forum.palemoon.org/viewtopic.php?t=32127#p260948 Clownflare siege, day 50: Pale Moon got whitelisted

it still blocks SeaMonkey, and any attempt to get the invisible Turnstile to render will hang the browser :/

(and even the Pale Moon whitelist remains fragile)

So... nothing has really changed, and I really wish I had a debug symbols build here to check why in the hell SM is hanging if I dare using Inspector to point at the invisible Turnstile box

it's a instafreeze now, and doesn't seem to be script related in principle (as no script timeout window ever comes), but I have no clue there

...wait

....it eventually unhung itself!?

.....after almost 5 minutes

OK, let me wait 5 more minutes then...

2 minutes, still hung at 100% single core

...3 minutes, still burning coal

and exactly 4 minutes later, it hung

so... 240 seconds

---it unhung

then the page reloads, still with a blank Turnstile

looking at about:config for prefs named "timeout" yields nothing if looking for 240 seconds

but there are a couple dom.min_timeout_value prefs set to 4 (that one and dom.min_tracking_timeout_value)

maybe 4 for "minutes"¡

?

...no, those are miliseconds

irrelevant then

after a couple more runs on my Ryzen laptop, I can indeed narrow down the hang time to ~270 seconds, or 4m30s

that's a... very weird timeout

so let's recap: go to a Clownflared site, get the invisible challenge, try to inspect it (this caused it to render in older versions), then your browser will hang for 270 seconds pegging a single core 100%

it WILL unhang itself after that, then the challenge obviously has failed and expired, so it reloads.

yep, 270 seconds.

now let's confirm if this is profile dependent or not

forum.palemoon.org/viewtopic.php?f=65&t=32190&start=20#p260857 yep, the whitelist is _only_ for Pale Moon, contingent on them actually implementing a bunch of CSP junk as Chrome does among other things, and they will revoke it if they feel so

> Going to launch our browser developer program hopefully before end of month. This community will be invited to join along with others we are in contact with. The aim will be to share our requirements and have a better two way communication in place. Of course this is always going to be an ongoing balance between reducing unwanted bot traffic to a minimum VS keeping the false positive rate...

...as low as possible

FWIW the hang IS reproducible on 1) clean profile, and 2) usual work profile booted in safe mode

the 270 seconds timeout is extremely weird - the time IS always constant, always reproducible, and there is no specific pref or anything browser-side

but if it is a script that takes all that time, why the script timeout warning doesn't kick in?

now let's check if it is hardware dependant

fired up my trusty Core 2 Duo laptop

this one is running the release 2.53.20 official binaries, and the hang indeed is reproducible

now let's see how long it takes to unblock

...far more than 5 minutes, it seems :/

the poor ol' Core has been hung for the last 10 minutes :O

...finally it unhung itself after TWENTY MINUTES

Core 2 Duo T7200: > 20 minutes. Ryzen 7 5700U: 270 seconds

Got Mine strikes again

eh tomman

nsITobin hi

Hi frg_Away

well news from the welfare warfare front.. judge blocked doge from getting specific personally identifiable data from social security master file and to destory any data collected thus far but that only potentally helps specific targets while the wreaking ball is elsewhere on the SSA. I think it will be cripple service and then glitches no one can really resolve while priming on national tv that ONLY fruadsters would be impacted by a temporary glitch

or suspention..

but for the minute i will have some groceries delivered

in the meanwhile, see the scrollback for my late nite adventures with that Turnstile inspector hang

finding out that if I just leave the browser alone for 5-20 minutes (depending on the hardware) after triggering the landmine, it will eventually un-hang and continue working as usual

tomman: it is basically based on a benchmark test returning correctly and within time.. its all artifical

but... why the hang? Why no "hung script" warning popups?

i thought i mentioned that at some point but couldn't find a reference in mah brain

tomman: some codepaths are still able to block the watchdog for quite some time

all I managed to find is that the hangs are consistent, and so is the duration time per CPU

or simply aren't covered

on a Ryzen 7 5700U I always measured ~270 seconds

that is an issue with any fork or would be.. there is no way to get percise identical results even if you support everything within the bounds of another program with extreme pgo

But in any case the browser would eventually unblock and continue working like if nothing had happened

(Aside of existing connections being forcibly closed, or your captcha expired)

well that just proves its a seamonkey problem in their eyes.. see it works its your fault everyone elses shit works.. and on for days and days and days

this cloudflare war is effectively irrelevant

At this point what worries me is the hang, more than Clownflare blocking my browser

in context with everything else happening and will happen

which means that other websites could trigger it too

if they copy the magical Evil Script bits, of course

well if someone else does it then it becomes MORE a seamonkey problem in malicious and uninformed eyes

of course that's bs.. but you know how it is

hello

does discord work on seamonkey?

Guest20 no

ok, thank you

gitlab wip updated

:)

rest well

to everyone