thirty bees forum

Warning: cloudflare enabled Speculation rules API


datakick


Hi everyone, 

I just wanted to raise your attention to the fact that Cloudflare recently enabled the Speculation Rules API for all plans.

This functionality is designed to improve browsing speed by aggressively prefetching potential future assets/pages etc.

However, these prefetch requests can be quite dangerous sometimes.

Example: I'm in back office modules pages, and I click on 'Uninstall module' button. The confirmation dialog is displayed to ask if I'm sure.

But the question is irrelevant - because of this new prefetch functionality, your browser has already sent a request to your server to prefetch the response for the uninstall action URL. The module is already uninstalled.

You can see the request in the network tab. Even though Cloudflare responded with a 503 error code (meaning the prefetch response will be ignored by the browser), the request still made it to your server, and the action was executed.

If you click 'OK', thirty bees will send the actual request, and it will actually fail with the error message "This module has already been uninstalled".

That's nice, isn't it.

The uninstall/install module buttons are not the only ones that are impacted. For example, 'delete' or 'approve' or 'send' buttons in lists in back office, etc...

It can also impact front office, most likely -- browser can automatically add product to a cart because it believes that user will click on the "Add to cart" button soon, so better be prepared for that... right.

It's quite a dangerous optimization. It's true that if thirty bees used POST instead of GET requests to implement this kind of action, this situation could not happen. But we can't really change that.

We will look into a way to prevent/mitigate this problem. Fortunately, the browser is sending some HTTP headers that we can use to determine if a request is a regular one or a prefetch, so we can use that to prevent this (hopefully).

But until a fix is implemented, I advise you to disable this new prefetch optimization in your Cloudflare dashboard. And to be sure, maybe even after that 🙂


@datakick Thanks for this post!! I saw some strange setting a few days ago in Cloudflare. It's called "Speed Brain". Is this the setting you are talking about? Or where is the exact setting you are talking about?

30 minutes ago, datakick said:

It can also impact front office, most likely -- browser can automatically add product to a cart because it believes that user will click on the "Add to cart" button soon, so better be prepared for that... right.

Oh, that does maybe explain why some of my customers see the "This cart was already used" error. I have the feeling that the request is sent two times. And now it sounds very likely that my own code sends it automatically by a "fake click" and the Cloudflare system could do it too.

To me this feature sounds like complete bullshit. It's way too risky.


32 minutes ago, wakabayashi said:

It's called "Speed Brain". Is this the setting you are talking about?

Yes, that's the one. Deactivate this.

32 minutes ago, wakabayashi said:

To me this feature sounds like complete bullshit. It's way too risky.

It would work nicely on websites that follow REST principles, and don't have side effects on GET requests.

But on sites that perform side effects on GET requests, it's very dangerous. It's stupid that in thirty bees you can 'delete' a record by simply writing a URL into the address bar and hitting enter.


20 minutes ago, theMerchantDev said:

Is there some positive aspect of using Cloudflare with TB?

One more place where you forget to clean the cache from when troubleshooting. 😄 😄 😄

Just joking. Of course if your site has thousands of visitors a day it will help, also it is useful as a first measure if somebody is trying to bring your site down. If your host is fast and your cache is working you might not see a big improvement in speed but for big sites it's a must.


37 minutes ago, theMerchantDev said:

Is there some positive aspect of using Cloudflare with TB?

Yes, of course.

  1. caching -- Cloudflare is a great CDN network that can cache your static assets (images, css, js, video,...) and deliver them very fast. This can take a lot of stress off your server, freeing resources for PHP and DB processes. So even a cheaper server can handle a lot of requests
  2. world-wide -- since Cloudflare has many data centers all over the world, the (cached) content is delivered fast everywhere. If you sell world-wide, this can make quite a difference -- visitors from Australia can access your server located in Frankfurt almost as fast as visitors from Munich.
  3. security -- Cloudflare has nice security features that you can enable/disable at will -- quite useful during attacks on your server
  4. free SSL without any hassle -- I know you can easily generate Let's Encrypt SSL certificates, but even that sometimes fails and the admin has to attend to it. With Cloudflare it's completely without any problems
  5. IP address privacy -- I like the fact that you can hide your server IP address from the outside world
  6. geolocation for free -- Cloudflare sends geolocation HTTP headers that you can use to determine the country of your visitors. You can do the same with the maxmind geoip module, but then you need to keep the IP database up-to-date. With Cloudflare, you have that accurate and for free. Here's my module that can utilize this information: https://store.getdatakick.com/en/modules/cloudflare-geoip

27 minutes ago, the.rampage.rado said:

One more place where you forget to clean the cache from when troubleshooting.

Yeah, that's true. I made a module to automatically purge the Cloudflare cache when you clean the thirty bees cache, so that helps: https://store.getdatakick.com/en/modules/cloudflare-cache-purger

19 minutes ago, DRMasterChief said:

WTF? Please explain.

Oh yeah, it's funny. And sad. Mostly sad. Not funny at all, actually.

You can try it yourself (on a testing environment, please).

For example, view any order, and change vieworder in the URL bar to deleteorder:

https://domain.com/admin-dev/index.php?controller=AdminOrders&id_order=3&vieworder&token=<token>

https://domain.com/admin-dev/index.php?controller=AdminOrders&id_order=3&deleteorder&token=<token>

And hit enter. The order is deleted.

This is how the Delete button in lists works now. It is a simple GET request, guarded by a confirmation popup. But when prefetching is enabled, the browser calls this GET URL before you hit confirm.

19 minutes ago, DRMasterChief said:

How can we solve this?

This particular problem can be fixed by fixing HelperList, and sending a POST ajax request instead. That would, probably, break a lot of things, integration with third party modules, etc. You know, backwards compatibility.
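The two mitigations discussed in this thread, refusing to act on requests the browser marks as speculative (first post) and moving state-changing actions off GET (the HelperList point above), can be sketched as a small guard in front of a back-office action. The code below is an added example, not thirty bees code: the `PrefetchGuard` class, the list of action flags it treats as mutating, and the sample requests are my own constructions. The header names it checks are the ones browsers actually send for speculative loads: `Sec-Purpose: prefetch` (or `prefetch;prerender`) from the Speculation Rules API, plus the older `Purpose: prefetch` and `X-Moz: prefetch` hints.

```php
<?php
// Added example (not thirty bees code): refuse to execute state-changing
// GET actions when the request is a speculative prefetch/prerender rather
// than a real click. Assumption: action flags arrive as query-string keys
// the way the thread shows ("deleteorder", "uninstall", ...), and this guard
// runs before the controller dispatches the action.

final class PrefetchGuard
{
    /** Request headers (lower-cased) that browsers attach to speculative loads. */
    private const SPECULATION_HEADERS = [
        'sec-purpose' => 'prefetch', // Speculation Rules API: "prefetch" or "prefetch;prerender"
        'purpose'     => 'prefetch', // older Chrome / Safari prefetch hint
        'x-moz'       => 'prefetch', // Firefox <link rel="prefetch">
    ];

    /** Query flags treated as state-changing (constructed list for this demo). */
    private const MUTATING_FLAGS = [
        'deleteorder', 'uninstall', 'install', 'delete', 'approve', 'send',
    ];

    /** True when any speculation header is present and starts with its marker. */
    public static function isSpeculative(array $headers): bool
    {
        foreach ($headers as $name => $value) {
            $key = strtolower(trim((string) $name));
            if (!isset(self::SPECULATION_HEADERS[$key])) {
                continue;
            }
            $marker = self::SPECULATION_HEADERS[$key];
            // Prefix match so "prefetch;prerender" is caught as well.
            if (strncasecmp(trim((string) $value), $marker, strlen($marker)) === 0) {
                return true;
            }
        }
        return false;
    }

    /** True when the query string carries one of the mutating action flags. */
    public static function isMutatingAction(array $query): bool
    {
        foreach (self::MUTATING_FLAGS as $flag) {
            if (array_key_exists($flag, $query)) {
                return true;
            }
        }
        return false;
    }

    /**
     * 'run'    -> dispatch the action normally
     * 'refuse' -> answer 503 without touching any state
     *
     * Speculative loads are always GET, so a POST is never refused here; the
     * durable fix is to make mutating actions POST-only, which this guard
     * does not do by itself. A speculative GET of a read-only page (e.g.
     * vieworder) is still served, only "speculative + mutating" is refused.
     */
    public static function decide(string $method, array $headers, array $query): string
    {
        if (strtoupper($method) !== 'GET') {
            return 'run';
        }
        if (self::isMutatingAction($query) && self::isSpeculative($headers)) {
            return 'refuse';
        }
        return 'run';
    }

    /** Send the refusal: 503 plus no-store so no proxy or CDN caches it. */
    public static function refuse(): void
    {
        http_response_code(503);
        header('Cache-Control: no-store');
        header('Vary: Sec-Purpose, Purpose');
        exit;
    }
}

// Demo on constructed requests (no real server or order involved).
// Token value is a placeholder, not a real back-office token.
$deleteQuery = ['controller' => 'AdminOrders', 'id_order' => '3', 'deleteorder' => '', 'token' => 'PLACEHOLDER_TOKEN'];
$viewQuery   = ['controller' => 'AdminOrders', 'id_order' => '3', 'vieworder'   => '', 'token' => 'PLACEHOLDER_TOKEN'];

$samples = [
    'prefetch of deleteorder'   => ['GET',  ['Sec-Purpose' => 'prefetch'],           $deleteQuery],
    'prerender of deleteorder'  => ['GET',  ['Sec-Purpose' => 'prefetch;prerender'], $deleteQuery],
    'real click on deleteorder' => ['GET',  [],                                      $deleteQuery],
    'prefetch of vieworder'     => ['GET',  ['Purpose' => 'prefetch'],               $viewQuery],
    'POST delete (never speculative)' => ['POST', ['Sec-Purpose' => 'prefetch'],     $deleteQuery],
];

foreach ($samples as $label => [$method, $headers, $query]) {
    echo str_pad($label, 34), ' => ', PrefetchGuard::decide($method, $headers, $query), PHP_EOL;
}
```

In a real deployment the decision would be taken once, early in the admin controller's request handling, with `PrefetchGuard::refuse()` called on `'refuse'`; the demo loop only shows the classification. The guard is a stop-gap: it relies on the browser labelling its speculative requests, so anything that issues a plain GET to an action URL (as the vieworder/deleteorder example above shows) still goes through, which is why the thread's conclusion that such actions belong on POST stands.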

40 minutes ago, DRMasterChief said:

Thanks for the explanation. So this is only important in the back office or for people with access to it. 'Normal' customers and visitors can't do anything with it?

Normal customers can't call a back office controller. But it doesn't necessarily mean that you don't have issues on the FO. If you are using Cloudflare, I would just deactivate it for now. I have done it and everything works fine again.
