Fix –disable-web-security Turnstile regression

erik.alexander.lanni · February 14, 2025, 5:23am

Type

Product improvement

Description

Turnstile shouldn’t break when the Chrome flag –disable-web-security is used.

Benefit

Blind, disabled, and many other people rely on the Chrome flag –disable-web-security to allow Chrome extensions access to images on the webpage. Otherwise, reading these images results in a CORs security exception, since the chrome extension script is considered “loaded” after.

Originally, Turnstile allowed this flag. Now it results in an infinite loop redirect. As of February 4th, 2025, this has been broken.

Repro steps:

Launch chrome with --disable-web-security --user-data-dir="C:\temp\unlock" (Windows)
Every Cloudflare Turnstile site now rejects the browser with an infinite refresh loop.

Topic		Replies	Views
--disable-web-security regression Turnstile	19	205	February 13, 2025
Turnstile Broke My Websites And Now I Can't Login Security	17	2907	November 20, 2022
Infinite turnstile loop on Firefox across multiple sites Turnstile	0	532	May 21, 2024
Cloudflare Turnstile Verification Looping Turnstile	3	1102	March 4, 2025
Tunstile protected Sites aren't working in Chrome Turnstile	5	1080	January 9, 2024

Fix –disable-web-security Turnstile regression

Type

Description

Benefit

Related topics