Mar 18, 2025 09:00:00

Cloudflare's infinite loop problem: developers claim they were forced to sign excessive non-disclosure agreements; Cloudflare responds

The developer of Pale Moon reported that Cloudflare, which had been ignoring inquiries from browser developers for a long time about the ongoing problem of Cloudflare's browser validation rejecting access when using browsers such as Pale Moon, has finally taken action. However, the developer claims that Cloudflare is asking developers to sign a very broad non-disclosure agreement (NDA), which has created a new problem of stalling the resolution of the problem.

CloudFlare: summary and status - Pale Moon forum

https://forum.palemon.org/viewtopic.php?t=32127

Cloudflare asks browser devs to sign insane NDAs before fixing browser blocking | Hacker News
https://news.ycombinator.com/item?id=43376064

The origin of this series of problems is Cloudflare's 'infinite verification loop problem' that occurred in non-mainstream browsers such as Pale Moon in late January 2025. Pale Moon has addressed this issue by implementing two updates, which caused the verification to continue forever in some browsers due to Cloudflare changing the CAPTCHA script, but each time a new problem occurs.

This is not the first time that this problem has occurred, with similar issues occurring in 2022. In response to this type of problem occurring periodically, the non-mainstream browser community has contacted Cloudflare requesting a fundamental solution, but Cloudflare has not responded.

Cloudflare is blocking minor browsers, Cloudflare promises to investigate but has not heard anything back - GIGAZINE

Moonchild, the developer of Pale Moon, reported on a user forum that Cloudflare had finally responded on March 15, 2025. According to Moonchild, the first contact was a private message sent to Moonchild by Cloudflare product manager Michael Tremante on March 4.

To speed up communication, Moonchild suggested communicating via mailing list or Discord, but Cloudflare said it wanted to take the lead and made no specific proposals, so communication was slow.

Nevertheless, after three rounds of message exchanges, it was discovered that the bug was related to two JavaScript functions and CSP (Content Security Policy) , but it was not explained which functions specifically or what part of the CSP was causing the problem.

Instead of continuing the discussions, Cloudflare sent Moonchild a form for what it called an 'overly broad and general non-disclosure agreement (NDA).'

Moonchild said of the NDA, 'It's worth noting that while the proposed NDA is intended to 'speed things up,' it appears to be used to unnecessarily slow things down at the moment. We can't sign a comprehensive NDA that could violate EU regulations or local laws or impede the development of Pale Moon.' He accused Cloudflare of dangling an unreasonable non-disclosure agreement as a slow-walk tactic.

Meanwhile, a user claiming to be Tremante himself appeared on a Hacker News thread that covered the forum report and refuted Moonchild's claims, writing that when Cloudflare sent the NDA, they told him it 'wasn't necessarily required' and simply sent a standard NDA to expedite the process.

Tremante also pointed out that some of the issues with Pale Moon were due to a lack of proper support for CSP, that the company could not easily relax its check requirements to prevent abuse by bot developers, and that the forum post about targeting specific browsers was not true. 'To address this long-term issue, we are discussing internally a program that would allow browser developers to communicate directly with our team, and we hope to have something to share with the browser developer community soon,' he said.