Make `api.js` compatible with Cross-Origin-Embedder-Policy

Hi,

To integrate with Turnstile the docs suggest (https://developers.cloudflare.com/turnstile/get-started/#add-the-turnstile-widget-to-your-site) inserting <script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>. Unfortunately that does not work well with websites that specify Cross-Origin-Embedder-Policy: require-corp (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives) as the response headers for the script include neither Acess-Control-Allow-Origin (which would be needed for crossorigin="anonymous") nor Cross-Origin-Resource-Policy.

Would it be possible to include at least one of those headers for api.js?

3 Likes

Developper, this is of upmost importance. Turnstile is currently unusable for anyone using CORS !!!

Hey @dubov94 and @providers3, we’re working on fixing this issue, thanks for raising it to us!

2 Likes

Would it be possible to have an ETA on this BUGFIX ?

My understanding is that your side must include supporting CORS header response, and this look from very high above, quick to implement. But Would appreciate some context for ETA, as I need to make decision if we are moving forward with Turnstile or moving away.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.