XF2 Basic [DigitalPoint] App for Cloudflare 1.7.7

  • Added link for info about why each Cloudflare token permission is needed
  • Updated deep links into R2 buckets to use new URL endpoint
  • Suppress Cloudflare rate limit error when purging URLs from cache when guest page caching is enabled (a very high traffic site could hit API rate limits if there's a zillion posts flowing in at once)
  • Better handling of situation where Cloudflare API is down/unavailable
  • Cloudflare Workers that are created for the image proxy and unfurl proxy have been rewritten to be ES Modules instead of Service Workers
  • Removed "Security -> Privacy Pass Support" setting (it's been deprecated by Cloudflare and is no longer used)
  • The Cloudflare Fonts option ID has changed. This addresses that (it's what I get for giving the ability to toggle options that Cloudflare has deemed "beta"... they are subject to change).
  • Added a sanity check so if future option IDs change, it won't throw an error (along with not being able to change them). Instead, that option won't change until the ID is updated.
  • Completely revamped how the bot management API is handled
  • Added Super Bot Fight mode settings as controllable options (options enabled/available to be toggled will ultimately depend on what your Cloudflare plan allows):
    • Likely Automated
    • Definitely Automated
    • Verified Bots
    • Static Resource Protection
    • Optimize For WordPress
    • JavaScript Detections
Better handling of unexpected Cloudflare API changes.
Cloudflare changed API results for bot management, but only for paid plans. This addresses that.
  • Added support for new Cloudflare setting: Speed -> Optimization -> Content Optimization -> Cloudflare Fonts
  • When using "Easy config", set "Security level" to "Essentially off" (was set to "Medium" before)
  • Easy config enables Cloudflare Fonts
IMPORTANT for existing users: New functionality requires 1 additional API permission in order to use the new function. You can go to your Cloudflare API Tokens, edit the token you have and add the following permission:
  • Account.Billing: Read
At this point, you should have a total of 19 permissions for your API token.
  • Added sanity check to make sure attachment data exists when using presigned URLs for R2 attachments (helpful in certain cases when using XFMG).
  • Added ability to use Token Authentication system for attachments stored in R2 (needs new permission... see above). This only works for zones that are not on the Free tier (which is why the billing permission is needed to check if the zone is on a paid plan or not).
  • Update Chart.js to v4.4.0
  • All JavaScript has been rewritten to be "native" (does not use jQuery) in preparation for removal of jQuery in XenForo 2.3.
  • When using guest page caching, no longer try to fetch a new CSRF token for the user with a quick synchronous AJAX request (using Sec-Fetch-Site HTTP request header [a more modern replacement for CSRF tokens])
Made a fairly substantial internal change to the guest page caching system... it no longer needs to do a quick AJAX request to fetch a CSRF token for guests. Instead we are using the Sec-Fetch-Site HTTP request header which is more or less supported by all browsers now (CSRF tokens aren't really needed anymore).

Was going down the path of trying to do a synchronous AJAX request in native JavaScript (rewriting for XF 2.3) and then trying to handle a bunch of one-off situations where XenForo is injecting CSRF tokens into certain GET requests because they are using GET to mutate user state for some reason... just was getting too kludgey and cumbersome. And since CSRF isn't really needed anymore these days, I decided to take the cleaner/simpler route (which will also make sites faster). Just use Sec-Fetch-Site instead of CSRF... problem solved. :)

Maybe it's worthwhile to check out the suggestion that XenForo does away with CSRF in its core: https://xenforo.com/community/threa...ion-cloudflare-full-html-page-caching.202315/
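
The server-side decision behind a Sec-Fetch-Site check, written out as an added example; it is not the add-on's code (which runs as PHP inside XenForo), and the function names, options, route and the forum.example origin are assumptions. It covers the state-changing GET routes mentioned above and the case where a browser sends no Sec-Fetch-Site header at all.

```javascript
// Added example: names and options are hypothetical, not the add-on's.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Case-insensitive lookup in a plain { name: value } header object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim().toLowerCase();
}

// Decide whether a request may change user state.
// opts.origin: the site's own origin (constructed value below)
// opts.mutatingGetPaths: GET routes that change state and so need the check too
// opts.allowSameSite: trust sibling subdomains (off unless set)
function checkStateChange(req, opts) {
  const method = req.method.toUpperCase();
  const mutatingGet = (opts.mutatingGetPaths || []).includes(req.path);
  if (SAFE_METHODS.has(method) && !mutatingGet) {
    return { allow: true, reason: "safe-method" };
  }
  const site = header(req.headers, "sec-fetch-site");
  if (site === undefined) {
    // Header absent: older browser, or a request to a non-HTTPS URL.
    // Fall back to comparing Origin; refuse when that does not match or is missing.
    const origin = header(req.headers, "origin");
    return origin === opts.origin.toLowerCase()
      ? { allow: true, reason: "origin-match" }
      : { allow: false, reason: "no-origin-match" };
  }
  switch (site) {
    case "same-origin":
      return { allow: true, reason: "same-origin" };
    case "none": // typed URL or bookmark, not triggered by another site
      return { allow: true, reason: "user-initiated" };
    case "same-site":
      return opts.allowSameSite
        ? { allow: true, reason: "same-site-allowed" }
        : { allow: false, reason: "same-site" };
    default: // "cross-site" or any unrecognised value
      return { allow: false, reason: "cross-site" };
  }
}

// Constructed sample: a cross-site form post against a constructed origin and route.
const OPTS = { origin: "https://forum.example", mutatingGetPaths: ["/account/dismiss-notice"] };
const SAMPLE = { method: "POST", path: "/posts/1/react", headers: { "Sec-Fetch-Site": "cross-site" } };
console.log(checkStateChange(SAMPLE, OPTS));
```
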