A user reported subtitle download is not working in IINA (XMLRPC API). I debugged this and it is because instead of returning subtitle file contents the response to the GET request contains HTML, a web page with the title "Just a moment..." and text that says "Enable JavaScript and cookies to continue".
This seems to be a part of the Cloudflare challenge system attempting to confirm the request is coming from an actual human.
After reproducing the problem with the XMLRPC API I tested a development version of IINA that uses the REST API and did not encounter the Cloudflare problem. Either I got lucky and Cloudflare didn’t feel like putting up a challenge or the REST API does not have this problem.
This affects all apps using the XML-RPC API, including my Android app.
A web browser can handle the JavaScript returned by Cloudflare and ultimately handle the download. I wonder if a WebView would not be able to handle it. Seems a heavy workaround though.
I can confirm that this workaround works (tested on Android with WebView):
If a subtitle download request fails with a 403:
- spawn a WebView with the download URL and let Cloudflare do the check
- once the check is done, retrieve the cookie for the URL from the WebView Cookie Store
- now in your app, make the sub download request with your favorite HTTP client with these headers:
  - “Host: hostname of the download URL”
  - “User-Agent: the exact user-agent of the WebView”
  - “Cookie: the cookie returned by Cloudflare”
After you have successfully retrieved the Cookie, you can re-use it until it is eventually invalid (not sure if it ever expires). If that’s the case, retrieve a new Cookie with the same method.
I could be wrong, but from a quick read of Cloudflare documentation the workaround may not work in all cases. The idea behind the Cloudflare system is to reduce the number of times visitors are required to prove humanness by solving a CAPTCHA. From the blog post "The end of the road for Cloudflare CAPTCHAs":
"As a result, we can fine-tune the difficulty of the challenge itself and avoid showing visual puzzles to more than 90% of human requests, while at the same time presenting harder challenges to visitors that exhibit non-human behaviors."
This system is using heuristics to reduce, not eliminate, the need for a visitor to solve a CAPTCHA.
Cloudflare presented me with one of these puzzles when I was browsing the Open Subtitles web site using Firefox.
If Cloudflare decides for whatever reason to present an interactive challenge, how will the workaround react?
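An added example, not code from IINA, the Android app or any poster in this thread: one way a client could recognise the challenge page described in the first post and stop after a single cookie refresh, so that a challenge the WebView cookie does not clear ends in an error for the user instead of a retry loop. The function names, the `Action` values and the sample bodies are assumptions constructed for illustration.

```python
import re
from enum import Enum

# Markers quoted in the thread for the Cloudflare interstitial page.
CHALLENGE_TITLE = "Just a moment..."
CHALLENGE_TEXT = "Enable JavaScript and cookies to continue"
_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

# Constructed sample bodies (not captured traffic).
SAMPLE_CHALLENGE = (b"<!DOCTYPE html><html><head><title>Just a moment...</title>"
                    b"</head><body>Enable JavaScript and cookies to continue"
                    b"</body></html>")
SAMPLE_SRT = b"1\n00:00:01,000 --> 00:00:02,500\n<i>Just a moment...</i>\n"


class Action(Enum):
    SAVE = "save body as subtitle"
    REFRESH_COOKIE = "run the WebView step, then retry once"
    GIVE_UP = "challenge persists; report to the user"
    HTTP_ERROR = "unrelated HTTP failure"


def is_challenge_page(content_type: str, body: bytes) -> bool:
    """True when the body is the challenge HTML instead of subtitle data."""
    text = body[:65536].decode("utf-8", errors="replace")
    match = _TITLE_RE.search(text)
    title = match.group(1).strip() if match else ""
    head = text.lstrip().lower()
    # Require HTML so a subtitle line that quotes the markers is not flagged.
    looks_html = ("html" in content_type.lower()
                  or head.startswith(("<!doctype html", "<html")))
    return looks_html and (title == CHALLENGE_TITLE or CHALLENGE_TEXT in text)


def next_action(status: int, content_type: str, body: bytes,
                cookie_refreshed: bool) -> Action:
    """Decide what to do with one download response.

    cookie_refreshed: the WebView step already ran for this download.
    The body is checked whatever the status, since only one post names 403.
    """
    if is_challenge_page(content_type, body):
        # A challenge right after a refresh means the cookie did not help
        # (for example an interactive puzzle), so stop instead of looping.
        return Action.GIVE_UP if cookie_refreshed else Action.REFRESH_COOKIE
    if 200 <= status < 300:
        return Action.SAVE
    return Action.HTTP_ERROR
```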