by 1vuio0pswjnm7 459 days ago
"Contrary to what many have said in this forum, our challenge has no logic that relies on the user agent strings."

If that were true then it would be possible to satisfy the challenge without sending a user agent header. But omitting this header will result in blocking. Perhaps the user agent string is being collected for other commercial purposes, e.g., as part of a "fingerprint" used to support a CDN/cybersecurity services business.


We expect the user agent string to be present, that yes. We don't have any logic based on its contents though (except blocking known bad ones) and we don't have any exceptions for the major browsers.

No commercial uses around this.

> We don't have any logic based on it's contents

> blocking known bad ones

These contradict. Blocking "bad ones" is logic. Also such claims are disingenuous without defining what "bad ones" are... For all I know (and it surely seems so), you could be defining "bad ones" as "anything that is not 'the latest chrome without adblock and with javascript on'"

That's what the word "except" means that you quoted around.

Yes, and I'm pointing out that phrasing it that way makes the whole statement meaningless. E.g.: I don't eat foods except some that I consider edible. I don't kill kittens, except those I think are evil. See how it works? Adding a vague "except" to an absolute-sounding sentence destroys its very meaning.

Those are different products. BIC prevents requests such as those with empty UAs or corrupted HTTP requests from passing CF without a challenge.

Turnstile/Challenges per se don't rely on the UA at all.
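The distinction the thread keeps circling (requiring a header to be present versus making decisions on its contents) is easy to make concrete. The following is an added example written for this page, not Cloudflare code and not a description of how BIC or Turnstile actually work: a small HTTP/1.x header parser plus two filter policies, one that only checks that a User-Agent is present and the request is well formed, and one that additionally applies a substring denylist. The denylist markers and the sample requests are constructed for illustration.

```python
"""Presence-only versus content-based User-Agent policies.

Added example for this page; not Cloudflare's code and not a description of
any real product's logic. Denylist entries and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed denylist of substrings; hypothetical, for illustration only.
KNOWN_BAD_UA_SUBSTRINGS = ("example-bad-scanner/", "constructed-scraper")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def parse_request_headers(raw: bytes) -> Optional[dict]:
    """Parse the header block of an HTTP/1.x request into a lowercase dict.

    Returns None when the request is malformed (bad request line, a header
    line without a colon, non-ASCII bytes, or no terminating blank line),
    i.e. the "corrupted HTTP request" category mentioned in the thread.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if "\r\n\r\n" not in text:
        return None
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def presence_only_policy(raw: bytes) -> Verdict:
    """Policy A: the request must parse and must carry a non-empty User-Agent.
    Nothing about the header's contents is examined."""
    headers = parse_request_headers(raw)
    if headers is None:
        return Verdict(False, "malformed request")
    if headers.get("user-agent", "") == "":
        return Verdict(False, "user-agent missing or empty")
    return Verdict(True, "ok")


def content_policy(raw: bytes) -> Verdict:
    """Policy B: Policy A plus a substring denylist on the header's value.
    This is the 'except blocking known bad ones' case the thread debates:
    once a denylist exists, the verdict depends on the header's contents."""
    base = presence_only_policy(raw)
    if not base.allowed:
        return base
    ua = parse_request_headers(raw)["user-agent"]
    for marker in KNOWN_BAD_UA_SUBSTRINGS:
        if marker in ua:
            return Verdict(False, f"denylisted user-agent marker: {marker}")
    return Verdict(True, "ok")


# Constructed sample requests for a quick self-check.
REQ_NO_UA = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
REQ_OK = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
REQ_BAD = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
           b"User-Agent: example-bad-scanner/1.0\r\n\r\n")
REQ_CORRUPT = b"GET / HTTP/1.1\r\nHost example.com\r\n\r\n"  # header without ':'

if __name__ == "__main__":
    for name, req in [("no-ua", REQ_NO_UA), ("ok", REQ_OK),
                      ("bad", REQ_BAD), ("corrupt", REQ_CORRUPT)]:
        print(name, presence_only_policy(req), content_policy(req))
```

Running it shows the point of the argument: REQ_BAD passes the presence-only policy and fails the content policy, so the moment a denylist is added the filter has "logic based on the contents", even if the allowed set is otherwise open.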

According to a company representative, CF requires a UA header, checks the contents of the UA header and blocks access to websites based on strings contained in the UA header that match "known bad ones" as part of its commercial "bot protection" services.

None of this implies that using a string that is a "known good one" is enough to satisfy the CF challenge. But CF still requires people to send CF a UA string. Right.

It seems that CF wants to mandate exclusive use of certain clients to access the web, "as a service", presumably ones that are preferred by so-called "tech" companies that sell advertising services.

Imagine if this type of restriction was imposed on CF itself and some third party blocked CF's access to the www unless CF used the software chosen by the third party or the third party's clients.

The www is supposed to be a means of accessing public information. From what I've seen many if not most of these websites blocked by CF "bot protection" are in fact comprised of public information.