Comment Re:Privacy nightmare (Score 1) 87
well, telling that cloudflare is a XSS is a little too much!
they do not care about any of the site data, they only care about their metrics and those all anonymized
i understand, but i work for one of those sites... and no, we can't expose one part without cloudflare, the few forgotten urls/sites not protected by cloudflare are quickly found down either to high load (from all the bots) or down due to some attack
you can have your own WAF and security team trying to do the same as cloudflare, but they actually work very well and are not expensive
i went to check, i allow javascripts from cloudflare.com, cloudflarestream.com, deny from cloudflareinsights.com as this is just performance metrics and less important. I also allow iframes from the first 2. That is all. you can probably try to only allow the challenge.cloudflare.com it is probably enough to pass the captcha, even if it detects you as a bot due not running the remaining scripts