The Natural Philosopher wrote:

Andy Burns wrote:

the proper tickets iframe doesn't rely on sameorigin

it did wiv me i think

I didn't see any X-* reply headers at all in firefox tools,
interestingly I was just going to use curl to look at the headers a
different way and whaddayaknow? That ****es off cloudflare with the
same error the O/P was getting (and it does give me a sameorigin header)
wonder if cloudflare dislikes the Agent string, has the O/P customised
theirs?


C:\Users\Andycurl -v
https://tickets.nottinghamplayhouse....ginlogout.aspx

* Trying 104.16.235.68...
* TCP_NODELAY set
* Connected to tickets.nottinghamplayhouse.co.uk (104.16.235.68) port
443 (#0)
* schannel: SSL/TLS connection with tickets.nottinghamplayhouse.co.uk
port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 204 bytes...
* schannel: sent initial handshake data: sent 204 bytes
* schannel: SSL/TLS connection with tickets.nottinghamplayhouse.co.uk
port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with tickets.nottinghamplayhouse.co.uk
port 443 (step 2/3)
* schannel: encrypted data got 2707
* schannel: encrypted data buffer: offset 2707 length 4096
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with tickets.nottinghamplayhouse.co.uk
port 443 (step 2/3)
* schannel: encrypted data got 258
* schannel: encrypted data buffer: offset 258 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with tickets.nottinghamplayhouse.co.uk
port 443 (step 3/3)
* schannel: stored credential handle in session cache
GET /nottinghamplayhouse/website/secure/loginlogout.aspx HTTP/1.1
Host: tickets.nottinghamplayhouse.co.uk
User-Agent: curl/7.55.1
Accept: */*

* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 1099
* schannel: encrypted data buffer: offset 1099 length 103424
* schannel: decrypted data length: 1070
* schannel: decrypted data added: 1070
* schannel: decrypted data cached: offset 1070 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 1070 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 1070
* schannel: decrypted data buffer: offset 0 length 102400
HTTP/1.1 403 Forbidden
Date: Tue, 20 Apr 2021 18:45:20 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache,
must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cfduid=d80cf341cd3b9997a53aa847839cc8e6816189443 20;
expires=Thu, 20-May-21 18:45:20 GMT; path=/;
domain=.tickets.nottinghamplayhouse.co.uk; HttpOnly; SameSite=Lax; Secure
cf-request-id: 099232fa610000065e781ee000000001
Expect-CT: max-age=604800,
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Set-Cookie:
__cf_bm=c785c8965362555c04f213e502fbd4990e90480b-1618944320-1800-AYRRNE6MkDDfiq17m021F+uVHZBqFkgmFohFQvFZcZWQA5rqy1 V/sJaF4BbS2zluLMcVrBgDMTV9DIvbkodAA6p7v8fMP/3NZ89fYiVRBvhM;
path=/; expires=Tue, 20-Apr-21 19:15:20 GMT;
domain=.tickets.nottinghamplayhouse.co.uk; HttpOnly; Secure; SameSite=None
Strict-Transport-Security: max-age=31536000
Server: cloudflare
CF-RAY: 643087709cf7065e-LHR

Andy Burns wrote:

I didn't see any X-* reply headers at all in firefox tools,
interestingly I was just going to use curl to look at the headers a
different way and whaddayaknow? That ****es off cloudflare with the
same error the O/P was getting (and it does give me a sameorigin header)
wonder if cloudflare dislikes the Agent string, has the O/P customised
theirs?

I'm not really sure what you are asking there.

I'm pretty sure that it is actually my IP address that Cloudflare
doesn't like. Browsing via Opera's VPN works with no issues.

My conclusion so far is that the X- thing is a red herring, and
only triggered by Cloudflare trying to tell me it doesn't like my
IP, but being paradoxically blocked from doing so by Playhouse
website security settings.

Chris
--
Chris J Dixon Nottingham UK
@ChrisJDixon1

Plant amazing Acers.

Chris J Dixon wrote:

I'm not really sure what you are asking there.

All I was saying is that using a browser, cloudflade doesn't block my IP
address, but if I use a command line tool to retrieve the same page, I
get the same 1020 error you did, so there are "other factors" that
cloudflare objects to, as well as IP addr.

One factor might be the UserAgent, so I was asking if you might have
installed a browser add-on to modify your UserAgent string?

I'm pretty sure that it is actually my IP address that Cloudflare
doesn't like. Browsing via Opera's VPN works with no issues.

My conclusion so far is that the X- thing is a red herring

It is, because the X- header definitely doesn't exist on the proper
Spektrix server, only the cloudflare server.

and only triggered by Cloudflare trying to tell me it doesn't like
my IP, but being paradoxically blocked from doing so by Playhouse
website security settings.
Yep, that's about the level of it.

Andy Burns wrote:

All I was saying is that using a browser, cloudflade doesn't block my IP
address, but if I use a command line tool to retrieve the same page, I
get the same 1020 error you did, so there are "other factors" that
cloudflare objects to, as well as IP addr.

One factor might be the UserAgent, so I was asking if you might have
installed a browser add-on to modify your UserAgent string?

Not knowingly. According to
https://www.whatismybrowser.com/detect/what-is-my-user-agent

My string is:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101
Firefox/87.0

Chris
--
Chris J Dixon Nottingham UK
@ChrisJDixon1

Plant amazing Acers.

On 20/04/2021 21:01, Chris J Dixon wrote:
Andy Burns wrote:

All I was saying is that using a browser, cloudflade doesn't block my IP
address, but if I use a command line tool to retrieve the same page, I
get the same 1020 error you did, so there are "other factors" that
cloudflare objects to, as well as IP addr.

One factor might be the UserAgent, so I was asking if you might have
installed a browser add-on to modify your UserAgent string?

Not knowingly. According to
https://www.whatismybrowser.com/detect/what-is-my-user-agent

My string is:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101
Firefox/87.0

Chris


JOOI on the website in question:

1. Have you tried Opera without the VPN turned on?

2. Have you tried Firefox/Edge/Chrome with Tunnelbear/windscribe VPN?


What were the results?

S.

SH wrote:

JOOI on the website in question:

1. Have you tried Opera without the VPN turned on?

Yes, usual error performance.

2. Have you tried Firefox/Edge/Chrome with Tunnelbear/windscribe VPN?

Windscribe allows Firefox access.

Chris
--
Chris J Dixon Nottingham UK
@ChrisJDixon1

Plant amazing Acers.

On 21/04/2021 08:39, Chris J Dixon wrote:
SH wrote:

JOOI on the website in question:

1. Have you tried Opera without the VPN turned on?

Yes, usual error performance.

2. Have you tried Firefox/Edge/Chrome with Tunnelbear/windscribe VPN?

Windscribe allows Firefox access.

Chris


Thats conclusive evidence that there's an IP addr being black listed,
which I think you know what the exact black listed IP is.

It might be worth starting up command prompt and do a:

Tracert (name of problematic website you are trying to access)

You will then get a list of IP's of all the machines on the route taken
between your PC and the remote website. The tracert command does take a
few minutes sometimes to run.

Note that depending on your Router setup, the router's WAN IP address
may not be revealed in the tracert but the Router's LAN address will be
revealed.

So to get the Router's WAN address, you can log into the router and have
a look around there.....

One of those entries should match the blacklisted IP.

You can then see if is your VM router's IP or a machine somewhere within
VM's network.

S.

SH wrote:

Thats conclusive evidence that there's an IP addr being black listed,
which I think you know what the exact black listed IP is.

Yes, I have posted it elsewhere in this thread. It is my current
dynamically allocated Virgin Media IP address.

Chris
--
Chris J Dixon Nottingham UK
@ChrisJDixon1

Plant amazing Acers.