[Webkit-unassigned] [Bug 279895] New: Cannot visit Cloudflare-protected https://www.rkz.nl/ with Safari When "Hide My IP" and "Cross-Site Tracking" Protections Are Enabled
bugzilla-daemon at webkit.org
Wed Sep 18 08:01:58 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=279895
Bug ID: 279895
Summary: Cannot visit Cloudflare-protected https://www.rkz.nl/
with Safari When "Hide My IP" and "Cross-Site
Tracking" Protections Are Enabled
Product: WebKit
Version: Safari 18
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: HenkPoley at gmail.com
I am unable to access the website of a burn-care hospital (https://www.rkz.nl/) that contains medical information and patient dossiers when using Safari (tested on versions 17 and 18) with both "Hide My IP" and "Cross-Site Tracking" protections enabled. The page remains stuck at loading.
The issue appears to be related to Cloudflare's interaction with Safari's privacy features, particularly when using iCloud Private Relay and Cross-Site Tracking protection. Other browsers, even those that also use WebKit on iPhone, like Google Chrome, Firefox Focus, and Microsoft Edge, do not experience this problem.
**Steps to Reproduce:**
1. Open Safari (v17 or v18) on macOS or iOS.
2. Ensure that "Hide My IP" (iCloud Private Relay) is ENabled.
3. Navigate to https://www.rkz.nl/.
4. Observe that the page stalls indefinitely.
1. Open Safari (v17 or v18) on macOS or iOS.
2. Ensure that "Hide My IP" (iCloud Private Relay) is DISabled, and "Cross-Site Tracking" protection is ENabled.
3. Navigate to https://www.rkz.nl/.
4. Observe that the page stalls on a (Cloudflare) verification screen with the message "wacht terwijl de aanvraag wordt gecontroleerd..." (English: "wait while the request is being checked") indefinitely.
**Expected Behavior:**
The website should load properly, or at the very least, Safari should provide a prompt to temporarily disable the relevant privacy protections for this specific site.
**Observed Behavior:**
The page does not load, getting stuck on loading, or on a Cloudflare protection screen with no further action. Disabling IP hiding globally in Safari settings still leaves the page stuck on the Cloudflare verification screen, until "Cross-Site Tracking" protection is also disabled, after which the page finally loads.
**Additional Information:**
- The issue is specific to Safari, as other browsers (Google Chrome, Firefox, Microsoft Edge) do not encounter this problem, even when using WebKit-based browsers on iPhone.
- A related issue is that Qualys SSL Labs SSL Server Test cannot connect to the site either, returning the message: "Assessment failed: Unable to connect to the server" (potential Cloudflare blocks on iCloud Private Relay IP ranges). Link: https://www.ssllabs.com/ssltest/analyze.html?d=www.rkz.nl
- Running `nmap -p 443 -sV www.rkz.nl` also results in error messages, indicating the server is returning a "Bad Request" rather than a more informative response like "200 OK" or a redirect.
- Port 80 is closed (not uncommon), HTTP/2 works, but HTTP/3 appears to be stuck.
- I was able to debug this, but I'm asking for someone who would not be able to figure out these steps.
**Related Feedback:**
This issue has also been submitted via Apple Feedback (FB14467023) in July 2024.
**Suggested Action:**
Could you investigate why Safari's privacy protections are causing the website to fail to load, and whether Safari could provide a prompt to temporarily disable these protections for specific trusted sites, such as those protected by Cloudflare?
And maybe I can forward some Cloudflare WAF configuration hints to rkz.nl? I can imagine that Cloudflare WAF can check traffic coming in through iCloud Private Relay (also hosted on Cloudflare) for unique Apple Account users or something.