Cloudflare responds with 403 to requests for assets from subdomain #2286

Open
progval opened this issue Oct 21, 2023 · 8 comments

@progval

progval commented Oct 21, 2023

https://liberapay.com/ works fine for me, but when visiting https://fr.liberapay.com/ all icons are broken and the browser console is full of errors:

```
12:26:52.304 Navigated to https://fr.liberapay.com/
12:26:52.741 This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. [fr.liberapay.com](https://fr.liberapay.com/)
12:26:52.848
GET
https://liberapay.com/assets/fonts/ubuntu-regular-webfont.woff2?etag=.Y59w7DuKv86LeAV3NYPdQg~~
[HTTP/2 403 Forbidden 13ms]

12:26:52.849
GET
https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.woff2?etag=.RIw0pW1pnCkRetxkxDr_6w~~
[HTTP/2 403 Forbidden 12ms]

12:26:52.849
GET
https://liberapay.com/assets/fonts/ubuntu-light-webfont.woff2?etag=.l-7x1Z9urwMB_zSvYLoCzw~~
[HTTP/2 403 Forbidden 14ms]

12:26:52.850
GET
https://liberapay.com/assets/fonts/ubuntu-medium-webfont.woff2?etag=.EbQpDk7pE17X7SWHG2a8cQ~~
[HTTP/2 403 Forbidden 17ms]

12:26:52.851
GET
https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.woff2?v=1.1.7
[HTTP/2 403 Forbidden 17ms]

12:26:52.874 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.woff2?etag=.RIw0pW1pnCkRetxkxDr_6w~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.874 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/fonts/ubuntu-regular-webfont.woff2?etag=.Y59w7DuKv86LeAV3NYPdQg~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.874 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/fonts/ubuntu-light-webfont.woff2?etag=.l-7x1Z9urwMB_zSvYLoCzw~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.875 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/fonts/ubuntu-medium-webfont.woff2?etag=.EbQpDk7pE17X7SWHG2a8cQ~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.875 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.woff2?v=1.1.7. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.889 downloadable font: download failed (font-family: "Glyphicons Halflings" style:normal weight:400 stretch:100 src index:1): bad URI or cross-site access not allowed source: https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.woff2?etag=.RIw0pW1pnCkRetxkxDr_6w~~
12:26:52.890 downloadable font: download failed (font-family: "Ubuntu" style:normal weight:400 stretch:100 src index:1): bad URI or cross-site access not allowed source: https://liberapay.com/assets/fonts/ubuntu-regular-webfont.woff2?etag=.Y59w7DuKv86LeAV3NYPdQg~~
12:26:52.891 downloadable font: download failed (font-family: "Ubuntu" style:normal weight:300 stretch:100 src index:1): bad URI or cross-site access not allowed source: https://liberapay.com/assets/fonts/ubuntu-light-webfont.woff2?etag=.l-7x1Z9urwMB_zSvYLoCzw~~
12:26:52.891 downloadable font: download failed (font-family: "Ubuntu" style:normal weight:500 stretch:100 src index:1): bad URI or cross-site access not allowed source: https://liberapay.com/assets/fonts/ubuntu-medium-webfont.woff2?etag=.EbQpDk7pE17X7SWHG2a8cQ~~
12:26:52.892 downloadable font: download failed (font-family: "ForkAwesome" style:normal weight:400 stretch:100 src index:1): bad URI or cross-site access not allowed source: https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.woff2?v=1.1.7
12:26:52.933
GET
https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.woff?etag=.-idyMn9V2BmDAf24vPyBWA~~
CORS Missing Allow Origin

12:26:52.944
GET
https://liberapay.com/assets/fonts/ubuntu-regular-webfont.woff?etag=.J1ctv4yahIxIlJtapyXlzw~~
CORS Missing Allow Origin

12:26:52.946
GET
https://liberapay.com/assets/fonts/ubuntu-light-webfont.woff?etag=.TLa3cOXnfVguIqskNfrmJA~~
CORS Missing Allow Origin

12:26:52.958
GET
https://liberapay.com/assets/fonts/ubuntu-medium-webfont.woff?etag=.Pmw1RfnKZMw5VqamSnumVg~~
CORS Missing Allow Origin

12:26:52.959
GET
https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.woff?v=1.1.7
CORS Missing Allow Origin

12:26:52.970 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/fonts/ubuntu-regular-webfont.woff?etag=.J1ctv4yahIxIlJtapyXlzw~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.971 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.woff?etag=.-idyMn9V2BmDAf24vPyBWA~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.972 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/fonts/ubuntu-light-webfont.woff?etag=.TLa3cOXnfVguIqskNfrmJA~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.972 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.woff?v=1.1.7. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.974 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/fonts/ubuntu-medium-webfont.woff?etag=.Pmw1RfnKZMw5VqamSnumVg~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:52.975 downloadable font: download failed (font-family: "Ubuntu" style:normal weight:400 stretch:100 src index:2): bad URI or cross-site access not allowed source: https://liberapay.com/assets/fonts/ubuntu-regular-webfont.woff?etag=.J1ctv4yahIxIlJtapyXlzw~~
12:26:52.975 downloadable font: no supported format found (font-family: "Ubuntu" style:normal weight:400 stretch:100 src index:4) source: (end of source list)
12:26:52.975 downloadable font: download failed (font-family: "Glyphicons Halflings" style:normal weight:400 stretch:100 src index:2): bad URI or cross-site access not allowed source: https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.woff?etag=.-idyMn9V2BmDAf24vPyBWA~~
12:26:52.976 downloadable font: download failed (font-family: "Ubuntu" style:normal weight:300 stretch:100 src index:2): bad URI or cross-site access not allowed source: https://liberapay.com/assets/fonts/ubuntu-light-webfont.woff?etag=.TLa3cOXnfVguIqskNfrmJA~~
12:26:52.976 downloadable font: no supported format found (font-family: "Ubuntu" style:normal weight:300 stretch:100 src index:4) source: (end of source list)
12:26:52.976 downloadable font: download failed (font-family: "ForkAwesome" style:normal weight:400 stretch:100 src index:2): bad URI or cross-site access not allowed source: https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.woff?v=1.1.7
12:26:52.977 downloadable font: download failed (font-family: "Ubuntu" style:normal weight:500 stretch:100 src index:2): bad URI or cross-site access not allowed source: https://liberapay.com/assets/fonts/ubuntu-medium-webfont.woff?etag=.Pmw1RfnKZMw5VqamSnumVg~~
12:26:52.977 downloadable font: no supported format found (font-family: "Ubuntu" style:normal weight:500 stretch:100 src index:4) source: (end of source list)
12:26:53.126
GET
https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.ttf?etag=.4Yu_YR8qLkOvwHGqL04VEg~~
CORS Missing Allow Origin

12:26:53.127
GET
https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.ttf?v=1.1.7
CORS Missing Allow Origin

12:26:53.192 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.ttf?v=1.1.7. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:53.192 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.ttf?etag=.4Yu_YR8qLkOvwHGqL04VEg~~. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403.

12:26:53.193 downloadable font: download failed (font-family: "ForkAwesome" style:normal weight:400 stretch:100 src index:3): bad URI or cross-site access not allowed source: https://liberapay.com/assets/forkawesome/1.1.7/fonts/forkawesome-webfont.ttf?v=1.1.7
12:26:53.193 downloadable font: no supported format found (font-family: "ForkAwesome" style:normal weight:400 stretch:100 src index:5) source: (end of source list)
12:26:53.193 downloadable font: download failed (font-family: "Glyphicons Halflings" style:normal weight:400 stretch:100 src index:3): bad URI or cross-site access not allowed source: https://liberapay.com/assets/bootstrap/fonts/glyphicons-halflings-regular.ttf?etag=.4Yu_YR8qLkOvwHGqL04VEg~~
12:26:53.193 downloadable font: no supported format found (font-family: "Glyphicons Halflings" style:normal weight:400 stretch:100 src index:5) source: (end of source list)

```
@progval
Author

progval commented Oct 21, 2023

The underlying issue is that I'm getting 403 errors from Cloudflare; for some reason I'm only getting them when assets are fetched from subdomains.

@Changaco changed the title from "Same Origin Policy breaks icon fonts on subdomains" to "Cloudflare responds with 403 to requests for assets from subdomain" on Oct 21, 2023
@Changaco
Member

@progval Can you send me the content of one of those 403 responses from Cloudflare? The IP address your requests are coming from could also help. You can send that information privately if you don't want to post them here, for example via email.

@progval
Author

progval commented Oct 21, 2023

```
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><link href="/cdn-cgi/styles/challenges.css" rel="stylesheet"></head><body class="no-js"><div class="main-wrapper" role="main"><div class="main-content"><noscript><div id="challenge-error-title"><div class="h2"><span class="icon-wrapper"><div class="heading-icon warning-icon"></div></span><span id="challenge-error-text">Enable JavaScript and cookies to continue</span></div></div></noscript></div></div></body></html>
```

From both 51.159.34.167 and 2001:bc8:6005:1c:208:a2ff:fe0c:6922. They are in a hosting provider's IP ranges, so Cloudflare is rather trigger-happy about them, but here I don't have the option to solve the captcha.

@Changaco
Member

So the problem is that Cloudflare is letting the initial request for the HTML page go through, but then challenges the sub-requests for the assets. This is unexpected behavior and might be considered a bug in Cloudflare's algorithms.

I've changed the challenge from “Managed” to “JavaScript”. Can you try again to see if that challenge behaves differently?

@progval
Author

progval commented Oct 21, 2023

no visible change

@Changaco
Member

I have now whitelisted your IP addresses. Can you confirm that this workaround is effective?

@progval
Author

progval commented Oct 21, 2023

it is

@Changaco
Member

Changaco commented Nov 7, 2023

I've made improvements to the Cloudflare “Firewall rules” for the liberapay.com domain. These improvements have now allowed me to remove almost all the challenges which were solely based on the network the requests come from, including the one on AS12876 (Scaleway) which resulted in the creation of this issue. I've also turned off the firewall rule which challenges requests that use a language subdomain (e.g. fr.liberapay.com), as opposed to the global domain (liberapay.com).

Cloudflare's weird behavior (challenging the sub-requests for static assets instead of the initial request for HTML) remains a concern. I'm leaving this issue open for possible future investigation of that problem.
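
A check a site operator could run over captured responses to spot the failure mode discussed in this thread, where a challenge page is served in place of a static asset. This is an added example, not code from Liberapay or Cloudflare: the `Response` structure, the function names and the sample data are constructed for illustration, and the two challenge markers are copied from the response quoted above.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Markers copied from the challenge page quoted in this thread.
CHALLENGE_MARKERS = ("<title>Just a moment...</title>", "/cdn-cgi/styles/challenges.css")
STATIC_SUFFIXES = (".woff2", ".woff", ".ttf", ".css", ".js", ".png", ".svg")

@dataclass
class Response:
    """One captured HTTP exchange (hypothetical structure, e.g. built from a HAR export)."""
    page_url: str  # document that triggered the request
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

def classify(resp):
    """Return 'not-challenged', 'challenged' or 'challenged-cross-origin'."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    is_static = urlsplit(resp.url).path.lower().endswith(STATIC_SUFFIXES)
    is_html = headers.get("content-type", "").lower().startswith("text/html")
    has_marker = any(m in resp.body for m in CHALLENGE_MARKERS)
    if not (is_static and resp.status == 403 and is_html and has_marker):
        return "not-challenged"
    # Fonts are fetched in CORS mode. Without Access-Control-Allow-Origin on the
    # 403, the browser reports a CORS failure and the challenge is never shown.
    if origin(resp.url) != origin(resp.page_url) and "access-control-allow-origin" not in headers:
        return "challenged-cross-origin"
    return "challenged"

def triage(responses):
    """Map each challenged asset URL to its classification."""
    return {r.url: c for r in responses if (c := classify(r)) != "not-challenged"}

# Constructed sample data modelled on the console log above (bodies abbreviated).
HTML = {"Content-Type": "text/html; charset=UTF-8"}
CHALLENGE_BODY = ('<html><head><title>Just a moment...</title>'
                  '<link href="/cdn-cgi/styles/challenges.css" rel="stylesheet"></head></html>')
FONTS = "https://liberapay.com/assets/fonts/"
SAMPLES = [
    Response("https://fr.liberapay.com/", FONTS + "ubuntu-regular-webfont.woff2", 403, HTML, CHALLENGE_BODY),
    Response("https://liberapay.com/", FONTS + "ubuntu-light-webfont.woff2", 403, HTML, CHALLENGE_BODY),
    Response("https://fr.liberapay.com/", FONTS + "ubuntu-medium-webfont.woff2", 200,
             {"Content-Type": "font/woff2", "Access-Control-Allow-Origin": "*"}, ""),
    Response("https://fr.liberapay.com/", "https://liberapay.com/assets/app.js", 403, HTML, "Forbidden"),
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(verdict, url)
```

The last sample shows why the body markers matter: a plain 403 from the origin server is not reported as a challenge.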
