Description
Turnstile's invisible mode generates a large volume of console errors and warnings that are entirely internal to the challenges.cloudflare.com iframe. While these don't block functionality, they spam the developer console and create confusion for developers and QA teams who see a "wall of red" on every page load.
Errors observed
All originating from challenges.cloudflare.com/cdn-cgi/challenge-platform/...:
[Violation] Permissions policy violation: xr-spatial-tracking is not allowed in this document (repeated ~20x)This document requires 'TrustedHTML' assignment. The action has been blocked. (repeated ~6x)This document requires 'TrustedScript' assignment. The action has been blocked. (repeated ~12x)This document requires 'TrustedScriptURL' assignment. The action has been blocked. (repeated ~6x)Executing inline script violates the following Content Security Policy directive 'script-src 'nonce-...' 'unsafe-eval'' (from about:srcdoc)Request for the Private Access Token challenge. (info)
Environment
- Turnstile mode: Invisible (
appearance: "interaction-only")
- API: Direct
challenges.cloudflare.com/turnstile/v0/api.js
- Browsers: Chrome 130+, Edge 130+ (Chromium-based)
- Site CSP: Has
Permissions-Policy: xr-spatial-tracking=() — makes no difference since the violation originates inside Turnstile's own iframe
Steps to reproduce
- Add an invisible Turnstile widget to any page
- Open the browser developer console
- Load the page
- Observe 50+ errors/warnings from
challenges.cloudflare.com
Expected behavior
Turnstile's internal challenge iframe should not emit console errors visible to the parent document's developer console.
Impact
- Developers see 50+ red errors on every page load, making it hard to spot real issues
- QA teams flag these as bugs repeatedly
- No workaround exists since errors originate in Cloudflare's own iframe
Description
Turnstile's invisible mode generates a large volume of console errors and warnings that are entirely internal to the
challenges.cloudflare.comiframe. While these don't block functionality, they spam the developer console and create confusion for developers and QA teams who see a "wall of red" on every page load.Errors observed
All originating from
challenges.cloudflare.com/cdn-cgi/challenge-platform/...:[Violation] Permissions policy violation: xr-spatial-tracking is not allowed in this document(repeated ~20x)This document requires 'TrustedHTML' assignment. The action has been blocked.(repeated ~6x)This document requires 'TrustedScript' assignment. The action has been blocked.(repeated ~12x)This document requires 'TrustedScriptURL' assignment. The action has been blocked.(repeated ~6x)Executing inline script violates the following Content Security Policy directive 'script-src 'nonce-...' 'unsafe-eval''(fromabout:srcdoc)Request for the Private Access Token challenge.(info)Environment
appearance: "interaction-only")challenges.cloudflare.com/turnstile/v0/api.jsPermissions-Policy: xr-spatial-tracking=()— makes no difference since the violation originates inside Turnstile's own iframeSteps to reproduce
challenges.cloudflare.comExpected behavior
Turnstile's internal challenge iframe should not emit console errors visible to the parent document's developer console.
Impact