FriendlyCaptcha / friendly-challenge

The widget and docs for the proof of work challenge used in Friendly Captcha. Protect your websites and online services from spam and abuse with Friendly Captcha, a privacy-first anti-bot solution.
https://friendlycaptcha.com
MIT License

W3C Trace context headers #132

Closed dev-love closed 2 years ago

dev-love commented 2 years ago

Customer request:

Hi Friendly Captcha Team,

we recently activated some functions in our Azure Cloud infrastructure that automatically add the W3C Trace context headers (https://www.w3.org/TR/trace-context/) to all outgoing CORS Requests. To be exact, it is an ApplicationInsights feature that is called CorsCorrelation.

This currently breaks friendly-captcha integration, because our system now requests the following in the CORS headers, when asking for the puzzle using https://api.friendlycaptcha.com/api/v1/puzzle: "access-control-request-headers: request-id,traceparent,x-frc-client"

Your servers do not seem to be configured to allow the W3C trace headers like "traceparent". This is the current response from your server: "access-control-allow-headers: Origin,X-Requested-With,Accept,Content-Type,X-Frc-Client". As you can see, the "traceparent" header is missing, thus leading to a CORS error and breaking the captcha integration.

We had to disable the trace headers to get it to work again. But would you be so kind as to check if you can allow them in the future?

gzuidhof commented 2 years ago

Just to confirm: I'm happy to accept these headers (and ignore them on the server side) so that this is no longer an issue. I'll close this issue when we ship that in production.

gzuidhof commented 2 years ago

We now accept tracestate and traceparent, see the bottom right of the screenshot :)

Screenshot 2022-09-21 at 13 58 31

@dev-love could you e-mail the requestee informing them?
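
The preflight check behind the failure reported in this thread, as an added example that is not part of the thread or of the friendly-challenge code: it compares the `access-control-request-headers` value quoted in the issue against an `access-control-allow-headers` value, following the Fetch standard's matching rules in simplified form. `parseHeaderList`, `blockedHeaders` and the `ALLOW_AFTER` value are assumptions made for illustration; the production header after the fix is not shown on the page.

```javascript
// Split a comma-separated CORS header value into lowercase header names.
function parseHeaderList(value) {
  return (value || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Return the requested header names the preflight response does not allow.
// Simplified from the Fetch standard: names match case-insensitively,
// "*" allows any header only for non-credentialed requests, and
// "authorization" must always be listed explicitly.
function blockedHeaders(requestHeaders, allowHeaders, withCredentials = false) {
  const requested = parseHeaderList(requestHeaders);
  const allowed = new Set(parseHeaderList(allowHeaders));
  const wildcard = allowed.has("*") && !withCredentials;
  return requested.filter((name) => {
    if (allowed.has(name)) return false;
    if (wildcard && name !== "authorization") return false;
    return true; // one blocked name is enough to fail the whole preflight
  });
}

// Values quoted in the issue.
const REQUESTED = "request-id,traceparent,x-frc-client";
const ALLOW_BEFORE = "Origin,X-Requested-With,Accept,Content-Type,X-Frc-Client";
// Constructed for this example: the quoted list plus the two headers the
// maintainer says are now accepted.
const ALLOW_AFTER = ALLOW_BEFORE + ",Traceparent,Tracestate";

console.log("before:", blockedHeaders(REQUESTED, ALLOW_BEFORE));
console.log("after: ", blockedHeaders(REQUESTED, ALLOW_AFTER));
console.log("W3C only:", blockedHeaders("traceparent,tracestate,x-frc-client", ALLOW_AFTER));
```

Against the quoted pre-fix list, `request-id` is unlisted as well as `traceparent`. Under the constructed post-fix list, a client that sends only the W3C headers passes, while one that still sends `request-id` would not.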