Skip to content

Cloudflare protection causes loading loop for users that enable fingerprinting protection measures or change timezone

What is/are the relevant URL(s)

https://about.gitlab.com/ and https://gitlab.com/users/sign_in

Briefly describe the bug

Cloudflare protection is making the login page impossible to access for Firefox users that enable privacy.resistFingerprinting, which means that this is also the case for TOR users and for some privacy forks of Firefox. Windows users reported that the same is also true when they alter their timezone.

A couple relevant issues for extra details:

I will also contact Cloudflare about this issue, but given that gitlab.com is used by a ton of devs I think it's appropriate to open an issue on your side.

If possible, please specify how to reproduce the bug

  1. visit https://about.gitlab.com/
  2. click on the 'Login' button
  3. wait

you are now redirected to https://gitlab.com/users/sign_in and the page just loops over and over.

Please provide any relevant screenshots or screencasts

this is the page that loads over and over:

What is your window size, browser, operating system, and versions

whatsmybrowser.org/b/G8BGQ

from the previously linked issues it is possible to see that it also happens to others, regardless of their OS version and window size (eg. ESR versions of firefox)

What computing device are you using?

MacBook Pro, but again not that different on other machines.

What type of input are you attempting to use?

Webpage interactivity is often tied to a specific device event.

  • Touchscreen
  • Touchpad
  • Mouse click
  • Mouse click and drag
  • Scrollwheel
  • Keyboard
  • Stylus
  • Other (please specify)

Have you tried a fresh incognito window? Could this be related to cookies or account type/state?

  • I tried a fresh incognito window & it had no impact.
  • The problem goes away when using an incognito window.
  • The problem only happens when certain cookies are set to a specific value (please specify below).

Please list any browser plugins you have enabled

tested with no extensions, but also with uBlockOrigin

Are you blocking javascript or any other resources?

Javascript is needed for certain website functionality.

  • I AM blocking javascript or other resources.
  • I am NOT blocking javascript or other resources.

What is your geographic location

I'm in the EU.

What type of network are you connected to?

Type

  • Wired
  • Wifi
  • Cellular (4G, 5G, etc)
  • Satellite
  • Other

Location

  • Home
  • Workplace
  • Travel facility (hotel, airport, conference center, etc)
  • Public venue (restaurant, library, cafe, etc)
  • VPN
  • Other

Hardware

  • I am behind a network security appliance such as a firewall
  • I am using a pi-hole or other hardware-based traffic blocker
  • Other

/cc @gl-website

Edited by fxbrit