Make 3rd party captcha scripts working

[jaroslawjelonek]

I wanted to add captcha to my custom webform hosted on developer portal (using Google or Cloudflare). When in editor mode captcha scripts work fine but after publishing on desired page it is not working. I would be nice to have better control over iframe (sandbox property in particular). Captcha is inserted as custom HTML widget type.
Playing around with the published page's HTML and temporarily removing the sandbox property allows the CAPTCHA to start working

[jaroslawjelonek]

I will add more details here for captcha solution offered by Cloudflare as it is last one I tried and I can check details in developer portal. Solutions docs: Get started with Turnstile · Cloudflare Turnstile docs and also demo from Cloudflare: Turnstile ‐ Dummy Login Demo . In my case captcha was added as ‘Custom HTML code’ section to our developer portal page. While editing page I can see that captcha works as expected – I can see visual confirmation that script run and I am not a bot 😉.

Once I publish this page and then visit it like any other visitor would I still can see input boxes and submit button but the captcha script is not triggering at all.

Furter investigation:
In browser console there are warnings and errors mentioning cross-origin issue.

I can play around with publish page using browser’s dev tools and temporarily manipulate HTML code of <iframe> especially focusing on sandbox attribute. Both removing sandox completely or inserting “allow-same-origin” makes captcha script trigger right away.
Desired solution:
In developer portal editor - for “Custom HTML code” make it possible to control weather allow-same-origin should be enabled or not.