Missing Cross-Origin Resource Policy (CORP) response header

Dear All,

As of today, Cloudflare Turnstile does not have the Cross-Origin Resource Policy (CORP) response header which leads the same error as described in Make `api.js` compatible with Cross-Origin-Embedder-Policy

Unfortunately the solution (Make `api.js` compatible with Cross-Origin-Embedder-Policy - #3 by mdemoura) is not in place.

Do you have any update?

/cc @mdemoura

Best regards,

1 Like

Were having this issue as well. Im not sure how anyone could use Turnstile without CORS headers added? We have no way of detecting the challenge error from Cloudflare and showing the user the challenge.

Same problem when these headers are set:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Currently I’m using FFMPEG.wasm and these headers are mandatory to use, because without them, SharedArrayBuffer could not be used.

1 Like

We’ve pushed out an update, do you still observe this issue?

Thanks, it seems to be okay now, but users still had to clear browser cache since the challenge file had been cached for a year (max-age=31536000 ).

Seems to be working now, thanks so much @mdemoura!