For me, this is why it makes sense: customers on Cloudflare sign up (at least in part) for Cloudflare to protect them against attacks.
Cloudflare is all about changing the "truth". When your site is behind Cloudflare, they block many requests to your site. The lock in the browser can be lies. Cloudflare is decrypting that content - and if the site owner hasn't set up TLS between Cloudflare and the backend, it's being re-transmitted over the internet unencrypted. On paid plans, Cloudflare will compress images and swap in their version. Cloudflare will compress an uncompressed response before returning it. Cloudflare will take the HTML returned by your backend and obfuscate any email addresses in that HTML before sending it along to the browser.
Your server returns a page with evil-polyfill/bad.js and Cloudflare inspects the HTML and rewrites it to say good-polyfill/good.js.
You might not want this behavior and you can shut it off in Cloudflare, but it seems like a reasonable default given that customers have signed up for a product meant to protect them against attacks. Cloudflare has never been about passing back the raw HTML it receives from the backend or passing along the raw requests it receives from browsers.
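The script-tag rewrite described in the comment above, sketched as an added example that is not part of the thread and is not Cloudflare's code. The `.example` hostnames, the `REWRITES` table and the choice to leave tags carrying an `integrity` attribute untouched are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping modelled on the comment's illustration; the ".example"
# hostnames are placeholders, not real services.
REWRITES = {("evil-polyfill.example", "/bad.js"): ("good-polyfill.example", "/good.js")}

# Constructed sample page: a commented-out tag, a plain tag, an SRI-pinned tag.
SAMPLE = (
    '<head>\n<!-- <script src="https://evil-polyfill.example/bad.js"></script> -->\n'
    '<script src="https://evil-polyfill.example/bad.js"></script>\n'
    '<script src="//evil-polyfill.example/bad.js" integrity="sha384-CONSTRUCTED"></script>\n'
    '<script src="/static/app.js"></script>\n</head>\n'
)

class ScriptSrcRewriter(HTMLParser):
    """Collect (start, end, replacement) edits for matching <script src> tags."""
    def __init__(self, html):
        super().__init__()
        self.edits, self.skipped = [], []
        # Absolute offset of each line start, to turn getpos() into an index.
        self.line_starts = [0] + [i + 1 for i, ch in enumerate(html) if ch == "\n"]
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return
        url = urlsplit(src)
        target = REWRITES.get((url.hostname, url.path))
        if target is None:
            return
        raw = self.get_starttag_text()
        if "integrity" in attrs or src not in raw:
            # An SRI hash pins the original bytes, so a swapped file would be
            # refused by the browser; entity-encoded values are not handled.
            # Either way the tag is reported instead of rewritten.
            self.skipped.append(src)
            return
        new_src = urlunsplit((url.scheme, target[0], target[1], url.query, url.fragment))
        line, col = self.getpos()  # position of the tag's opening "<"
        start = self.line_starts[line - 1] + col
        self.edits.append((start, start + len(raw), raw.replace(src, new_src, 1)))

def rewrite(html):
    """Return (html with matching script tags rewritten, list of skipped srcs)."""
    parser = ScriptSrcRewriter(html)
    out, pos = [], 0
    for start, end, replacement in parser.edits:
        out += [html[pos:start], replacement]
        pos = end
    out.append(html[pos:])
    return "".join(out), parser.skipped
```

Everything outside a matched start tag is copied through byte for byte, which is why the commented-out tag and `/static/app.js` survive unchanged.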
My question is when does Cloudflare start to inject ads into my content?
Is it a “shots fired” situation?
Because you know bullies and other bad people start testing the ground to see what they can get away with. That is why you slap them hard and quick on the first attempt right away so they see that they cannot fool around.
So I am asking can it be we have to say - well yeah technically they are right - but stop right there doing that and never do it again!
They could make terms that they don’t serve vulnerable things from their cache and it is up to the customer to update or fix it - but they shouldn’t overwrite stuff, period.
Who is the "we" here? If you're a Cloudflare customer, you're probably glad to have Cloudflare automatically defend your website against supply-chain attacks like this: after all, security is one of their selling points.
when does Cloudflare start to inject ads into my content
Your content, as in, you the developer who is making a website, and has set up Cloudflare in front of your website? Presumably they wouldn't inject ads into your website, or else you'd stop using Cloudflare: just change the nameservers in DNS to point to someone else.
Cloudflare's primary raison d'être is messing with the response they serve to users - to perform caching, to inject CAPTCHAs when they detect a DDoS attack, etc.
If you don't trust Cloudflare to not abuse this to inject ads, stop using Cloudflare.
They can mess with the response to make redirects/checks before my content is served, but my content is mine; they should only cache it and that is it.
If they serve ads on their captcha or some redirect I'd say well it is not nice - but for me the fundamental difference is messing with my content even in good faith - send me a notification, an email, or stop serving my content if it is active malware, but don't change it.
If you own a website and you really think this is a slippery slope, that it crosses some line in your sandpit, you can stop using Cloudflare.
But worrying about ad injection off the back of a legit good-guy action seems like an overreaction. They've always been able to alter the websites they serve. They do so frequently to optimise, and this seems like a very benign extension of that.