reCAPTCHA initialization error on Safari iOS 16+

When loading a page with reCAPTCHA on Safari for iOS 16 and above (e.g. user agent Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1), the request https://www.google.com/recaptcha/api2/pat returns 401 and reCAPTCHA initialization fails.

Additional details can be found in this GitHub issue https://github.com/google/recaptcha/issues/561 (49 upvotes), but I ask the participants to comment here too.


This is working as intended and does not affect reCAPTCHA's functionality or performance on the page. The response code can be safely ignored.

@faube so all the users of this feature are served this undocumented error, that sounds like something is actually broken. I've spent like an hour investigating what's wrong. Apparently there are many more users that come across the issue and also did so (see GitHub issue).

And the response is 'The response code can be safely ignored.'?
If it can be safely ignored, then the error should be handled gracefully and stop logging an error to the console. This issue could possibly have wasted thousands of developer hours.
I'm using enterprise captcha and I'm affected by the same issue too.

Safely ignored? Seriously?

If new browser safety features introduce new errors to the users then we need to adapt to them. If a man with a huge hammer would stand next to your entrance door and after calling the emergency services, the police would say you 'Could safely ignore him', would you 'Safely ignore him' or raise a flag and escalate it?

This response is simply brushing away the initial request, which I find uncanny coming from an "enterprise" solution, by the way.

Yes, Safari does block the request to obtain the reCAPTCHA JavaScript API because of a cross-domain request. And no, the response code cannot be "safely ignored" considering that a token cannot be obtained on a front-end application to be validated on the back-end.

Maybe this is fine for anyone using the SDK, but it is not if you request this api for javascript. 

This issue creates a lot of problems for companies relying on your solutions to provide safety to their customers. This cannot be simply brushed away the way you just did.

Is there any workaround in place?

It came to my attention that the issue also occurs for another Google solution, Google Tag Manager, for which a workaround solution is now in place and provided by Google.

Hey, a cross-domain request is not the same as the PAT; if you're getting another error when trying to load the api.js, that's bad! Two separate problems here. Thomas, if you can't load the recaptcha javascript, that's not the PAT; could you provide a reproduction, either a demo I could visit or a video, and I could maybe try to troubleshoot?

Regarding the PAT, the PAT request does not prevent a recaptcha token from being generated; if you're having trouble generating a token, the PAT is a red herring and something else is wrong with your integration. The PAT request is our use of an iOS feature called private access tokens: https://developer.apple.com/news/?id=huqjyh7k, which uses a 401 www-auth header to prompt your device to generate a fancy crypto token that is opaque to us but allows us to trust your device more. Not all devices are able to produce a PAT every time, and there's not a way to check without issuing the header! We don't have any public docs about this atm, but I will work to put together something that clarifies. Thanks for understanding!
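
The distinction drawn in the reply above (a 401 on `/recaptcha/api2/pat` is the Private Access Token challenge, while any other failing reCAPTCHA request is a separate problem), as an added example that is not part of the thread or Google's code: it classifies failed requests taken from a HAR export or proxy log. It assumes the challenge uses the `PrivateToken` scheme of RFC 9577; the function names, site key and header values are constructed.

```javascript
// Added example (not from the thread). Sample entries are constructed.
const PAT_PATH = "/recaptcha/api2/pat";

// Extract PrivateToken challenge parameters (RFC 9577) from a
// WWW-Authenticate value; returns null when the scheme is not offered.
// Assumes the header carries a single challenge.
function parsePrivateTokenChallenge(value) {
  if (typeof value !== "string") return null;
  const scheme = /^\s*PrivateToken\s+(.+)$/i.exec(value);
  if (!scheme) return null;
  const params = {};
  const re = /([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/g;
  for (const m of scheme[1].matchAll(re)) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return params.challenge ? params : null;
}

// Classify one failed request from the capture.
function classifyFailure({ url, status, wwwAuthenticate }) {
  let u;
  try { u = new URL(url); } catch (e) { return "unrelated"; }
  if (u.hostname !== "www.google.com" || !u.pathname.startsWith("/recaptcha/")) {
    return "unrelated";
  }
  if (u.pathname === PAT_PATH && status === 401) {
    // The header may be missing from the capture; only distrust the 401
    // when a header is present and is not a PrivateToken challenge.
    if (wwwAuthenticate === undefined) return "expected-pat-challenge";
    return parsePrivateTokenChallenge(wwwAuthenticate)
      ? "expected-pat-challenge" : "investigate";
  }
  return "investigate"; // e.g. api.js or /api2/clr failing: a separate problem
}

// Constructed sample capture; SITE_KEY and header values are placeholders.
const sample = [
  { url: "https://www.google.com/recaptcha/api2/pat?k=SITE_KEY", status: 401,
    wwwAuthenticate: 'PrivateToken challenge="AAIAGXBhdA==", token-key="MIIBUjA9"' },
  { url: "https://www.google.com/recaptcha/api2/clr?k=SITE_KEY", status: 0 },
  { url: "https://www.google.com/recaptcha/api.js", status: 0 },
  { url: "https://cdn.example.test/app.js", status: 404 },
];

function triage(entries) {
  return entries.map((e) => ({ url: e.url, verdict: classifyFailure(e) }));
}

console.log(triage(sample));
```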

In this Google recaptcha example page on Safari the error appears as well in JS Console after a couple page refreshes. Could you tell us what to do with the error?

https://www.google.com/recaptcha/api2/demo

Do you mean the PAT error? As mentioned, it's working as intended and you shouldn't do anything with it 😀

Thank you for your answer.
Devices that were blocking the request initially are now producing the "PAT" so I cannot replicate anymore unfortunately.

But the "PAT" is still a very inconvenient issue, it seems that requests with a red error for the "PAT" request do not produce a high score, or will do so very randomly. We have made a temporary workaround to reduce our score expectations from 0.8 to 0.4 on Safari devices until we find a more suitable solution.

So yes please provide further documentation on the PAT error and possible workaround along with "Request an assessment" or "Interpreting the score" as it can be quite an unexpected error to come through on production environments.

Does it help the "PAT" error to provide the optional UserAgent attribute as part of the assessment request for example?

Hello,

have you found a workaround?

This issue can be consistently replicated by throttling the network speed to "3G" (iPhone iOS Settings - Developer > Network Link Conditioner OR Chrome Developer tools Network tab), since this is what some mobile users' network is using, or they are not on a Wi-Fi connection.

  1. Failed to load resource: the server responded with a status of 401 () https://www.google.com/recaptcha/api2/pat?k=6LdiZ_LqAAAAAEyu6Eq7WTNAoZFy4UgO4qWFaFHx
  2. XMLHttpRequest cannot load https://www.google.com/recaptcha/api2/clr?k=6LdiZ_lqAAAAAEyu6Eq7WTNAoZFy4UgO4qWFaFHx due to recaptcha_en.js:812:407 access control checks.

Thank you for your help!

I too am getting this error and the tick box is not clickable.

Easy to replicate: go to <URL Removed by Staff> in dev tools Chrome with browser mode. Help would be appreciated.