My issue turned out to be a malformed location block in my nginx config. Changing it to the following allowed the necessary ‘Access-Control-Allow-Origin’ header:
location = /app/plugins/altcha-spam-protection/public/altcha.min.js {
add_header "Access-Control-Allow-Origin" "*" always;
}
@tw2113 thanks for looking into this! Sounds like unset_param_callback_cache() is only meant as a core helper function then. With that in mind I’ll consider my current solution as good enough for now.
