Allow read access to documentation

[mk-pmb]

One more step
Please complete the security check to access eslint.org

I know, Cloudflare is all the hype. May I please read the docs anyway, without having to get Google's permission first? It's none of Google's business when and where I'm trying to read about which eslint rule.

Update: Alternatively, could you redirect to the appropriate markdown file here on Github? They're bold enough to dare and let me read 'em. Or at least add the link to the captcha page?

[ilyavolodin]

Sorry, I have never seen this before. How can this be reproduced? If google somehow requests you to complete security check to just see our pages, I think we might have to rethink this whole https through Couldflare.

[mk-pmb]

Sorry, I have never seen this before.

No problem, here's a screenshot (taken from another domain but it's generic)

How can this be reproduced?

Just request the page from any IP that cloudflare doesn't like. This includes most TOR exit nodes so TOR probably is the easiest approach to see it.

If google somehow requests you to complete security check to just see our pages,

Actually it's Cloudflare. They just happen to use google captchas most of the time. Some fellow webmaster who's also a Cloudflare victim found an option for his domain to just configure it less paranoid and still use CF for whatever supposed benefits.

I think we might have to rethink this whole https through Couldflare.

If you do, also consider these other reasons why not to use Cloudflare. :-)

[not-an-aardvark]

This is probably part of Cloudflare's anti-DDoS measures when it detects an unusual amount of traffic to a site from a particular IP. I think we can configure the site on Cloudflare to loosen/turn off spam protection.

[mk-pmb]

to loosen/turn off spam protection.

If spam protection is the problem, I suggest whitelisting HTTP GET requests and fixing any script that saves user input submitted via GET.

[not-an-aardvark]

This is a static site, so I think all requests are GET requests. We haven't actually had any problems with spam in the past -- I think this is just happening based on Cloudflare's default settings.

[platinumazure]

Do we want to make a change here?

[mk-pmb]

As long as you're still using Cloudflare, please configure it more sensibly: Not everything that has an @ in it is an email address. The timeline on https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes is rather useless when all package names are replaced with [email protected], and I can't see a good reason why disclosure of this information should be limited to people who volonteer to execute of some random blob of JS in their browser.

Update: Found the uncensored version here on Github. The existence of the uncensored version here, makes the censoring on the easy-to-find site look even more like an accident. I hope you do understand all the tools you use, and have reasons that just aren't obvious to me.

[not-an-aardvark]

@kborchers Can we turn off the "Email Address Obfuscation" Cloudflare feature on eslint.org? It seems to be resulting in some false positives. The setting seems to be under "Scrape Shield", described here.

It would also be nice to turn the ratelimiting down a few notches since it seems to be causing problems for a few people, although I'm not sure exactly how that works.

Thanks!

[kborchers]

Email obfuscation has been removed. I am not aware of any rate limiting.

[not-an-aardvark]

Great, thank you!

[kaicataldo]

Is this still an issue?

[mk-pmb]

I'll do some sampling over the next few days. Right now via my current circuit I can see the rules docs.

[mk-pmb]

Looking good so far. 👍