[cors] 2023/02/02 14:36:53 Handler: Actual requ...
# ory-network
d
[cors] 2023/02/02 14:36:53 Handler: Actual request
[cors] 2023/02/02 14:36:53   Actual request no headers added: missing origin
also proxy does not print any errors, just these that it has always spammed. this is not new and as said it has worked before (this morning) just fine
f
Hey, Cloudflare detected your traffic as malicious and blocked the request with a challenge
Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to:

A non-interactive challenge page (similar to the current JS Challenge).
A custom interactive challenge (such as click a button).
Private Access Tokens (using recent Apple operating systems).
A CAPTCHA challenge.
d
there is nothing interactive on the page :I
f
OWASP Core Ruleset activated it and the rule Inbound Anomaly Score Exceeded was triggered
d
i guess the localhost callback is triggering those :E
f
the non-interactive challenge might have got used
d
ok, there are no instructions to do anything, i don't get what to do
xxx.projects.oryapis.com

Checking if the site connection is secure

xxx.projects.oryapis.com needs to review the security of your connection before proceeding.
Ray ID: 793323a74f84d922
Performance & security by Cloudflare
i'm inspecting the page and see nothing
f
can you leave the website open for a moment?
Cloudflare defines for ex JS Challenge as follows:
JS challenge
With a JS challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser.

The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds.
d
seems it fails to load the challenge code... 404
*ray:* 793323a74f84d922
ugh
seems the day in the query is same as printed on the page, so that won't probably help you
so it's still trying to fetch the challenge through the proxy domain
<http://localhost:4000/cdn-cgi/challenge-platform/h/b/orchestrate/managed/v1?ray=793329830ef2df68>
wonder why it's 404:ing
f
haha 😄
d
other stuff fails too 404
<http://localhost:4000/cdn-cgi/styles/challenges.css>
any ideas?
f
yes, because proxy does not have those assets
what do you run locally?
d
so this challenge would only work in prod with your slug domain or a custom CNAME domain
f
and try to clear website data for now in your browser
d
go server, using self service browser login, when hitting microsoft button
and
ory proxy <https://localhost:4443> --dev --debug --project <slug>
localhost is running self signed cert, which is installed to chrome so it should be a-ok
wonder if it's hitting the security scans because the query callback is https://localhost :E
i know the OWASP can snoop all kinds of things like url/query and bodies too
@chilly-sandwich-92462 maybe you could proxy those cloudflare things in ory proxy to fix this bug
/cdn-cgi/styles/challenges.css
/cdn-cgi/challenge-platform/h/b/orchestrate/managed/v1?ray=793329830ef2df68
/cdn-cgi/images/trace/managed/js/transparent.gif?ray=793329830ef2df68
these are 404 on the page load
I can't imagine me being the first one to encounter this with ory proxy in dev mode? it's the only way to run this self service stuff while developing as i understand it, so everyone should be doing this and having the return_to callback to localhost
oh damn, clearing cookies and disabling network cache fixed it
wonder why that would make me not "malicious" again
there were at least two cookies with
__cf
prefix
f
We are discussing the change in proxy but this is not a proper fix, we need to get in touch with CF and report that
d
would think those asset URLs should be absolute pointing to cloudflare, not relative to current host
f
cause cloudflare cookies should not trigger cf itself to block
d
hopefully this can't happen in prod in the real domain (yours or customer custom CNAME domain)
would mean our end users might see this error page
f
we haven’t deployed changes in cf, we need to report it to them
d
i reckon the challenge will indeed load there, but still a bit scary for end users
f
sorry for inconvenience
d
aight, no problem. let's see if it happens again in the future