I continue to get an error stating "Refused to load the script 'https://www.google.com/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src 'self' xxxxxxxxxxxxx". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback." I got the same error when disabling Chrome security via the command chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security. I did see that the Google developer guide says to use a nonce in the reCAPTCHA API script tag. I suspect a server has the policy. How do I get the nonce value? Why can I not disable Chrome security to test my code? I am using an ASP.NET MVC website. I have also tried a meta tag in the view unsuccessfully.

1 Answer


The first thing you need to do is to add www.google.com or https://www.google.com to your script-src directive. Currently it refuses to load the initial script.

You generate a random value for the nonce. Seems like you need to insert it into the script tag. You also have to insert it into your CSP.
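The steps in the answer above, sketched for classic ASP.NET MVC (System.Web.Mvc) as an added example that is not part of the original answer. The filter name `CspNonceAttribute`, the `CspNonce` item key and the `RecaptchaScript` helper are hypothetical names, and the policy shown contains only the sources the answer mentions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: register it globally or put [CspNonce] on a controller.
public class CspNonceAttribute : ActionFilterAttribute
{
    public const string ItemKey = "CspNonce"; // hypothetical HttpContext.Items key

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // A fresh, unpredictable value for every response: 16 bytes from the CSPRNG.
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string nonce = Convert.ToBase64String(bytes);

        // Hand the value to the view that renders the script tag.
        filterContext.HttpContext.Items[ItemKey] = nonce;

        // The same value goes into the policy, next to the Google origin.
        string policy = "script-src 'self' https://www.google.com 'nonce-" + nonce + "'";
        filterContext.HttpContext.Response.AddHeader("Content-Security-Policy", policy);

        base.OnActionExecuting(filterContext);
    }
}

public static class CspNonceHtml
{
    // Razor usage: @Html.RecaptchaScript()
    public static IHtmlString RecaptchaScript(this HtmlHelper html)
    {
        var nonce = (string)html.ViewContext.HttpContext.Items[CspNonceAttribute.ItemKey];
        var tag = new TagBuilder("script");
        tag.MergeAttribute("src", "https://www.google.com/recaptcha/api.js");
        tag.MergeAttribute("nonce", nonce); // must match the header value exactly
        return new HtmlString(tag.ToString());
    }
}
```

When a response carries more than one Content-Security-Policy (a second header set by IIS or a proxy, or a meta tag in the view), the browser enforces all of them, so a stricter policy set upstream has to be changed at its source rather than supplemented from the application.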
