HughParry's comments

Please don't capture my cursor on your homepage, and if you have to, please don't apply smoothing to it so that it doesn't go where I want it to! I appreciate that it's pretty, but making your site annoying to use can only increase churn.


RIP Danya <3


The outage did make me realise I’d be happier watching episodes of House instead


Most services appear to work, aside from actual video streaming for me


YouTube music is 95% broken for me too. UK.


Posted on the other thread as I thought it was pretty interesting:

>Roughly 0.5% odds on him on polymarket before he was announced


EDIT: I was wrong, he was quite down the list! He only appears in the chart because he ultimately won, so higher contenders dropped off.

--

He seemed to hover around 1%, which was the second highest behind Tagle (~20%)

https://polymarket.com/event/who-will-be-the-next-pope?tid=1...


That link isn't showing most of the options. I believe there were at least 10 above him. Just individually look at the lines for Zuppi, Pizzaballa, Sarah, etc.


I don't understand what people were basing that on; the conclave is a completely secret process?


The winning lottery numbers are a secret too before they're drawn; people just like to gamble.


Roughly 0.5% odds on him on polymarket before he was announced


Just had a look - looks like pretty regular/reasonable cloudflare default stuff as far as I can tell. The headers relating to error reporting are the only thing that stand out a little, though it doesn't look unreasonable.

---
Headers
---
HTTP/2 301
date: Fri, 24 Jan 2025 13:59:51 GMT
content-type: text/html
content-length: 167
location: <the website in question>
cache-control: max-age=3600
expires: Fri, 24 Jan 2025 14:59:51 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JZu4FOa%2ByynaFOXWYlxaePF9KdRQ0qGUJkfm1F1aK2m3VEx6idlvWlb5go%2B08hgSog1zm1zuMobXcVK2BkR4mQD0SEGU%2Bzp2oC6mXPgQs%2FUzvOH7LbqAG96jtf9KNqemV8Q%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 90708be24810e8fe-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=59748&min_rtt=41108&rtt_var=43898&sent=7&recv=8&lost=0&retrans=1&sent_bytes=3535&recv_bytes=789&delivery_rate=33797&cwnd=225&unsent_bytes=0&cid=e5052200af7e27a5&ts=145&x=0"


If you are seeing 301s logged on your end that is your site redirecting to another one.

There isn’t a way to see what a referring site did to do the redirect (301 or 302 or even a js redirect) in your logs. All you’ll see is (potentially) the Referer http header.


Presumably just throwing a 403 if they have this referrer is ok and won't have a weird SEO impact or something?


Couldn't the attacker evade that by sending Referrer-Policy: no-referrer with their redirect?


Good shout. Can always block based on origin header though (when under the assumption that it's a legit browser) since it's a forbidden header name.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Or...


Neither the Origin nor the Referer headers have anything to do with a 301 redirect.


I just tested on firefox and it doesn't send the "Origin" header when using referrerpolicy="no-referrer". It's also not present when navigating using the url bar directly.


Sounds like a security flaw that browsers honor this.


Referer is not a security mechanism.


I didn't say it was. Browsers display an alert when full-screen mode is activated. Full-screen mode isn't a security feature, but the browser does something the website developer can't control so that users can conclude that something fishy isn't going on. I think the ability for one website to hide that they've redirected to another is a vulnerability.


I'm inclined to agree that websites should know when they're the target of a redirect but that has nothing to do with Referer! That header does not work the way so many seem to think it does. As I've laid out elsewhere in this thread, HTTP redirects do not show up in Referer under any circumstances. Right now, one site doesn't have to do anything to "hide" that it's part of a redirect chain, since there's no tracking of that chain to begin with.
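The Referer/Origin gating discussed in this sub-thread, with its blind spots made explicit, as an added example that is not from any commenter. It assumes request headers arrive as a dict with lower-cased names (as a WSGI/ASGI middleware would see them); the blocklist hosts and sample requests are constructed.

```python
"""Referer/Origin-based request gating and why absence of both proves nothing."""
from urllib.parse import urlsplit

# Constructed blocklist: domains observed 301-redirecting into the site.
BLOCKED_HOSTS = {"verbmydomain.example", "othermydomain.example"}


def _host(value):
    """Lower-cased host of a URL-valued header, or None if absent/unparseable.

    Origin can legitimately be the literal "null", which has no host.
    """
    if not value:
        return None
    try:
        return (urlsplit(value).hostname or "").lower() or None
    except ValueError:
        return None


def decide(headers, blocked=BLOCKED_HOSTS):
    """Return (status, reason) for a request.

    403 only when Referer or Origin names a blocked host. A missing header is
    allowed, which is exactly the evasion raised above: the redirecting site can
    send Referrer-Policy: no-referrer, and browsers omit Origin on plain
    navigations anyway, so a request with neither header is indistinguishable
    from a direct visit.
    """
    for name in ("referer", "origin"):
        host = _host(headers.get(name))
        if host and host in blocked:
            return 403, f"{name} host {host} is blocked"
    if "referer" not in headers and "origin" not in headers:
        return 200, "no referer/origin: direct visit, no-referrer policy, or opaque redirect"
    return 200, "referer/origin not on blocklist"


# Constructed requests illustrating each outcome.
SAMPLES = {
    "blocked_referer": {"referer": "https://verbmydomain.example/"},
    "blocked_origin": {"origin": "https://othermydomain.example"},
    "null_origin": {"origin": "null"},
    "no_headers": {},
    "benign": {"referer": "https://news.ycombinator.com/item?id=1"},
}
```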


No, and the earlier you do it the better.

Later it might have


Don't have an affiliate program, and I don't think we've got anything to suggest we will have one in the future (frankly our billing process is pretty bare bones and affiliate stuff isn't something we're looking at right now).

We're a small bot security/captcha company and pretty regularly get various attacks thrown at us - figuring out if somebody is up to something more along those lines was my main concern.


Sure, but it's not their site, it's mine!

And they're not obvious mouse slips like redirecting googl.com -> google.com - they're more of the form <verb>mydomain.com.

I was mostly interested in what the actual play from them here is tbh


Maybe they’ll try to build up traffic to your site from those domains and then push to sell them to you/extort by removing the redirects?


Just feels like such an odd play lol. If they could organically generate leads/traffic that I'd be willing to get extorted over, then surely they would also have the means to start a marketing agency that I'd be willing to pay far more for?

