Make `api.js` compatible with Cross-Origin-Embedder-Policy


To integrate with Turnstile the docs suggest ( inserting <script src=""></script>. Unfortunately that does not work well with websites that specify Cross-Origin-Embedder-Policy: require-corp ( as the response headers for the script include neither Acess-Control-Allow-Origin (which would be needed for crossorigin="anonymous") nor Cross-Origin-Resource-Policy.

Would it be possible to include at least one of those headers for api.js?


Developper, this is of upmost importance. Turnstile is currently unusable for anyone using CORS !!!

Hey @dubov94 and @providers3, we’re working on fixing this issue, thanks for raising it to us!


Would it be possible to have an ETA on this BUGFIX ?

My understanding is that your side must include supporting CORS header response, and this look from very high above, quick to implement. But Would appreciate some context for ETA, as I need to make decision if we are moving forward with Turnstile or moving away.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.