Drupal's bot protection is severely broken with Firefox fingerprinting protection

Created on 26 June 2024

Drupal has a bot protection that triggers in a base Firefox with only fingerprinting resistance enabled. What's particularly annoying about this is that, due to the Firefox protections against fingerprinting and tracking breaking the cross-domain scripting that Drupal is relying on, not only does the bot detection JS challenge fallback now break (last year it used to at least render and allow you through, but with repeated prompting every X page clicks), but the "report an issue" feedback is also blocked - so likely Drupal would have no idea how many people were impacted, since no one can usefully complain. If anything, blocked users just get rolled into the "check out how many bots we blocked" stats.

There is also an if-all-else fails prompt to email help@drupal.org - I did try this once on a blocked machine, and got:
connect to smtp4.osuosl.org[140.211.166.137]:25: Connection timed out

Now, enabling fingerprinting in Firefox (or using Chrome) does solve this (if those are options for the user), but it is not at all obvious from what happens to the website, which is that browsing fails after the 2nd page load, with new page loads being restricted to once every half hour or so, and a full-page error with no obvious functionality.

It makes the site completely unusable. Even getting to pages on subjects like sales, security updates, support, basically anything, is impossible.

And yes, I'm sure this is only blocking a small number of users compared to the large number of bots it's blocking. The problem with measures like this, though, is that the impact of false positives is far higher than false negatives. Having escape valves could be useful, for example at least letting people hit static resources to check for security updates or download critical releases, or offering a less-broken bot challenge that would work due to being drupal.org hosted/proxied instead of cross-site scripting.

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by
