The New Recaptcha: GET Request

[Ethan D]

I was trying to send a get request to https://www.google.com/recaptcha/api/siteverify (with the required parameters) and I got a CORS-related error. The error said No 'Access-Control-Allow-Origin' header is present on the requested resource. I know what this means, but why doesn't Google allow XMLHttpRequests? Thanks for the help.

[James Turner]

Google allows them just fine, your browser does not.

I can only assume you're attempting to verify the captcha via javascript.

Most modern browsers will attempt an OPTION call prior to the GET request if you are attempting XMLHttpRequests to foreign hosts (i.e. not the current domain).

Obviously google rejects OPTION requests and isn't going to specify your domain in their Access-Control-Allow-Origin header even if they do accept OPTION requests.

In summary, perform the validation request server side, not client side.