Reputation: 2539
I'm working on a site that I want to include Google's reCAPTCHA on.
If I add the following <script> tag to my <head>:
<script crossorigin="anonymous" src='https://www.google.com/recaptcha/api.js'>
</script>
I get the following error:
Access to Script at 'https://www.google.com/recaptcha/api.js' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
Okay, fine, fair enough. I can always disable CORS on Chrome when working on localhost. But the domain is www.google.com. I don't really feel comfortable sending an access-control-allow-origin header to anything that's on Google's root domain - that feels like a security hole you could drive a bus through.
How do I get around this with a reasonable production setting for dealing with cross origin concerns here?
Upvotes: 1
Views: 8464
Reputation: 944052
Remove crossorigin="anonymous".
Your page just needs to run the script. It has no need to ask for elevated privileges so your JS can access more information about it. If it threw an error then you wouldn't have access to Google's servers in order to correct it anyway.
Upvotes: 6
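As an added example (not part of the question or the answer), here is a simplified JavaScript model of how the Fetch standard's CORS check treats a cross-origin <script> for each crossorigin state, showing why the tag in the question is blocked and why it loads once the attribute is removed. The function names and result fields are hypothetical, and the response header sets are constructed.

```javascript
// Simplified model of a browser's <script src> fetch, not a browser API.
function scriptFetchPolicy(crossorigin) {
  // Attribute absent: classic "no-cors" load, no CORS check on the response.
  if (crossorigin === null || crossorigin === undefined) {
    return { mode: "no-cors", credentials: "include" };
  }
  // "", "anonymous" and any invalid value map to the anonymous state;
  // only "use-credentials" sends credentials on a cross-origin request.
  return crossorigin.toLowerCase() === "use-credentials"
    ? { mode: "cors", credentials: "include" }
    : { mode: "cors", credentials: "same-origin" };
}

function evaluateScriptLoad({ pageOrigin, scriptUrl, crossorigin, responseHeaders = {} }) {
  const policy = scriptFetchPolicy(crossorigin);
  if (new URL(scriptUrl).origin === pageOrigin) {
    return { ...policy, executes: true, errorDetailsVisible: true };
  }
  if (policy.mode === "no-cors") {
    // Script runs, but window.onerror only sees a muted "Script error.".
    return { ...policy, executes: true, errorDetailsVisible: false };
  }
  // CORS mode: the *script's server* must opt in via response headers.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const withCreds = policy.credentials === "include";
  const acao = h["access-control-allow-origin"];
  const originOk = acao === pageOrigin || (!withCreds && acao === "*");
  const credsOk = !withCreds || h["access-control-allow-credentials"] === "true";
  const pass = originOk && credsOk;
  // A failed check is a network error: the script never executes.
  return { ...policy, executes: pass, errorDetailsVisible: pass };
}

// The case from the question: origin and URL are from the page,
// the empty response header set is constructed to match the error message.
const base = {
  pageOrigin: "http://localhost:3000",
  scriptUrl: "https://www.google.com/recaptcha/api.js",
};
console.log(evaluateScriptLoad({ ...base, crossorigin: "anonymous" })); // blocked
console.log(evaluateScriptLoad({ ...base, crossorigin: null }));        // runs
```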