Subresource integrity/CORS for Turnstile JavaScript link

Hi,

When you add Turnstile to a site, you add a link to the JS library hosted on Cloudflare,

https://challenges.cloudflare.com/turnstile/v0/api.js.

I’d like to calculate the hash of this and add an integrity value to it, but the hosting site doesn’t have the CORS header for this. Cloudflare, is it possible to add this on your servers? Or is this header omitted intentionally?

I understand the JS code could change and make the check fail, but I’m ok with that. I also understand I could download the code and host it myself (or maybe not, I haven’t tried it), which also might break one day when Cloudflare makes changes.

I guess an alternative is for Cloudflare to publish the library as an NPM package designed for self-hosting. Is that possible, Cloudflare?

1 Like

Being able to opt-in into subresource integrity would be a very good move from a security POV. Great suggestion.

It’s important to note that Turnstile is not a library, but rather a service that provides CAPTCHA verification functionality. As such, it cannot be used directly with SRI, as SRI is designed to be used with libraries that are included in HTML pages using a <script> tag.

Additionally, even if Turnstile were a library, it would not be possible to use SRI with it because Turnstile is a dynamic service that generates unique CAPTCHA challenges for each request. This means that the script URL for Turnstile will vary depending on the specific request, and it is not possible to use SRI to provide integrity protection for a dynamic URL like this.

Furthermore, the backwards compatibility contract that Turnstile has with its customers only applies to the JavaScript API that is provided by Turnstile, and not to the internal calls that the API makes to the Turnstile service. Therefore, even if you were able to use SRI with Turnstile, it would not provide any guarantees about the backwards compatibility of the service itself.

In conclusion, I would recommend not trying to use SRI with the Turnstile service. Instead, you should rely on the API provided by Turnstile and trust that the service will continue to provide backwards compatibility for its customers. Messing with the script that is provided by Turnstile could break the service and cause problems for your application.

4 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.