celenity/Phoenix
8
198
Fork
You've already forked Phoenix
19

[WEB COMPAT] Can't bypass "I'm not a robot" Cloudflare challange #318

Closed
opened 2026年06月14日 22:18:55 +02:00 by koru · 12 comments
Contributor
Copy link

Confirmation Checklist

Which domain(s) are you experiencing this issue on?

Any Cloudflare protected website.

What web browser(s) are you using with Phoenix?

Firefox

Other

No response

What operating system(s) are you experiencing this issue on?

Other

Other

Gentoo GNU/Linux

What version of Firefox/Gecko and Phoenix are you using?

151.0.4 (Phoenix: 2026年06月10日.1)

If you remember, what version of Firefox/Gecko and Phoenix did you first notice the issue on?

More than 2 months.

Does the issue occur on a new browser profile?

  • Yes
  • No

Please share your browser's distribution ID.

Please share your browser's update channel.

Please share a list of your currently installed browser add-ons/extensions, as well as the versions you have installed.

uBO, SponsorBlock.

Please explain the issue you are experiencing.

Can't bypass "I'm not a robot" Cloudflare challange even without uBO.

Also I CAN bypass in any browser (Chromius-based or Firefox w/o Phoenix).

Please provide detailed steps to reproduce the issue.

### Confirmation Checklist - [x] I confirm that this issue occurs on the **latest release** of Phoenix. You can check what the latest version is on [the `Releases` page](https://codeberg.org/celenity/Phoenix/releases). - [x] I confirm that this issue is **NOT** already listed on [the Website Compatibility wiki page](https://phoenix.celenity.dev/compat). - [x] I confirm that this issue has **NOT** already been reported on [the Codeberg issue tracker](https://codeberg.org/celenity/Phoenix/issues), [the GitLab issue tracker](https://gitlab.com/celenityy/Phoenix/-/issues), **and/or** [the GitHub issue tracker](https://github.com/celenityy/Phoenix/issues). ### Which domain(s) are you experiencing this issue on? Any Cloudflare protected website. ### What web browser(s) are you using with Phoenix? Firefox ### Other _No response_ ### What operating system(s) are you experiencing this issue on? Other ### Other Gentoo GNU/Linux ### What version of Firefox/Gecko and Phoenix are you using? 151.0.4 (Phoenix: 2026年06月10日.1) ### If you remember, what version of Firefox/Gecko and Phoenix did you first notice the issue on? More than 2 months. ### Does the issue occur on a new browser profile? - [x] Yes - [ ] No ### Please share your browser's distribution ID. - ### Please share your browser's update channel. - ### Please share a list of your currently installed browser add-ons/extensions, as well as the versions you have installed. uBO, SponsorBlock. ### Please explain the issue you are experiencing. Can't bypass "I'm not a robot" Cloudflare challange even without uBO. Also I CAN bypass in any browser (Chromius-based or Firefox w/o Phoenix). ### Please provide detailed steps to reproduce the issue. - https://gitlab.com/users/sign_in - https://lemmy.world

@koru what does "can't bypass" mean? does it get stuck, loop, or not show the checkbox, or does it show a "you have been blocked"-like message?
can you pass the cloudflare turnstile in firefox without phoenix, but with rfp on (privacy.resistFingerprinting=true), or in stock librewolf?
cloudflare might have become more aggressive against rfp / fpp +AllTargets; or if just "times out" and loops without success, you could try flipping

accessibility.blockautorefresh=false
network.http.prompt-temp-redirect=false

i recall having turnstile issues late last year (captcha got stuck and looped unsuccessfully), this fixed it.
alternatively, the browser might be too slow to solve the pow challenge with jit disabled...

@koru what does "can't bypass" mean? does it get stuck, loop, or not show the checkbox, or does it show a "you have been blocked"-like message? can you pass the cloudflare turnstile in firefox without phoenix, but with rfp on (`privacy.resistFingerprinting=true`), or in stock librewolf? cloudflare might have become more aggressive against rfp / fpp +AllTargets; or if just "times out" and loops without success, you could try flipping ``` accessibility.blockautorefresh=false network.http.prompt-temp-redirect=false ``` i recall having turnstile issues late last year (captcha got stuck and looped unsuccessfully), this fixed it. alternatively, the browser might be too slow to solve the pow challenge with jit disabled...
Author
Contributor
Copy link

@degausser wrote in #318 (comment):

@koru what does "can't bypass" mean? does it get stuck, loop, or not show the checkbox, or does it show a "you have been blocked"-like message? can you pass the cloudflare turnstile in firefox without phoenix, but with rfp on (privacy.resistFingerprinting=true), or in stock librewolf? cloudflare might have become more aggressive against rfp / fpp +AllTargets; or if just "times out" and loops without success, you could try flipping

Yes, I can't see checkbox and after some load page just refresh.

accessibility.blockautorefresh=false
network.http.prompt-temp-redirect=false
  1. Now I can see checkbox, but still can't bypass with uBO. But can w/o uBO. Success!
  2. Nothing changed.

i recall having turnstile issues late last year (captcha got stuck and looped unsuccessfully), this fixed it. alternatively, the browser might be too slow to solve the pow challenge with jit disabled...

Yeah, looks so similar.

Thank you!

@degausser wrote in https://codeberg.org/celenity/Phoenix/issues/318#issuecomment-17483981: > @koru what does "can't bypass" mean? does it get stuck, loop, or not show the checkbox, or does it show a "you have been blocked"-like message? can you pass the cloudflare turnstile in firefox without phoenix, but with rfp on (`privacy.resistFingerprinting=true`), or in stock librewolf? cloudflare might have become more aggressive against rfp / fpp +AllTargets; or if just "times out" and loops without success, you could try flipping Yes, I can't see checkbox and after some load page just refresh. > ```text > accessibility.blockautorefresh=false > network.http.prompt-temp-redirect=false > ``` 1. Now I can see checkbox, but still can't bypass with uBO. But can w/o uBO. Success! 2. Nothing changed. > i recall having turnstile issues late last year (captcha got stuck and looped unsuccessfully), this fixed it. alternatively, the browser might be too slow to solve the pow challenge with jit disabled... Yeah, looks so similar. Thank you!

@koru

Now I can see checkbox, but still can't bypass with uBO. But can w/o uBO. Success!

yeah, sorry, i don't use the uBO assets.json from phoenix, so i can't reproduce this :/
with uBO enabled, you could try to load the page with uBO logger opened, and look for any interesting red (blocked) lines; clicking on individual lines shows more information, including which filterlist the rule responsible for the action is included in. Then, with process of elimination, try to untick only that list in uBO 'Filters list', or add an override (@@) for the rule in 'My Filters'.

@koru > Now I can see checkbox, but still can't bypass with uBO. But can w/o uBO. Success! yeah, sorry, i don't use the uBO assets.json from phoenix, so i can't reproduce this :/ with uBO enabled, you could try to load the page with [uBO logger](https://github.com/gorhill/uBlock/wiki/The-logger) opened, and look for any interesting red (blocked) lines; clicking on individual lines shows more information, including _which filterlist the rule responsible for the action is included in_. Then, with process of elimination, try to untick only that list in uBO 'Filters list', or add an override (@@) for the rule in 'My Filters'.
Author
Contributor
Copy link

@degausser wrote in #318 (comment):

@koru

Now I can see checkbox, but still can't bypass with uBO. But can w/o uBO. Success!

yeah, sorry, i don't use the uBO assets.json from phoenix, so i can't reproduce this :/ with uBO enabled, you could try to load the page with uBO logger opened, and look for any interesting red (blocked) lines; clicking on individual lines shows more information, including which filterlist the rule responsible for the action is included in. Then, with process of elimination, try to untick only that list in uBO 'Filters list', or add an override (@@) for the rule in 'My Filters'.

Found!

Filter:

! Title: 🛡 Block WebRTC
! Version: 02April2026v1
! Expires: 12 hours
! Description: Block WebRTC to harden the privacy & security of your web browser.
! Homepage: https://badblock.celenity.dev
*##+js(nowebrtc)

@celenity, any thoughts?

@degausser wrote in https://codeberg.org/celenity/Phoenix/issues/318#issuecomment-17499725: > @koru > > > Now I can see checkbox, but still can't bypass with uBO. But can w/o uBO. Success! > > yeah, sorry, i don't use the uBO assets.json from phoenix, so i can't reproduce this :/ with uBO enabled, you could try to load the page with [uBO logger](https://github.com/gorhill/uBlock/wiki/The-logger) opened, and look for any interesting red (blocked) lines; clicking on individual lines shows more information, including _which filterlist the rule responsible for the action is included in_. Then, with process of elimination, try to untick only that list in uBO 'Filters list', or add an override (@@) for the rule in 'My Filters'. Found! Filter: ```adb ! Title: 🛡️ Block WebRTC ! Version: 02April2026v1 ! Expires: 12 hours ! Description: Block WebRTC to harden the privacy & security of your web browser. ! Homepage: https://badblock.celenity.dev *##+js(nowebrtc) ``` @celenity, any thoughts?

dunno, i tested media.peerconnection.enabled=false, which disables webrtc on browser level, and can pass the turnstile. if nowebrtc is really the culprit, an exemption is needed here then. for now, you can temporarily add to my filters

lemmy.world#@#+js(nowebrtc)
gitlab.com#@#+js(nowebrtc)

if every domain using cloudflare turnstile will need to be exempted, that will be quite a long list...

dunno, i tested `media.peerconnection.enabled=false`, which disables webrtc on browser level, and can pass the turnstile. if `nowebrtc` is really the culprit, an exemption is needed [here](https://codeberg.org/celenity/BadBlock/src/branch/pages/hardened/unbreak-webrtc.txt) then. for now, you can temporarily add to `my filters` ``` lemmy.world#@#+js(nowebrtc) gitlab.com#@#+js(nowebrtc) ``` if every domain using cloudflare turnstile will need to be exempted, that will be quite a long list...
Author
Contributor
Copy link

@degausser wrote in #318 (comment):

dunno, i tested media.peerconnection.enabled=false, which disables webrtc on browser level, and can pass the turnstile. if nowebrtc is really the culprit, an exemption is needed here then. for now, you can temporarily add to my filters

lemmy.world#@#+js(nowebrtc)
gitlab.com#@#+js(nowebrtc)

if every domain using cloudflare turnstile will need to be exempted, that will be quite a long list...

Also working setup:

accessibility.blockautorefresh=true
network.http.prompt-temp-redirect=true
media.peerconnection.enabled=false

And with enabled Block WebRTC filter.

@degausser wrote in https://codeberg.org/celenity/Phoenix/issues/318#issuecomment-17507273: > dunno, i tested `media.peerconnection.enabled=false`, which disables webrtc on browser level, and can pass the turnstile. if `nowebrtc` is really the culprit, an exemption is needed [here](https://codeberg.org/celenity/BadBlock/src/branch/pages/hardened/unbreak-webrtc.txt) then. for now, you can temporarily add to `my filters` > > ```text > lemmy.world#@#+js(nowebrtc) > gitlab.com#@#+js(nowebrtc) > ``` > > if every domain using cloudflare turnstile will need to be exempted, that will be quite a long list... Also working setup: ```javascript accessibility.blockautorefresh=true network.http.prompt-temp-redirect=true media.peerconnection.enabled=false ``` And with enabled Block WebRTC filter.

so it seems the two old pref flips are no longer needed - they change the cf js payload all the time...

Block WebRTC does essentially nothing with media.peerconnection.enabled=false. presumably the cloudflare javascript first checks if webrtc is supported at all, if not, it skips further checks. the filter doesn't disable webrtc, just no-ops the function - further dependant turnstile checks run (and fail).

if you can help it, don't run media.peerconnection.enabled disabled permanently, rather add the ubo exemptions; it's fingerprintable, whereas keeping it enabled and just noop-ing the functionality (= what the uBO filter does) isn't (but sometimes introduces breakage).

so it seems the two old pref flips are no longer needed - they change the cf js payload all the time... `Block WebRTC` does essentially nothing with `media.peerconnection.enabled=false`. presumably the cloudflare javascript first checks if webrtc is supported at all, if not, it skips further checks. the filter doesn't _disable_ webrtc, just [no-ops the function](https://github.com/gorhill/uBlock/blob/a94df7f3b27080ae2dcb3b914ace39c0c294d2f6/assets/resources/scriptlets.js#L734-L742) - further dependant turnstile checks run (and fail). if you can help it, don't run `media.peerconnection.enabled` disabled permanently, rather add the ubo exemptions; it's fingerprintable, whereas keeping it enabled and just noop-ing the functionality (= what the uBO filter does) isn't (but sometimes introduces breakage).

@celenity this may be a situation where privacy/security clashes with fingerprinting protection:

  • it works with media.peerconnection.enabled=false (webrtc is disabled, but this state is fingerprintable)
  • doesn't work with nowebrtc ubo scriptlet, so has to be exempted (therefore webrtc is allowed on page unrestricted, resulting in less protection)
@celenity this may be a situation where privacy/security clashes with fingerprinting protection: - it works with `media.peerconnection.enabled=false` (webrtc is disabled, but this state is fingerprintable) - doesn't work with `nowebrtc` ubo scriptlet, so has to be exempted (therefore webrtc is allowed on page unrestricted, resulting in less protection)
Author
Contributor
Copy link

@degausser wrote in #318 (comment):

dunno, i tested media.peerconnection.enabled=false, which disables webrtc on browser level, and can pass the turnstile. if nowebrtc is really the culprit, an exemption is needed here then. for now, you can temporarily add to my filters

lemmy.world#@#+js(nowebrtc)
gitlab.com#@#+js(nowebrtc)

if every domain using cloudflare turnstile will need to be exempted, that will be quite a long list...

As I tested My filters do not override Filter lists or += to exist WebRTC rules. Am I doing something wrong?

@degausser wrote in https://codeberg.org/celenity/Phoenix/issues/318#issuecomment-17507273: > dunno, i tested `media.peerconnection.enabled=false`, which disables webrtc on browser level, and can pass the turnstile. if `nowebrtc` is really the culprit, an exemption is needed [here](https://codeberg.org/celenity/BadBlock/src/branch/pages/hardened/unbreak-webrtc.txt) then. for now, you can temporarily add to `my filters` > > ```text > lemmy.world#@#+js(nowebrtc) > gitlab.com#@#+js(nowebrtc) > ``` > > if every domain using cloudflare turnstile will need to be exempted, that will be quite a long list... As I tested `My filters` do not override `Filter lists` or += to exist WebRTC rules. Am I doing something wrong?

@koru try challenges.cloudflare.com#@#+js(nowebrtc) instead

@koru try `challenges.cloudflare.com#@#+js(nowebrtc)` instead
Author
Contributor
Copy link

@degausser wrote in #318 (comment):

@koru try challenges.cloudflare.com#@#+js(nowebrtc) instead

Works! Thank you!

@degausser wrote in https://codeberg.org/celenity/Phoenix/issues/318#issuecomment-17521940: > @koru try `challenges.cloudflare.com#@#+js(nowebrtc)` instead Works! Thank you!

maybe a pr at the badblock repo which adds the rule here wouldn't be a bad idea, so that a user unbreak override isn't needed

maybe a pr at the badblock repo which adds the rule [here](https://codeberg.org/celenity/BadBlock/src/branch/pages/hardened/unbreak-webrtc.txt) wouldn't be a bad idea, so that a user unbreak override isn't needed
Sign in to join this conversation.
No Branch/Tag specified
dev
pages
2026年07月08日.1
2026年06月10日.1
2026年05月21日.2
2026年05月21日.1
2026年04月27日.1
2026年03月31日.1
2026年03月30日.1
2026年02月23日.1
2026年02月16日.1
2026年01月21日.1
2025年12月23日.1
2025年11月27日.1
2025年11月07日.1
2025年10月26日.1
2025年10月12日.1
2025年10月03日.1
2025年09月07日.1
2025年08月06日.1
2025年07月30日.1
2025年07月11日.1
2025年06月24日.1
2025年06月12日.1
2025年06月10日.1
2025年06月06日.1
2025年06月02日.2
2025年06月02日.1
2025年05月11日.1
2025年04月27日.1
2025年04月15日.1
2025年04月11日.1
2025年04月02日.1
2025年03月25日.1
2025年03月20日.1
2025年03月12日.1
2025年03月05日.1
2025年02月28日.1
2025年02月21日.1
2024年02月18日.1
2025年02月14日.1
2025年02月13日.1
2025年02月01日.1
2025年01月30日.1
2025年01月27日.1
2025年01月24日.1
2025年01月22日.2
2025年01月22日.1
2025年01月20日.2
2025年01月20日.1
2025年01月19日.1
2025年01月14日.1
2025年01月13日.1
2025年01月12日.2
2025年01月12日.1
2025年01月06日.1
05January2025v1
20240103.2
20250103.1
20241229-1
20241225-1
20241216-1
20241211-1
20241204-1
20241203-1
31November2024v1
20241103-1
20240924-1
20240914-1
20240907-1
20240902-1
20240831-1
20240825-1
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
celenity/Phoenix#318
Reference in a new issue
celenity/Phoenix
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?