Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cloudflare blocks me when trying to include jQuery #518

Closed
jsane-h8ms opened this issue Nov 6, 2019 · 14 comments
Closed

Cloudflare blocks me when trying to include jQuery #518

jsane-h8ms opened this issue Nov 6, 2019 · 14 comments

Comments

@jsane-h8ms
Copy link

I can edit my test normally, as long as I don't add a script tag. When I add it (using the jQuery button) under preparation code, I can no longer save my test case, instead I get blocked by Cloudflare.
@LuKks
Copy link

LuKks commented Nov 9, 2019

I thought it was just me.

image

@phyllisstein
Copy link

I was blocked when trying to import a script from GitCDN. Sounds like CloudFlare's blocking anything with a script tag.

@DmitryEfimenko
Copy link

+1

@delventhalz
Copy link

I am having this same issue. Makes JSPerf unusable for my purposes.

@crudolf
Copy link

crudolf commented Dec 28, 2019

+1

1 similar comment
@neopheus
Copy link

neopheus commented Jan 4, 2020

+1

@ThreeDfish
Copy link

Same here -- tried to edit an existing test, could not save. Had to remove the script tag, then was able to save. This is a BIG problem.

@asilluron
Copy link
Member

asilluron commented Jan 5, 2020
edited
Loading

I've been away on holiday vacation but figured it was important to weigh-in on why this likely won't get fixed and explain why.

Disclaimer: This is my own personal opinion, and so I will let @mathiasbynens and @maxbeatty weigh in on their own opinion.

  1. Cloudflare blocks based on their automatic rules for vulnerabilities https://community.cloudflare.com/t/sorry-you-have-been-blocked/110790
  2. We probably don't want to allow anyone to include any scripts --> because testing on JSPerf is crowdsourced. I personally don't want to visit a test and have a bunch of scripts running that are potentially harmful, but at the minimum; "annoying"
  3. Curating a massive list of scripts that are deemed "safe" with all of their versions and hash sums is beyond the scope of this project (Edit: This is left to Cloudflare at a very basic level)
  4. JSPerf was created to test core JS Performance. A lot of the early testing with libraries was very straight forward, but now we're at a point with such bloated libraries that what you are testing (even between the slightly different versions) is almost un-knowable. That kind of testing is better suited using profilers, debuggers and the info found on JSPerf!

I hope that makes sense.

We should be using the core performance data found here to see how browsers are performing with very specific operations and operations that can be COMPARED.

Once you have that information, you can use it to create high-performance code.

Edit: To be clear, a lot of basic scripts still work with Cloudflare. Especially jQuery. However, the ability to arbitrarily add a script from any source is a much bigger issue

@asilluron asilluron mentioned this issue Jan 5, 2020
Closed
@asilluron
Copy link
Member

One more update. It looks like existing tests like https://jsperf.com/jquery-html-vs-empty-append-test/1/ cannot be edited even with the same jQuery import. This is probably confusing for users visiting a test directly and attempting to edit.

@ThreeDfish
Copy link

@asilluron That would be fundamental change to the functionality of jsperf. Currently there are buttons to add the script tag to include jQuery, Prototype, MooTools, YUI, Dojo, Ext Core, My Library

There is a reason for this, a lot of performance testing has to do with proposed Vanilla JS solutions vs established libraries to see which is faster or if there is enough performance difference to make a case for using the proposed solution.

@asilluron
Copy link
Member

Maybe you're misunderstanding me, I am not in favor of banning libraries, I am simply in favor of having Cloudflare not allowing any arbitrary library.

Yes, it's useful to test jQuery core functionality vs vanilla js, but what if a user is using

cdn.spammer. com\bitcoin-miner.js in a test? Should we just allow that?

However, we need to make sure Cloudflare is not blocking too much and it seems that might be the case.

@maxbeatty
Copy link
Member

Thanks for the thoughtful response, @asilluron. I agree that Cloudflare is responsible for these blocked requests and this won't get fixed because we don't control a majority of the rules by Cloudflare. (I do not have access to them.) Even if we were to relax some rules, I'm guessing we'd let 10-100 bad requests through for every innocent one. Spam sucks 😿

@maxbeatty maxbeatty pinned this issue Jan 5, 2020
This was referenced Jan 5, 2020
Closed
Closed
@maxbeatty maxbeatty mentioned this issue Jan 17, 2020
Closed
@SukkaW
Copy link

SukkaW commented Jan 28, 2020

@maxbeatty

What about completely disables Cloudflare WAF? Cloudflare WAF could be disabled through "Firewall - Settings - Security Level":

image

@maxbeatty maxbeatty mentioned this issue Feb 21, 2020
Closed
@ineeee ineeee mentioned this issue Mar 3, 2020
Open
@sstackus sstackus mentioned this issue Mar 4, 2020
Closed
@maxbeatty maxbeatty mentioned this issue May 14, 2020
Closed
@vanowm
Copy link

vanowm commented Jun 5, 2020

Even if we were to relax some rules, I'm guessing we'd let 10-100 bad requests through for every innocent one. Spam sucks crying_cat_face

The question is, do you have the ability relax the rules? If so, wouldn't add an extra captcha of some sorts for this kind of submissions help?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests