When you add Turnstile to a site, you add a link to the JS library hosted on Cloudflare,
I’d like to calculate the hash of this and add an integrity value to it, but the hosting site doesn’t have the CORS header for this. Cloudflare, is it possible to add this on your servers? Or is this header omitted intentionally?
I understand the JS code could change and make the check fail, but I’m ok with that. I also understand I could download the code and host it myself (or maybe not, I haven’t tried it), which also might break one day when Cloudflare makes changes.
I guess an alternative is for Cloudflare to publish the library as an NPM package designed for self hosting. Is that possible, Cloudflare?
Being able to opt-in into subresource integrity would be a very good move from a security POV. Great suggestion.
It’s important to note that Turnstile is not a library, but rather a service that provides CAPTCHA verification functionality. As such, it cannot be used directly with SRI, as SRI is designed to be used with libraries that are included in HTML pages using a tag.
Additionally, even if Turnstile were a library, it would not be possible to use SRI with it because Turnstile is a dynamic service that generates unique CAPTCHA challenges for each request. This means that the script URL for Turnstile will vary depending on the specific request, and it is not possible to use SRI to provide integrity protection for a dynamic URL like this.
In conclusion, I would recommend not trying to use SRI with the Turnstile service. Instead, you should rely on the API provided by Turnstile and trust that the service will continue to provide backwards compatibility for its customers. Messing with the script that is provided by Turnstile could break the service and cause problems for your application.