mstrem | 11 months ago

There is no such intent from us to throw around our weight. The team is challenged with a very hard task of balancing protecting web assets VS ensuring that those same assets remain accessible to everyone. It's not an easy problem.

The features you refer to are not bleeding edge, and not only that, they are security features. We are still discussing internally but I hope we can publish soon the details so that point can be addressed.

Final but not last, this only affects our challenge system, which is never issued by us as a blanket action across Internet traffic. It's normally a configuration a Cloudflare user implements in response to an ongoing issue they have (like a bot problem). We do report challenge pass rates and error rates but we can certainly always improve that feedback loop.

superkuh|11 months ago

If you can't see how CF is throwing around its weight I can only assume the traditional Upton Sinclair quote applies.

The vast majority of sites operate without a CSP (only 7% of Alexa’s top 1 million sites have a valid CSP circa 2020, and in the long tail it's much, much less). It's a niche thing and the type of use you do at Cloudflare can be considered bleeding edge in practice by comparing to the rest of the web. For most sites on the web CSP is more of a burden than a benefit.

The crashing and freezing of many browsers only affects your challenge system. Your blocking that's impossible to pass with many browsers is either default or so commonly set it doesn't make a difference. You should try using a non-Chrome/non-Safari/non-Edge/non-Firefox browser through a non-residential IP sometime and see how many places you can no longer access because of your employer.