Aran Bins

Reputation: 488

ReCAPTCHA is generating Content Security Policy warnings

I implemented reCAPTCHA v3 on my website and all is working fine; I'm getting a score back and everything on the server side.

However, I'm getting tons of Content Security Policy warnings in the console (Firefox):

Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

No idea why I'm getting these. I just implemented v3 as usual.

In the head tag:

<script src='https://www.google.com/recaptcha/api.js?render=SITEKEYHERE'></script>

In the body tag:

<form id="loginForm" action="test.php" method="post"> 

    ...

    <input type='hidden' name='recaptcha_response' id='recaptchaResponse'>

</form> 

...

<script src="https://www.google.com/recaptcha/api.js?render=SITEKEYHERE"></script>
<script>
    grecaptcha.ready(function () {
        grecaptcha.execute('SITEKEYHERE', { action: 'login' }).then(function (token) {
            var recaptchaResponse = document.getElementById('recaptchaResponse');
            recaptchaResponse.value = token;
        });
    });
</script>

I'm expecting there to be no warnings at all, yet I'm getting 6.

Upvotes: 12

Views: 11654

Answers (2)

Ehsan Paknejad

Reputation: 698

This warning cannot be fixed and you just have to ignore it. This is a problem between the browser and Google, and on the whole internet there is no solution to clear it from your console.

More info is in: https://stackoverflow.com/a/55835120/16212595

and https://www.reddit.com/r/firefox/comments/fpptyj/firefox_content_security_policy_console_output/

Upvotes: 0

anittas joseph

Reputation: 41

Please refer to this example code to add this in your head tag:

Content-Security-Policy: script-src 'self' https://apis.google.com

You will get more information from this page: https://developers.google.com/web/fundamentals/security/csp/

Also fix the mixed content errors

Upvotes: 0
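Why a browser prints the messages quoted in the question, as an added example that is not part of the original posts: under CSP Level 3, a `script-src` containing 'strict-dynamic' makes the browser ignore 'unsafe-inline', 'self', and scheme or host sources, which policies typically keep only as fallbacks for older browsers. The sample policy is constructed and the function names are hypothetical.

```javascript
// Constructed sample policy (not captured from a real response); the nonce is a placeholder.
const SAMPLE_POLICY =
  "script-src 'nonce-PLACEHOLDER' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval'; " +
  "object-src 'none'";

// Split a serialized policy into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Nonce and hash sources are what 'strict-dynamic' relies on, so they stay active.
function isNonceOrHash(source) {
  return /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_=-]+'$/i.test(source);
}

// Return the script-src expressions a CSP Level 3 browser ignores because
// 'strict-dynamic' is present. Empty array when 'strict-dynamic' is absent.
function ignoredUnderStrictDynamic(policy) {
  const directives = parsePolicy(policy);
  // script-src falls back to default-src when it is not set.
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  if (!sources.some((s) => s.toLowerCase() === "'strict-dynamic'")) return [];
  return sources.filter((source) => {
    const s = source.toLowerCase();
    if (isNonceOrHash(source)) return false;
    if (s === "'unsafe-inline'" || s === "'self'") return true;
    if (s.startsWith("'")) return false; // other keywords such as 'unsafe-eval'
    return true; // scheme sources (https:) and host sources
  });
}

// Format the result the way the console output quoted in the question reads.
function explain(policy) {
  return ignoredUnderStrictDynamic(policy).map(
    (source) => `Ignoring "${source}" within script-src: 'strict-dynamic' specified`
  );
}

console.log(explain(SAMPLE_POLICY).join('\n'));
```

A policy without 'strict-dynamic', such as the `script-src 'self' https://apis.google.com` value quoted in the second answer, yields an empty list.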
