Troubleshooting

Banners or widgets are not displayed on third-party sites

When affiliates embed your banners (<img src=".../affiliate/banner/view/?b=...">) or widgets (<iframe src=".../affiliate/widget/view/...">) on their own sites, the request crosses origins. The module already ships the response headers needed for cross-origin embedding, so the most common reason a banner or widget does not render is that a layer above Magento is intercepting the request before it reaches the application.

CDN or WAF in front of your store

If your store is behind Cloudflare, Sucuri, Akamai, AWS WAF, or any similar service with bot protection, those layers run before the request reaches Magento. When a request comes from an unfamiliar referrer (the affiliate's site), the WAF often returns its own challenge page or a 403 — with restrictive headers attached — and the Magento response never reaches the browser.

Symptoms in the affiliate's browser DevTools Network panel:

  • Response status 403 with a body that looks like a "Just a moment..." or "Checking your browser" challenge page.
  • cf-mitigated: challenge header (Cloudflare specifically).
  • Failure type net::ERR_BLOCKED_BY_RESPONSE.NotSameOrigin for banner images, or "refused to connect" for widget iframes.

Fix: exempt the affiliate endpoints from bot challenges

Configure your CDN/WAF to skip security checks for the public affiliate URLs. The exemption must cover both the affiliate endpoints and the static assets the widget needs to render correctly inside the iframe (CSS, JavaScript, fonts, product images).

Cloudflare WAF Custom Rule (expression mode):

starts_with(http.request.uri.path, "/affiliate/banner/view") or
starts_with(http.request.uri.path, "/affiliate/widget/view") or
starts_with(http.request.uri.path, "/static/") or
starts_with(http.request.uri.path, "/media/")

Set the Action to Skip and select all WAF components: Super Bot Fight Mode, Browser Integrity Check, Managed rules, Custom rules, Rate limiting, Zone Lockdown.

If the same Cloudflare zone hosts multiple sites and you only want to exempt one, scope the rule by hostname:

http.host eq "your-store.example.com" and (
starts_with(http.request.uri.path, "/affiliate/banner/view") or
starts_with(http.request.uri.path, "/affiliate/widget/view") or
starts_with(http.request.uri.path, "/static/") or
starts_with(http.request.uri.path, "/media/")
)

Without the /static/ and /media/ exemptions, widget iframes may render with broken styles or missing product images, because each subresource request made inside the iframe is challenged separately, and a background load cannot complete a Turnstile challenge.

For other WAFs (Sucuri, Akamai, AWS WAF, etc.), apply the equivalent path-based bypass rule. The principle is the same: these four URL paths must reach Magento without bot interference.
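To tell a WAF challenge apart from an ordinary application error when checking these paths, the symptoms listed above can be turned into a small classifier. This is an added example, not code from the module; the function names (classify, needs_exemption, probe) and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Body markers of a challenge page, as quoted in the symptoms list above.
CHALLENGE_MARKERS = ("just a moment", "checking your browser")
# The four path prefixes the skip rule must cover.
EXEMPT_PREFIXES = ("/affiliate/banner/view", "/affiliate/widget/view",
                   "/static/", "/media/")


def classify(status, headers, body):
    """Return 'waf-challenge', 'blocked' or 'ok' for one response."""
    headers = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if headers.get("cf-mitigated") == "challenge":
        return "waf-challenge"
    if status == 403 and any(m in body.lower() for m in CHALLENGE_MARKERS):
        return "waf-challenge"
    return "blocked" if status >= 400 else "ok"


def needs_exemption(path):
    """True if the skip rule is expected to cover this path."""
    return path.startswith(EXEMPT_PREFIXES)


def probe(url, referer):
    """Request url with the affiliate page as Referer and classify the reply."""
    req = urllib.request.Request(url, headers={"Referer": referer})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, hdrs, raw = resp.status, resp.headers, resp.read(4096)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers and body
        status, hdrs, raw = err.code, err.headers, err.read(4096)
    return classify(status, dict(hdrs.items()), raw.decode("utf-8", "replace"))


# Constructed sample responses, not captured from a real store.
SAMPLES = [
    ("/affiliate/banner/view/", 403, {"CF-Mitigated": "challenge"}, "<title>Just a moment...</title>"),
    ("/static/widget.css", 403, {}, "Checking your browser before accessing"),
    ("/affiliate/widget/view/", 200, {"Content-Type": "text/html"}, "<div>widget</div>"),
    ("/media/catalog/p.jpg", 403, {}, "Forbidden"),
]

if __name__ == "__main__":
    for path, status, headers, body in SAMPLES:
        print(path, classify(status, headers, body), needs_exemption(path))
```

probe() needs network access and is not called by the sample run. A "blocked" result on an exempted path means the 403 did not look like a challenge page, so the cause is somewhere other than the bot challenge.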

Browser ad-blockers (banners only)

The URL pattern /affiliate/... matches default rules in EasyList and EasyPrivacy, used by uBlock Origin, AdBlock Plus, AdGuard, Brave Shields, DuckDuckGo Privacy Essentials, and most other content-blocking extensions. Visitors with these extensions installed will see the banner request killed locally with net::ERR_BLOCKED_BY_CLIENT and "Provisional headers are shown" in DevTools — the request never leaves the browser, so no server fix can help.

This is a fundamental limitation of any affiliate banner system on the open web. Affiliates can be advised to whitelist your domain in their own browser, but it cannot be enforced for end visitors. The widget endpoint is less affected, since iframe URLs are usually evaluated against different filter rules than image hotlinks.