The issue is on CloudFlare's side. It is possibly related to lack of Origin: or References: in a POST request that is part of the turnstile workflow.
On a previous occasion, their support staff kept telling people their browsers were unsupported, until the matter was noticed by someone inside CloudFlare, and the issue then got fixed.
This time, their response to Moonchild chalks this down to "suspicious activity" or some custom rule, but does not even mention any kind of browser version limit. No, what is happening (and I've tested this enough to be sure of it) is that they are requiring a behaviour that was only implemented in (for the mozilla codebase) Firefox 70.0, and it is failing for browsers that don't behave in that way.
Let me state it clearly: CloudFlare checks (at least those of "turnstile"?) are rejecting legitimate browsers and users.
CloudFlare may as well have decided they want to reject all but a few browsers - it's their business - but then they should clearly advertise this. Their potential and current customers should be clearly told entering a deal with CloudFlare means they are limiting their user base to those using CloudFlare-approved browsers.
In the past, what happened with their "browser integrity check" appeared to be an error on CloudFlare's side which required such a behaviour (in that case, the Origin: header had to be always present) from all browsers even in fallbacks clearly meant for browsers that did not implement such behaviour. Now is this the case here too with turnstile or has CloudFlare decided to significantly change the purpose of their "protections" to do more than just banning e.g. bots?
This is affecting at least SeaMonkey and Pale Moon.
Sadly comments like [3] are realistic observations here; as I said, it's not the first time this happens. At least the support conversation at [2] isn't full of "your browser is outdated" like [4] from 2022 (when Cloudflare's servers were requiring Origin: on all requests, which I think is also what the hackernews thread at [5] was about).
On a previous occasion, their support staff kept telling people their browsers were unsupported, until the matter was noticed by someone inside CloudFlare, and the issue then got fixed.
This time, their response to Moonchild chalks this down to "suspicious activity" or some custom rule, but does not even mention any kind of browser version limit. No, what is happening (and I've tested this enough to be sure of it) is that they are requiring a behaviour that was only implemented in (for the mozilla codebase) Firefox 70.0, and it is failing for browsers that don't behave in that way.
Let me state it clearly: CloudFlare checks (at least those of "turnstile"?) are rejecting legitimate browsers and users.
CloudFlare may as well have decided they want to reject all but a few browsers - it's their business - but then they should clearly advertise this. Their potential and current customers should be clearly told entering a deal with CloudFlare means they are limiting their user base to those using CloudFlare-approved browsers.
In the past, what happened with their "browser integrity check" appeared to be an error on CloudFlare's side which required such a behaviour (in that case, the Origin: header had to be always present) from all browsers even in fallbacks clearly meant for browsers that did not implement such behaviour. Now is this the case here too with turnstile or has CloudFlare decided to significantly change the purpose of their "protections" to do more than just banning e.g. bots?
This is affecting at least SeaMonkey and Pale Moon.