Feature Request: do not inject styles on cloudflare turnstiles

[chjj]

Assuming the turnstiles introspect on the DOM tree, this is a nasty fingerprinting vector, especially when using a private/custom userstyle.

This shouldn't break anything because userstyles aren't meant for the turnstile anyway.

Detection of a turnstile might be tricky because the turnstiles serve very generic HTML with some JS slop mixed in. That said, you could check for the existence of inline scripts with some cloudflare-specific vars: window._cf_chl_opt, etc. The inline script also always delivers its second-stage payload with some variation of /cdn-cgi/challenge-platform/... AFAICT.

[tophf]

Doesn't seem feasible because styles are applied before site's contents or scripts are loaded (even the embedded script elements in case "instant inject" option is enabled).

[chjj]

Hmmm, is it possible for the extension to inspect HTTP headers for the page before style injection? I'd have to do some more brief reverse engineering, but I suspect the turnstiles might be returning some cloudflare-specific HTTP headers that could be used for detection.

[tophf]

Yep.

[chjj]

It seems a cloudflare turnstile will return a 403 with a cf-mitigated header.

HTTP/2 403
cf-mitigated: challenge
cf-ray: 8b1a152a8c9158ee-JQX

The cf-ray header isn't as important because it seems to be sent even after you pass through the turnstile.

A check like this:

if (response.status === 403 && response.getHeader('cf-mitigated') === 'challenge')
  dontInjectStyles();

Seems like it might be sufficient.

[tophf]

Could you try the test build? I'm not sure just skipping would be useful when you have a global dark mode style and this white page blinds you... Maybe the option should accept a list of styles that are allowed. I've also tried using a safe API chrome.scripting.insertCSS that doesn't expose CSS as an element in DOM, but this API inserts the CSS at the wrong position in the cascade so it doesn't override the styles of the page, https://crbug.com/40237190.