New reCaptcha site check Google does not return response

I am doing site validation upon receipt of g-recaptcha-response through user validation.

I am sending xhr POST with parameters and getting 200 OK, but REPORTING ANSWER is as it should be:

{
  "success": true|false,
  "error-codes": [...]   // optional
}

      

code

<script type='text/javascript'>
var onReturnCallback = function(response) {
    document.getElementById('resp').innerHTML = response; // works well
    //alert('grecaptcha.getResponse() = ' + grecaptcha.getResponse()); // works well too
    $.post("https://www.google.com/recaptcha/api/siteverify",
        {
            secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            response: response,
            remoteip: "<?php echo $ip;?>" // optional, does not influence an empty result
        }).complete(function(data) {
            alert("Data returned from POST: " + data.toString());
            console.dir(data);
        });
};
</script>

Form.

<form method="post">
    <div class="g-recaptcha" data-sitekey="6LdYKQkTAAAAAD9K6-kHspFUPUnftw1RxP5_awi0" data-callback="onReturnCallback" data-theme="light"></div>
    <input name="send" type="submit" />
</form>

      

The object I am printing to the console is completely blank (except statusText='error'), see screenshot.

There is another error in the console:

XMLHttpRequest cannot load https://www.google.com/recaptcha/api/siteverify. The requested resource does not have an "Access-Control-Allow-Origin" header. Origin 'http://tarex.com' is therefore not allowed.

How to deal with this? Can I change the title of the source? How to check?

link to the demo.

+3




2 answers


It is not possible to make XHR ("AJAX requests") to hosts other than those serving the website due to the so-called "same-origin policy" (SOP) to prevent XSS attacks.

However, you can post messages to the reCaptcha site from a PHP proxy that you run on your own host. An example of this is in this answer. It also prevents your secret from being exposed to people who are viewing your source code on the client side.



Another possibility (depending on the service you want to use) is JSONP. Since XHR is not allowed, but scripts are not loaded from foreign hosts, it is possible to add the name of the callback function via query parameters to the script url. This function is then called as soon as the foreign resource is loaded. But as far as I know, reCaptcha doesn't support JSONP.

+2
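The server-side proxy this answer describes, as an added example (not code from the original post or the linked answer). The file name verify.php, the RECAPTCHA_SECRET environment variable and the proxy-* error codes are assumptions.

```php
<?php
// verify.php (hypothetical name): same-origin endpoint the browser posts the
// g-recaptcha-response token to; the server then asks Google to verify it.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

function verify_recaptcha(string $secret, string $token, ?string $remoteIp = null): array
{
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp; // optional parameter
    }
    $ch = curl_init(SITEVERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Network/TLS failure: fail closed. "proxy-*" codes are this example's own.
        return ['success' => false, 'error-codes' => ['proxy-request-failed']];
    }
    $result = json_decode($body, true);
    if (!is_array($result) || !isset($result['success'])) {
        return ['success' => false, 'error-codes' => ['proxy-bad-response']];
    }
    return $result;
}

header('Content-Type: application/json');
$secret = getenv('RECAPTCHA_SECRET'); // assumed env var; never sent to the client
$token  = $_POST['response'] ?? '';
if ($secret === false || $secret === '') {
    http_response_code(500);
    $result = ['success' => false, 'error-codes' => ['proxy-misconfigured']];
} elseif (!is_string($token) || $token === '') {
    http_response_code(400);
    $result = ['success' => false, 'error-codes' => ['proxy-missing-token']];
} else {
    $result = verify_recaptcha($secret, $token, $_SERVER['REMOTE_ADDR'] ?? null);
}
// Return only the two fields shown in the question, in the same shape.
echo json_encode([
    'success'     => ($result['success'] ?? false) === true,
    'error-codes' => $result['error-codes'] ?? [],
]);
```

The `onReturnCallback` in the question would post only `response` to this endpoint on its own origin, which avoids the cross-origin error and keeps `secret` out of the page source. The handler that finally processes the form should call `verify_recaptcha()` itself rather than rely on what the browser reports.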




reCaptcha supposedly supports jsonp as the legal value for the dataType parameter.



0

