Content Security Policy (CSP) with recaptcha v2


sebasti...@gmail.com

Dec 3, 2014, 1:11:47 PM
to reca...@googlegroups.com
Hi,

as I couldn't find any hints in the official documentation, does anybody know the correct way of using the new reCAPTCHA API with a strict CSP?
So far I only found several URLs which have to be whitelisted by trial and error with the developer console of the browser, but that approach is rather error-prone, as you can easily miss URLs given the large number of different display options (the memory for mobile devices probably also needs a lot of resources, etc.). Especially if the API implementation changes, this can cause severe issues.

Regards,
Sebastian

Sean Fujiwara

Dec 3, 2014, 11:41:10 PM
to reca...@googlegroups.com
I also had to modify my CSP, so I think it would be nice to have a note in the documentation.

Sebastian, are you seeing anything besides "www.gstatic.com"?

Sean

sebasti...@gmail.com

Dec 4, 2014, 4:52:09 AM
to reca...@googlegroups.com
So far I've seen the following URLs which I had to allow:
iframe content from https://www.google.com/recaptcha/
images from https://ssl.gstatic.com/
scripts from https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://apis.google.com/js/

Furthermore, for styles 'unsafe-inline' has to be allowed.

Sebastian

sebasti...@gmail.com

Dec 4, 2014, 5:06:51 AM
to reca...@googlegroups.com
To make things worse, I just found out that it seems to load different scripts when using different browsers. The previously stated URLs are valid for Firefox 34.
Chrome 39 seems to also load scripts from the following URLs: https://www.google.com/js/ https://apis.google.com/_

Probably the complete domains have to be whitelisted in order to work in all browsers, but that's a lot of testing work :(
(Note that in order to use the paths, CSP >= 1.1 is required anyway.)
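The following is an added illustration, not code from the thread or from Google: it assembles a CSP from the sources Sebastian listed for Firefox 34 and implements a simplified CSP 1.1 source matcher (scheme, host, path prefix; no wildcard hosts or ports) so one can check offline which of the URLs seen in other browsers such a path-restricted policy would block. The policy string, the origin `https://example.invalid` and all URLs below are constructed examples, and source expressions are assumed to carry a scheme.

```python
"""Check which URLs a path-restricted CSP admits. Added example, not from the thread."""
from urllib.parse import urlsplit

# Constructed policy built from the sources reported for Firefox 34 in the thread.
RECAPTCHA_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.google.com/recaptcha/ "
    "https://www.gstatic.com/recaptcha/ https://apis.google.com/js/; "
    "frame-src https://www.google.com/recaptcha/; "
    "img-src 'self' https://ssl.gstatic.com/; "
    "style-src 'self' 'unsafe-inline'"
)


def parse_csp(policy):
    """Return {directive: [source expressions]} from a serialized policy string."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins, as in browsers
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(expr, url, origin):
    """Simplified CSP 1.1 matching: scheme, exact host, then path handling."""
    if expr == "'self'":
        expr = origin
    if expr.startswith("'"):  # keywords like 'unsafe-inline' never match a URL
        return False
    e, u = urlsplit(expr), urlsplit(url)
    if e.scheme and e.scheme != u.scheme:
        return False
    if e.hostname != u.hostname:
        return False
    if e.path in ("", "/"):  # host-only source: any path on that host
        return True
    if e.path.endswith("/"):  # directory path: prefix match
        return u.path.startswith(e.path)
    return u.path == e.path  # file path: exact match


def csp_allows(policy, directive, url, origin="https://example.invalid"):
    """True if `url` may load under `directive`, falling back to default-src."""
    d = parse_csp(policy)
    sources = d.get(directive, d.get("default-src", []))
    return any(source_matches(s, url, origin) for s in sources)


def blocked_urls(policy, directive, urls, origin="https://example.invalid"):
    """Return the subset of `urls` the policy would refuse for `directive`."""
    return [u for u in urls if not csp_allows(policy, directive, u, origin)]
```

Running `blocked_urls` over script URLs under the additional paths Sebastian saw in Chrome 39 shows they are refused by the Firefox-derived policy, which is the trial-and-error gap the thread describes.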