CloudFlare Speed Brain feature can randomly break DotVVM applications


Recently, we have run into an issue on several public-facing sites running on DotVVM 4.0+. When navigating between the pages on the site, we started seeing random errors like this:

request rejected: Pages can not be loaded using Javascript for security reasons. Try refreshing the page to get rid of the error. If you are the developer, you can disable this check by setting DotvvmConfiguration.Security.VerifySecFetchForPage.ExcludeRoute("Default"). [dest: empty, site: none]

Verify Sec-Fetch is one of the security features added in DotVVM 4.0. It is meant to prevent malicious scripts from interfering with DotVVM when it sends an HTTP GET to load the page from the server. The check is turned on by default. We did not expect it to cause issues, and for many months, it did not.

However, CloudFlare, a popular service that basically puts a proxy server in front of your site to provide a lot of interesting features, started rolling out their Speed Brain feature. The feature tries to prefetch pages before you click on them to speed up the navigation.

Because the feature is currently in beta, it may not be active all the time, even when it is enabled in the CloudFlare portal (which it is by default). This makes the issue occur randomly, and it may be tricky to reproduce.

The same issue will probably occur if you use any other prefetching library. DotVVM basically checks whether the page was loaded by the standard HTTP GET request, or whether it was provided by some JavaScript code.
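
Because the rejections are intermittent, logging the request headers is a quick way to confirm that prefetch traffic is the cause. The ASP.NET Core middleware below is an added example, not part of DotVVM or of the original post; the `UseSecFetchDiagnostics` name and the logger category are hypothetical, and it assumes the prefetcher marks its requests with the `Sec-Purpose` header.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example (not DotVVM code): logs GET requests that did not come from a
// top-level navigation, so random rejections can be matched to prefetch traffic.
public static class SecFetchDiagnostics
{
    // Hypothetical extension method; register it before app.UseDotVVM<...>().
    public static IApplicationBuilder UseSecFetchDiagnostics(this IApplicationBuilder app)
    {
        var logger = app.ApplicationServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("SecFetchDiagnostics");

        return app.Use(async (context, next) =>
        {
            var request = context.Request;
            var dest = request.Headers["Sec-Fetch-Dest"].ToString();

            // A normal page load sends Sec-Fetch-Dest: document. The error in
            // this post reports "dest: empty", so only that case is logged.
            if (HttpMethods.IsGet(request.Method)
                && dest.Equals("empty", StringComparison.OrdinalIgnoreCase))
            {
                var purpose = request.Headers["Sec-Purpose"].ToString();
                // Assumption: the prefetcher marks its requests with Sec-Purpose.
                bool prefetch = purpose.Contains("prefetch", StringComparison.OrdinalIgnoreCase);

                logger.LogWarning(
                    "Non-navigation GET {Path}: dest={Dest} site={Site} mode={Mode} purpose={Purpose} prefetch={Prefetch}",
                    request.Path.Value, dest,
                    request.Headers["Sec-Fetch-Site"].ToString(),
                    request.Headers["Sec-Fetch-Mode"].ToString(),
                    purpose, prefetch);
            }

            await next();
        });
    }
}
```

Log entries with `prefetch=True` whose timestamps match the rejected requests point to a prefetcher rather than to a script on the page.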

Workaround 1: Disable CloudFlare Speed Brain (or other prefetching library)

The easiest way is to disable this feature in the CloudFlare portal.

Disabling CloudFlare Speed Brain for the entire site

Workaround 2: Disable VerifySecFetchForPages in DotVVM configuration

If you plan to use any prefetching technology, you may want to disable this security feature, because the check does not make sense in that setup. You can disable it only for particular pages, or for the entire application:

// disable feature for all pages
config.Security.VerifySecFetchForPages.ExcludeForAllRoutes();

// disable feature for a single page
config.Security.VerifySecFetchForPages.ExcludeForRoute("Default");


Please note that these workarounds may be temporary. The feature is still in beta and its behavior may change, and we are evaluating whether we can use Content Security Policy or the Speculation Rules API to control whether prefetching is allowed on the site.

Tomáš Herceg

BIO: 

I am the CEO of RIGANTI, a small software development company located in Prague, Czech Republic.

I am a Microsoft Regional Director and Microsoft Most Valuable Professional.

I am the author of DotVVM, an open source .NET-based web framework which lets you build Line-of-Business applications easily and without writing thousands of lines of JavaScript code.
