WAF Challenge for scripts

What is the name of the domain?


What is the issue you’re encountering

Preflight CORS requests fail interactive challenge

What steps have you taken to resolve the issue?


What are the steps to reproduce the issue?

  1. pass an interactive challenge on a domain
  2. go to another domain website that loads resources from the initial domain
  3. Preflight CORS request will fail because the interactive challenge is in place and preflight requests do not include cookies (like the one CF sets to remember that this browser has passed the challenge)

Hi there,

As per: Challenges · Cloudflare Web Application Firewall (WAF) docs

Cross-origin resource sharing (CORS) preflight requests, or OPTIONS, exclude user credentials that include cookies. As a result, the cf_clearance cookie will not be sent with the request, causing it to fail to bypass a challenge page (non-interactive, managed, or interactive challenge).

Challenge will be under example.com/cdn-cgi/challenge-platform/
See: /cdn-cgi/ endpoint · Cloudflare Fundamentals docs