How to make a cross-domain request when challenge is active?

When Cloudflare challenge is active and user passes the captcha, they receive cf_clearence cookie. But what if the site makes an xhr request to a subdomain which is also under protection?

Say, I have two sites like and On the former one there is a javascript sending xhr request to the latter. The problem is that the browser issues an OPTIONS request without cookies, so it gets blocked along with the original one.

What can I do in such a situation?

Not sure if this work, but depends on what’s triggering the CAPTCHA, you can create a firewall rule like this to bypass certain security features.


Thanks for the tip! Sorry for the long reply, I haven’t had the time to check it yet, but it does seem like a solution.

1 Like

In the end, we had to use allow instead of bypass, since the request got blocked by other rules. That solved part of the problem. Unfortunately, it didn’t work with IP Access Rules which we use in combination with fail2ban, since these rules get evaluated before firewall ones, as I understand it. In that case the problem with OPTIONS request remains.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.