
Unable to sign up, Turnstile not loaded in CORS-friendly way

Open simonschmidt opened this issue 1 year ago • 3 comments

Preliminary Checks

  • [X] I have reviewed the documentation: https://clerk.com/docs
  • [X] I have searched for existing issues: https://github.com/clerk/javascript/issues
  • [X] I have not already reached out to Clerk support via email or Discord (if you have, no need to open an issue here)
  • [X] This issue is not a question, general help request, or anything other than a bug report directly related to Clerk. Please ask questions in our Discord community: https://clerk.com/discord.

Reproduction / Replay Link

n/a

Publishable key

n/a

Description

On a site with cross-origin-embedder-policy: require-corp it is not possible to sign up using email, as Turnstile fails to load with:

GET https://FRONTEND_API/cloudflare/turnstile/v0/api.js?render=explicit&_clerk_js_version=4.68.1 net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200 (OK)

Reproduce

  1. Ensure site has cross-origin policy headers set
  2. Bring up the sign-in popup, e.g. Clerk.openSignIn()
  3. Click "Sign up"
  4. Enter valid email address and password
  5. Click "Continue"

See error:

Sign up unsuccessful due to failed bot validation. Please refresh the page to try again or reach out to support for more assistance.

Workaround

Manually add a script tag with the crossorigin="anonymous" attribute. This works because the captcha loader checks if window.turnstile exists and, if so, does not try to load it again.

Potential fix

I think it can be fixed by passing in crossOrigin: 'anonymous' in captcha.ts as that should do the same thing as the workaround.

Environment

n/a

simonschmidt avatar Jan 09 '24 15:01 simonschmidt
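
Added example, not part of the original issue and not Clerk's code: a simplified model of why the script load without a crossorigin attribute is blocked under require-corp while a CORS-mode load is not, followed by the workaround described above. The page origin, the host standing in for FRONTEND_API, and the Access-Control-Allow-Origin response header are constructed assumptions.

```javascript
// Simplified model of the browser check behind
// ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep.
// Covers a subresource fetched with or without crossorigin="anonymous".
function coepDecision({ coep, pageOrigin, url, crossOrigin, responseHeaders }) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  if (new URL(url).origin === pageOrigin) return 'allowed: same-origin';
  if (crossOrigin === 'anonymous') {
    // CORS-mode fetch: the CORS check applies instead of the CORP check.
    const acao = h['access-control-allow-origin'];
    return acao === '*' || acao === pageOrigin
      ? 'allowed: CORS check passed' : 'blocked: CORS check failed';
  }
  // No crossorigin attribute: no-cors fetch, subject to CORP.
  const corp = h['cross-origin-resource-policy'];
  if (corp === 'cross-origin') return 'allowed: CORP cross-origin';
  if (corp === 'same-site') return 'undetermined: needs a same-site comparison';
  if (corp === 'same-origin') return 'blocked: CORP same-origin';
  // Missing CORP header: require-corp makes the default same-origin.
  return coep === 'require-corp'
    ? 'blocked: defaulted to same-origin by COEP' : 'allowed: CORP not required';
}

// Workaround from the issue: add the script yourself in CORS mode. The
// captcha loader skips its own load when window.turnstile already exists.
function preloadTurnstile(doc, win, src) {
  if (win.turnstile) return null; // already loaded, nothing to do
  const script = doc.createElement('script');
  script.src = src;
  script.crossOrigin = 'anonymous'; // same effect as crossorigin="anonymous"
  script.async = true;
  doc.head.appendChild(script);
  return script;
}

// Constructed sample values (assumptions, not taken from a real deployment).
const PAGE_ORIGIN = 'https://app.example';
const TURNSTILE_SRC = // frontend-api.example stands in for FRONTEND_API
  'https://frontend-api.example/cloudflare/turnstile/v0/api.js?render=explicit';
const SAMPLE_HEADERS = { // assumed: CORS header present, no CORP header
  'Content-Type': 'text/javascript', 'Access-Control-Allow-Origin': '*' };

// In a browser, apply the workaround before opening the sign-up flow.
if (typeof document !== 'undefined') {
  preloadTurnstile(document, window, TURNSTILE_SRC);
}
```

If the CORS-mode result is also "blocked", the response lacks a usable Access-Control-Allow-Origin header and the crossorigin attribute alone will not help.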

Hello 👋

We currently close issues after 40 days of inactivity. It's been 30 days since the last update here. If we missed this issue, please reply here. Otherwise, we'll close this issue in 10 days.

As a friendly reminder: The best way to see an issue fixed is to open a pull request. If you're not sure how to do that, please check out our contributing guide.

Thanks for being a part of the Clerk community! 🙏

clerk-cookie avatar Feb 29 '24 00:02 clerk-cookie

Bump

simonschmidt avatar Feb 29 '24 09:02 simonschmidt

So sorry @simonschmidt - something happened with our labeler here that got it messed up. We have this in our backlog and are planning to address!

jescalan avatar Mar 19 '24 20:03 jescalan