Cloudflare Turnstile fails (true domain leaked?) ("Verifying you are human" page)

[itschasa]

will always get stuck on this page:

the captcha doesnt load, if anyone has any other results, please share.

[Percslol]

known bug, will keep this issue open for discussion and possible fixes

[itschasa]

seems like turnstile still works whilst inside an iframe, so this could be a fixable issue, however, is likely to be a cat and mouse game with captcha providers

[madeline-yana]

I think this is an issue if you are deploying via a known big server provider (e.g. if the provider uses Hetzner), Cloudflare probably just blocks the IPs.

[itschasa]

i see this in console when a captcha is attempted:
[Cloudflare Turnstile] Ignored message from wrong origin: https://*site with captcha*.

maybe turnstile is getting the actual domain of the proxy, and using that to check Message events follow the corrent origin as part of a check? (or just because it uses postMessage to do the challenge)

this might be solvable, if we can find how turnstile is getting the true domain of the proxy

[Percslol]

i see this in console when a captcha is attempted: [Cloudflare Turnstile] Ignored message from wrong origin: https://*site with captcha*.

maybe turnstile is getting the actual domain of the proxy, and using that to check Message events follow the corrent origin as part of a check? (or just because it uses postMessage to do the challenge)

this might be solvable, if we can find how turnstile is getting the true domain of the proxy

yeah i just checked this, seems to be reproducible

fixing this might also solve #128

[Percslol]

yeah the iframe is sending the wrong location in the post message

[Percslol]

[itschasa]

yeah the iframe is sending the wrong location in the post message

would this be due to a bad rewrite of the captcha's js? they are heavily obfuscated so it'd make sense

[itschasa]

overriding the origin might need to be changed

Ultraviolet/src/client/message.js

Line 105 in 1d38959

overrideMessageOrigin() {