Ultraviolet Cloudflare Turnstile fails (true domain leaked?) ("Verifying you are human" page)

Cloudflare Turnstile fails (true domain leaked?) ("Verifying you are human" page)

Open itschasa opened this issue 11 months ago • 9 comments

will always get stuck on this page:

the captcha doesnt load, if anyone has any other results, please share.

Mar 20 '24 20:03 itschasa

known bug, will keep this issue open for discussion and possible fixes

Apr 20 '24 00:04 Percslol

seems like turnstile still works whilst inside an iframe, so this could be a fixable issue, however, is likely to be a cat and mouse game with captcha providers

Apr 20 '24 21:04 itschasa

I think this is an issue if you are deploying via a known big server provider (e.g. if the provider uses Hetzner), Cloudflare probably just blocks the IPs.

Apr 25 '24 15:04 madeline-yana

i see this in console when a captcha is attempted: [Cloudflare Turnstile] Ignored message from wrong origin: https://*site with captcha*.

maybe turnstile is getting the actual domain of the proxy, and using that to check Message events follow the corrent origin as part of a check? (or just because it uses postMessage to do the challenge)

this might be solvable, if we can find how turnstile is getting the true domain of the proxy

Apr 25 '24 15:04 itschasa

i see this in console when a captcha is attempted: [Cloudflare Turnstile] Ignored message from wrong origin: https://*site with captcha*.

maybe turnstile is getting the actual domain of the proxy, and using that to check Message events follow the corrent origin as part of a check? (or just because it uses postMessage to do the challenge)

this might be solvable, if we can find how turnstile is getting the true domain of the proxy