Content Security Policy and Explicitly Rendered ReCaptcha V2


Nate Whidden

Feb 7, 2017, 4:35:43 PM
to reCAPTCHA
Hi, I'm taking the nonce approach as recommended by the FAQ support section to handle the recaptcha with CSP.  Unfortunately the style isn't handled properly when taking this approach.  I receive this error for recaptcha_en.js line 122.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' *.google.com *.gstatic.com 'nonce-78cc7a82539674d84edf758ed1baf288'". Either the 'unsafe-inline' keyword, a hash ('sha256-1kcPi54DjW5KnVpSic90SBIlpyYSkUo4iqRxfy23adY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

I have to set 'unsafe-inline' as a style-src for the recaptcha to load properly even though everything else loads fine using the nonce approach.  Is this a bug or did I forget to add something else?  Would also like to note that I am explicitly rendering the recaptcha if that makes any difference.  Any help would be greatly appreciated.

François André

Aug 10, 2017, 2:28:24 AM
to reCAPTCHA, nwhidd...@gmail.com
Hi,

Unfortunately, I do have the same problem. The script from https://www.google.com/recaptcha/api.js is correctly getting the nonce parameter through:
    // Excerpt from api.js as posted: read the nonce attribute from the loader
    // <script> element and copy it onto the dynamically created script element.
    var nonce = elem && (elem['nonce'] || elem.getAttribute('nonce'));
    if (nonce) {
        po.setAttribute('nonce', nonce);
    }
But there are the same errors while attempting to run the script recaptcha_en.js.

Any help would be appreciated :-)