Skip to main content

How to resolve Cloudflare Turnstile 401 errors and Content-Security-Policy issues causing slow MS login on Webflow?

Hi Memberstack Team,
We’re observing a 6 - 10 second input delay on our Memberstack login form hosted on Webflow. The browser console is showing errors related to Cloudflare and Content-Security-Policy (CSP), which seem to be the cause.

Here’s a sample of the console output:
Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed...
...
XHRGET https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/pat/... [HTTP/2 401]
Additional error we’re seeing multiple times:
Request for the Private Access Token challenge.
Feature Policy: Skipping unsupported feature name “cross-origin-isolated”

For context, our setup uses Webflow as a parent page to authenticate users with Memberstack. It then passes a session token to our React application, which runs in an iframe on that page on a different domain. The JWT is exchanged for a session token and verified with Memberstack via the REST API. The communication happens via postMessage.

  • Could you help us understand the following?
  • Why might we see Cloudflare challenge errors (401s) when we’re only using Webflow’s native hosting?
  • What is the recommended way to resolve CSP errors related to inline scripts on Webflow?
  • Is our architecture (Webflow parent passing tokens to a React iframe) a supported approach?
  • Are the Cloudflare Turnstile challenges coming from Memberstack’s implementation, and if so, can they be configured or disabled during development?

Any information you can provide on resolving these errors would be helpful.

Thank you,

2 comments

  • A J
    A J

    Hey Michael Feld, have you enabled Bot protection for your Webflow forms under the Site settings --> Forms --> Cloudflare Turnstile spam protection section (as shown in screenshot). The cloudflare errors might crop up from there, if its enabled.

    That being said, as per the Turnstile documentation, the 401 errors are expected (as per their design to block form submission spam) and should not be an issue for the site.

    0
  • Michael Feld
    Michael Feld OP

    That’s it, thank you!

    0

Please sign in to leave a comment.

Sitemap