thinking you have some addon that breaks it.

[eirnym]

If any of addons would break it, 1) we won't see any YCombinator posts about specifically cloudflare and firefox 2) other websites and pages (like login page on steamdb website) would break as well.

BTW, I haven't found any support page for regular users, not for a website holders. Website holders has a report system for their website and specific pages they could refer to. Their RAY ID has been included for them to track the problem

PS: resistFingerprinting is not the only anti-fingerprinting and privacy measures Firefox has.