Make `api.js` compatible with Cross-Origin-Embedder-Policy

Hi,

To integrate with Turnstile the docs suggest (https://developers.cloudflare.com/turnstile/get-started/#add-the-turnstile-widget-to-your-site) inserting <script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>. Unfortunately that does not work well with websites that specify Cross-Origin-Embedder-Policy: require-corp (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives) as the response headers for the script include neither Acess-Control-Allow-Origin (which would be needed for crossorigin="anonymous") nor Cross-Origin-Resource-Policy.

Would it be possible to include at least one of those headers for api.js?

1 Like