Gábor DANI

Reputation: 2135

Google ReCaptcha CSP eval violation despite a correct nonce?

I have the following CSP header:

script-src 'self' *.google.com *.googletagmanager.com *.google-analytics.com 'nonce-XXXXXX'; style-src 'self' 'unsafe-inline' *.googleapis.com *.gstatic.com; img-src 'self' *.google-analytics.com; font-src https://fonts.gstatic.com/; object-src 'none'; connect-src 'self' wss:; frame-ancestors 'none'; report-uri XXXX;

The site is currently running under

https://127.0.0.1/test/

The script:

<script async defer src="https://www.google.com/recaptcha/api.js?render=explicit" 
 nonce="XXXXXX"></script>

Upon loading the page that contains the captcha or submitting the form, I got a bunch of reports, containing the following error:

blocked-uri eval
column-number   8
document-uri    https://127.0.0.1/test/
line-number 27
original-policy script-src 'nonce-06119715-2ed2-42ae-99b1-edf58ab76283' 'nonce-8834c239-fa22-4e70-965d-8134dc20ae4e'; style-src 'self'; img-src 'self'; font-src https://fonts.gstatic.com/; object-src 'none'; report-uri https://127.0.0.1/test/csp-report
referrer    
source-file blob:https://127.0.0.1/47fba858-3af0-4468-a1fe-32e077414fc1
violated-directive  script-src

If I allow 'unsafe-inline', the reports disappear. What am I doing wrong?

I am following the instructions on the page reCAPTCHA with Content Security Policy, but without success.

Upvotes: 1

Views: 2212
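As an added example (not code from the question or from Google's reCAPTCHA documentation), here is a small Python triage helper for reports in the report-uri JSON format. It parses the policy carried in the report, classifies what was blocked, and checks whether the governing directive actually contains the source expression that would allow it; it also diffs the header you believe you are sending against the original-policy the browser echoes back, which is the first thing worth checking when a report looks inconsistent with your configuration. The sample report is constructed from the values quoted above, the CONFIGURED_HEADER constant is the header from the question with its placeholders kept, and the function names are this example's own.

```python
"""Triage helper for CSP violation reports (report-uri JSON format).

Added example; not code from the question or from Google's reCAPTCHA docs.
SAMPLE_REPORT is constructed from the report fields quoted in the question.
"""
import json

# The original-policy string exactly as it appears in the quoted report.
REPORTED_POLICY = (
    "script-src 'nonce-06119715-2ed2-42ae-99b1-edf58ab76283' "
    "'nonce-8834c239-fa22-4e70-965d-8134dc20ae4e'; style-src 'self'; "
    "img-src 'self'; font-src https://fonts.gstatic.com/; "
    "object-src 'none'; report-uri https://127.0.0.1/test/csp-report"
)

# Constructed from the report fields quoted in the question.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "blocked-uri": "eval",
        "column-number": 8,
        "document-uri": "https://127.0.0.1/test/",
        "line-number": 27,
        "original-policy": REPORTED_POLICY,
        "referrer": "",
        "source-file": "blob:https://127.0.0.1/47fba858-3af0-4468-a1fe-32e077414fc1",
        "violated-directive": "script-src",
    }
})

# The header the question says is configured (placeholders kept as on the page).
CONFIGURED_HEADER = (
    "script-src 'self' *.google.com *.googletagmanager.com *.google-analytics.com "
    "'nonce-XXXXXX'; style-src 'self' 'unsafe-inline' *.googleapis.com *.gstatic.com; "
    "img-src 'self' *.google-analytics.com; font-src https://fonts.gstatic.com/; "
    "object-src 'none'; connect-src 'self' wss:; frame-ancestors 'none'; report-uri XXXX;"
)


def parse_csp(policy):
    """Serialized policy -> {directive: [source expressions]} (names lowercased)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(policy, directive):
    """Sources governing `directive`; fetch directives fall back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def triage(report_json):
    """Classify one report: what was blocked and whether the policy allows it."""
    body = json.loads(report_json)["csp-report"]
    policy = parse_csp(body["original-policy"])
    # Older browsers put the whole directive text here; keep only the name.
    directive = body["violated-directive"].split()[0].lower()
    sources = effective_sources(policy, directive)
    blocked = body.get("blocked-uri", "")
    nonces = [s for s in sources if s.startswith("'nonce-")]
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    result = {
        "directive": directive,
        "blocked_uri": blocked,
        "source_file": body.get("source-file", ""),
        "nonce_count": len(nonces),
        # CSP Level 2: 'unsafe-inline' is ignored once a nonce or hash is present.
        "unsafe_inline_ignored": "'unsafe-inline'" in sources and bool(nonces or hashes),
    }
    if blocked == "eval":
        # eval()/new Function() are governed only by 'unsafe-eval'; a nonce on the
        # <script> tag does not cover them, so a correct nonce still yields this report.
        result["kind"] = "eval"
        result["allowed_by_policy"] = "'unsafe-eval'" in sources
    elif blocked == "inline":
        result["kind"] = "inline"
        result["allowed_by_policy"] = "'unsafe-inline'" in sources and not (nonces or hashes)
    else:
        result["kind"] = "fetch"
        result["allowed_by_policy"] = None  # host-source matching is out of scope here
    return result


def changed_directives(configured, reported):
    """Directives whose source lists differ between the header you think you send
    and the original-policy the browser reports. A non-empty list means the
    report was produced under a different policy than the one being reviewed."""
    a, b = parse_csp(configured), parse_csp(reported)
    return sorted(d for d in set(a) | set(b) if a.get(d) != b.get(d))


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
    print("directives that differ:", changed_directives(CONFIGURED_HEADER, REPORTED_POLICY))
```

Run against the quoted report, `triage` returns kind `eval` with `allowed_by_policy` False, because neither nonce in script-src says anything about `eval()`; only `'unsafe-eval'` does. `changed_directives` also shows that the policy echoed in the report is not the header quoted in the question (it lacks `'self'`, the Google hosts, `connect-src` and `frame-ancestors`), so the report endpoint is worth checking for which response actually carried the policy.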

Answers (1)

garri dine

Reputation: 1

Why don't you simply use nonces for the Google reCAPTCHA? No need to allow unsafe-eval in your Content Security Policy (CSP).

Upvotes: 0
