CEF unable to pass cloudflare browser integrity checks #3547

Closed
nv-hub opened this issue Jul 27, 2023 · 8 comments

@nv-hub

nv-hub commented Jul 27, 2023

Hello,

I'm not entirely certain whether this qualifies as a bug, so I decided to create a blank issue. I apologize if this approach is not the correct one.

In the past few days, Cloudflare made an update to their captcha system called Turnstile, which now verifies browser integrity before granting access to protected websites. Unfortunately, this update has caused an issue for my website, which also relies on Cloudflare for protection. Consequently, I can no longer access my website through the CEF from my application.

During a discussion with some members of their community on Discord, I learned that CEF exposes certain APIs that can be detected by Cloudflare (according to them), leading to the blocking of access.

For my tests, I am using the latest stable version (115.3.9) of the CEF client from the following source: https://cef-builds.spotifycdn.com/index.html. Here is an image of the sample application:

image

The website I am attempting to access is https://turnstile-demo.pages.dev/. Please ensure you select "Managed sitekeys" in the "select sitekey" option.

So my question is, does anyone know which APIs are causing this failure? And is there a way to disable them?

Regards!
CEF user.

nv-hub changed the title from "CEF unable to pass cloudflare browser integrity" to "CEF unable to pass cloudflare browser integrity checks" on Jul 28, 2023

@amaitland
Contributor

> For my tests, I am using the latest stable version (115.3.9) of the CEF client from the following source: https://cef-builds.spotifycdn.com/index.html.

Does the behaviour change if you use cefclient --enable-chrome-runtime?

@nv-hub
Author

nv-hub commented Jul 29, 2023

> > For my tests, I am using the latest stable version (115.3.9) of the CEF client from the following source: https://cef-builds.spotifycdn.com/index.html.
>
> Does the behaviour change if you use cefclient --enable-chrome-runtime?

Yes! The browser can pass CF bot checks after enabling this flag. However, when applying the change within my application, I'm getting strange behavior.
https://gyazo.com/10496f5602d64343273e8e73aeed0f8e

The browser is flickering non-stop, and the resolution is much smaller than it's set to.

I have these other options enabled as well:

		settings.multi_threaded_message_loop = true;
		settings.windowless_rendering_enabled = true;
		settings.no_sandbox = true;

@amaitland
Contributor

> I learned that CEF exposes certain APIs that can be detected by Cloudflare (According to them), leading to the blocking of access.

If the Chrome Runtime works then Cloudflare is probably fingerprinting the Alloy runtime based on what it's missing, e.g. Notification API. I'm speculating at this point.

> settings.windowless_rendering_enabled = true;

Not yet supported by the Chrome Runtime (#3293).

> which also relies on Cloudflare for protection. Consequently,

If you are a paying Cloudflare customer then I'd be asking their support team for a resolution.

@nv-hub
Author

nv-hub commented Jul 29, 2023

Thanks for the answer, I appreciate your input!

I am a Cloudflare PRO customer but I really doubt they would do anything about it just for 1 customer's sake.
I tried reaching out to them on Discord but only got the argument that CEF can be automated and their product is designed to block automations and bots. Anyway, I have just opened a support ticket, let's see how this goes!

Will keep this issue updated in case others are facing similar issues.

@amaitland
Contributor

> I tried reaching out to them on discord but only got the argument that CEF can be automated and their product is designed to block automations and bots

That doesn't mean they cannot provide some means for you to authenticate, some sort of auth token that can be included in the request made from your app to validate.

> Will keep this issue updated incase others are facing similar issues.

There are other reports: cefsharp/CefSharp#4556
No idea if any are paying customers.

@nv-hub
Author

nv-hub commented Jul 29, 2023

> That doesn't meant that cannot provide some means for you to authenticate, some sort of auth token that can be included in the request made from your app to validate.

Agreed! There is currently a way to apply a set of rules based on a specific user agent of your choice. This would grant you the possibility to disable the browser integrity check and let you in without any checks. However, if a user is also using Turnstile for user authentication (after the browser integrity check) then he's stuck again in the same loop :/

@RadoMmm

RadoMmm commented Jul 30, 2023

> I am a Cloudflare PRO customer but I really doubt they would do anything about it just for 1 customer's sake. I tried reaching out to them on discord but only got the argument that CEF can be automated and their product is designed to block automations and bots, but anyways I have just opened a support ticket, let's see how this goes!

I wonder how they will detect regular Chrome automated by the DevTools protocol, or a custom build of Chrome automated in any way.

@nv-hub
Author

nv-hub commented Jul 31, 2023

I'm not sure what they changed, but suddenly CEF works again with CF browser integrity check.

I received a question from one of their staff on Discord asking if I had by any chance removed Cross-Origin-Opener-Policy, but I wasn't really sure. I use the default, and that is REFERRER_POLICY_CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE. Perhaps someone knows if Chrome Runtime uses a different policy?

But at least things work now, so if by any chance it stops working again, I'll have somewhere to look!

magreenblatt closed this as not planned (won't fix, can't repro, duplicate, stale) on Aug 2, 2023