CloudFlare Speed Brain feature can randomly break DotVVM applications

|
Publikováno:

Recently, we have run into an issue on several public-facing sites running on DotVVM 4.0+. When navigating between the pages on the site, we started seeing random errors like this:

request rejected: Pages can not be loaded using Javascript for security reasons. Try refreshing the page to get rid of the error. If you are the developer, you can disable this check by setting DotvvmConfiguration.Security.VerifySecFetchForPage.ExcludeRoute("Default"). [dest: empty, site: none]

Verify Sec-Fetch is one of the security features added in DotVVM 4.0, that shall prevent malicious scripts to interfere with DotVVM when it sends HTTP GET to load the page from the server. This is turned on by default – we did not expect it may cause issues, and for many months, it did not.

However, CloudFlare, a popular service that basically puts a proxy server in front of your site to provide a lot of interesting features, started rolling out their Speed Brain feature. The feature tries to prefetch pages before you click on them to speed up the navigation.

Because the feature is currently in beta, even when it is enabled in CloudFlare portal (which it is by default), it may not be active all the time. This makes the issue occur randomly and it may be tricky to reproduce.

The same issue will probably occur if you use any other prefetching library. DotVVM basically checks whether the page was loaded by the standard HTTP GET request, or whether it was provided by some JavaScript code.

Workaround 1: Disable CloudFlare Speed Brain (or other prefetching library)

The easiest way is to disable this feature in CloudFlare portal.

Disabling CloudFlare Speed Brain for the entire site

Workaround 2: Disable VerifySecFetchForPages in DotVVM configuration

If you plan to use any prefetching technology, you may want to disable this security feature as it does not make sense. You can do so only for particular pages, or for the entire application:

// disable feature for all pages
config.Security.VerifySecFetchForPages.ExcludeForAllRoutes();

// disable feature for a single page
config.Security.VerifySecFetchForPages.ExcludeForRoute("Default");


Please note that these workarounds may be temporary. The feature is still in beta and its behavior may be changed, and we are evaluating whether we can use Content Security Policy or Speculation Rules API to control whether the prefetching on the site is allowed.

Tomáš Herceg
Tomáš Herceg

BIO: 

I am the CEO of RIGANTI, small software development company located in Prague, Czech Republic.

I am a Microsoft Regional Director and Microsoft Most Valuable Professional.

I am the author of DotVVM, an open source .NET-based web framework which lets you build Line-of-Business applications easily and without writing thousands lines of Javascript code.

Ostatní články z kategorie: DotVVM Blog