I have a web, mobile, and desktop application that I’ve recently had to move behind Cloudflare to help prevent a string of recent attacks.
With the website, we allow communities to host an iFrame on their own domain that has oursite.com/?customlogin=something - These iFrames hosted on their own domain allow them to display a custom login page for their own users to see.
Now that this is moved behind Cloudflare, I’ve added a captcha to access the website. These iFrames are now blocked on our external users’ sites until they go to our main site and complete the captcha. The captcha will not display in an iFrame. Only after they complete the captcha on our main site will the iFrame properly display in the iFrame on their own domain.
Is there any way to get around this? Is it possible to still display Cloudflare’s captcha inside of an iframe? The x-frame-options for the captcha seems to be set to sameorigin.
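
Why a response sent with `X-Frame-Options: SAMEORIGIN` will not render inside a frame on another domain, as an added illustration that is not part of the original post: a simplified JavaScript model of the browser's framing check, extended to the CSP `frame-ancestors` directive that modern browsers consult first. The origins are constructed, and `framingDecision` and `matchSource` are hypothetical names.

```javascript
// Simplified model of a browser's framing check for a single response.
// headers: lower-cased names -> values; docOrigin: origin of the framed
// response; ancestors: origins of all embedding pages, nearest parent first.
// Origins are assumed to be normalised strings such as "https://host".
function framingDecision(headers, docOrigin, ancestors) {
  if (ancestors.length === 0) return { allowed: true, reason: 'top-level, not framed' };
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // When frame-ancestors is present, X-Frame-Options is not consulted.
    const sources = directive.slice(1);
    const allowed = ancestors.every(a => sources.some(s => matchSource(s, a, docOrigin)));
    return { allowed, reason: 'CSP frame-ancestors' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    // Every embedding page must share the framed document's origin.
    return { allowed: ancestors.every(a => a === docOrigin), reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: 'no framing restriction' };
}

// Matches one frame-ancestors source against one ancestor origin.
// Covers 'none', 'self', * and [scheme://][*.]host[:port] only.
function matchSource(source, ancestor, docOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestor === docOrigin;
  if (source === '*') return true;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const a = new URL(ancestor);
  if (scheme && a.protocol !== scheme.toLowerCase() + ':') return false;
  const defaultPort = a.protocol === 'https:' ? '443' : '80';
  if ((port || defaultPort) !== (a.port || defaultPort)) return false;
  const h = host.toLowerCase();
  return wildcard ? a.hostname.endsWith('.' + h) : a.hostname === h;
}

// Constructed case matching the post: a SAMEORIGIN response from the main
// site, embedded by a community page on a different domain.
console.log(framingDecision({ 'x-frame-options': 'SAMEORIGIN' },
  'https://oursite.example', ['https://community.example']));
```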