Use reCAPTCHA with a strict Content Security Policy


Erik Larsson

Dec 7, 2012, 6:35:43 PM
to reca...@googlegroups.com
I want to use reCAPTCHA on a site on which we use a very strict content security policy. In order to avoid XSS, no JavaScript is allowed to execute on the same domain as where the HTML is kept (i.e. no 'unsafe-inline', 'unsafe-eval' and no 'self'). Is there any way to achieve this using reCAPTCHA?

The script loaded by the API (https://www.google.com/recaptcha/api/js/recaptcha.js) seems to contain a few things that are not allowed:
- Inline 'javascript:' URLs:
  c("recaptcha_reload", "refresh", "refresh_btn", "javascript:Recaptcha.reload();");
  c("recaptcha_switch_audio", "audio", "audio_challenge", "javascript:Recaptcha.switch_type('audio');");
  c("recaptcha_switch_img", "text", "visual_challenge", "javascript:Recaptcha.switch_type('image');");
- Illegal use of setTimeout:
  setInterval('Recaptcha.reload("t");', a);
- Inline JavaScript code:
  document.write('<script>Recaptcha.widget = Recaptcha.$("recaptcha_widget_div"); Recaptcha.challenge_callback();<\/script>')

Is there a way to use reCAPTCHA natively without having to allow inline scripting and eval? If not, are there any plans to update reCAPTCHA to allow a stricter policy?
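As an added illustration (not part of the thread), the following script scans a JavaScript source for the three kinds of construct listed above and reports which CSP keywords a policy would have to grant for each. The sample input is constructed from the fragments quoted in the post plus one function-argument timer that a strict policy does allow.

```python
import re

# Constructed sample: the fragments quoted from recaptcha.js in the post,
# plus a setTimeout with a function argument, which needs no 'unsafe-eval'.
SAMPLE_JS = r'''
c("recaptcha_reload", "refresh", "refresh_btn", "javascript:Recaptcha.reload();");
setInterval('Recaptcha.reload("t");', a);
document.write('<script>Recaptcha.widget = Recaptcha.$("recaptcha_widget_div"); Recaptcha.challenge_callback();<\/script>')
var ok = setTimeout(function () { Recaptcha.reload(); }, 1000);
'''.strip()

PATTERNS = {
    # A javascript: URL in an href is inline script: blocked without 'unsafe-inline'.
    "javascript-url": re.compile(r"""["']javascript:"""),
    # A string passed to setTimeout/setInterval is evaluated like eval():
    # blocked without 'unsafe-eval'.
    "string-timer": re.compile(r"""\b(setTimeout|setInterval)\s*\(\s*["']"""),
    # document.write of a <script> element creates an inline script:
    # blocked without 'unsafe-inline'.
    "inline-script-write": re.compile(
        r"""document\.write\s*\(\s*["'][^)]*<script""", re.IGNORECASE),
}


def find_csp_violations(js_source):
    """Return (line_no, kind, line) for every construct that a CSP without
    'unsafe-inline' / 'unsafe-eval' would block."""
    findings = []
    for no, line in enumerate(js_source.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((no, kind, line.strip()))
    return findings


def required_csp_keywords(findings):
    """Map the findings to the CSP keywords the policy would have to grant."""
    needed = set()
    for _, kind, _ in findings:
        needed.add("'unsafe-eval'" if kind == "string-timer" else "'unsafe-inline'")
    return sorted(needed)


if __name__ == "__main__":
    hits = find_csp_violations(SAMPLE_JS)
    for no, kind, line in hits:
        print(f"line {no}: {kind}: {line[:60]}")
    print("policy would need:", ", ".join(required_csp_keywords(hits)))
```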

Dom Sekotill

Dec 10, 2012, 7:05:33 AM
to reca...@googlegroups.com
The reCAPTCHA API is very simple; you can reverse engineer the widget JavaScript to insert the image where you wish or play the audio. Just remember to say somewhere near it that it uses reCAPTCHA.

Erik Larsson

Dec 10, 2012, 2:34:16 PM
to reca...@googlegroups.com
That's what we do right now, but since that requires us to parse the challenge/question server-side, it's not really a reliable long-term solution. One small change in the API could take down our prod environment, which I'm not very comfortable with. Another flaw is that we need to keep the reCAPTCHA JS file locally rather than loading it from the Google servers. That means all future updates must be merged in locally rather than pushed from the server.

It seems like there are no huge changes that need to be made to the API, and it would be great to be able to use reCAPTCHA without having to allow inline JavaScript.

Caleb Queern

Aug 24, 2013, 12:47:21 AM
to reca...@googlegroups.com
Erik, did you ever find a reliable long-term solution you were pleased with for using reCAPTCHA and CSP?