scraper-cf challenge index

Validation surfaces for scraper-cf. Each link sits behind a different CF challenge type.

• Turnstile (visible widget)

  Standalone CF Turnstile widget; auto-submits to /api/protected on solve. Solver path: AntiTurnstileTaskProxyless.

  GET /turnstile

• Turnstile (on-demand, dash.cloudflare.com/login shape)

  Login-style form that loads the Turnstile API script in explicit-render mode but mounts the widget only when the user clicks Log in (window.turnstile.render() into a placeholder). At navigation time the DOM has no [data-sitekey], no .cf-turnstile, and no challenges.cloudflare.com iframes — exercises the watchdog path that must observe post-NavigationCompleteEvent mounts.

  GET /turnstile-on-demand

• reCAPTCHA Enterprise (balanced)

  Google reCAPTCHA Enterprise widget (action LOGIN). Server gates on Enterprise assessment score ≥ 0.5 when an API key is configured; falls back to token-only otherwise.

  GET /recaptcha

• reCAPTCHA Enterprise (hard)

  Same widget shape as /recaptcha but a stricter sitekey configured on Google's side and a higher pass threshold (score ≥ 0.7).

  GET /recaptcha-hard

• CF Managed Challenge

  Gated by a WAF Managed Challenge rule — CF picks interactive or invisible based on signals before the worker sees the request.

  GET /cf-managed

• CF Interactive Challenge

  Gated by a WAF Interactive Challenge rule — always renders the visible CF interstitial.

  GET /cf-interactive

• Cross-site OOPIF (single level)

  Outer page embeds an iframe pointing at SAFE_INNER_ORIGIN/safe (different eTLD+1). Mirrors Stripe-SAFE's single cross-site frame; verifies our walker reaches into one OOPIF.

  GET /safe-iframe/single

• Cross-site OOPIF (nested two-level)

  Outer → SAFE_MIDDLE_ORIGIN/m-outer → SAFE_INNER_ORIGIN/safe. Three distinct registrable domains, two cross-site boundaries, two separate OOPIF processes.

  GET /safe-iframe/nested

• Cross-site OOPIF (sandboxed)

  Single cross-site iframe with sandbox="allow-scripts allow-same-origin". Confirms the walker handles iframes that are both cross-site AND sandboxed.

  GET /safe-iframe/sandboxed

External targets

Production third-party sites used to validate the scraper against real-world challenge surfaces.

• Stripe Payment Link

  Real Stripe-hosted Payment Link. Outer (buy.stripe.com) frames js.stripe.com/v3/checkout-inner-origin-frame — same-site here (shared eTLD+1=stripe.com), but uses the same Origin-Agent-Cluster + frame-ancestors model that powers Stripe Elements OOPIFs on customer sites.

  https://buy.stripe.com/dRm9AV2xsbxX3p4cgoaR200

• hCaptcha demo

  hCaptcha's first-party demo page — visible widget bound to a publisher-test sitekey. Useful for validating hCaptcha solver paths (AntiHCaptchaTask) end-to-end against the real challenge surface, distinct from CF Turnstile and reCAPTCHA Enterprise.

  https://accounts.hcaptcha.com/demo

GET /api/health is unprotected and returns { ok: true }.