12

I implemented reCAPTCHA v3 on my website, all is working fine, I'm getting a score back and everything on the server-side.

However, I'm getting tons of Content Security Policy warnings in the console (Firefox):

Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

No idea why I'm getting these. I just implemented v3 as usual.

In the head tag:

<script src='https://www.google.com/recaptcha/api.js?render=SITEKEYHERE'></script>

In the body tag:

<form id="loginForm" action="test.php" method="post"> 

    ...

    <input type='hidden' name='recaptcha_response' id='recaptchaResponse'>

</form> 

...

<script src="https://www.google.com/recaptcha/api.js?render=SITEKEYHERE"></script>
<script>
    grecaptcha.ready(function () {
        grecaptcha.execute('SITEKEYHERE', { action: 'login' }).then(function (token) {
            var recaptchaResponse = document.getElementById('recaptchaResponse');
            recaptchaResponse.value = token;
        });
    });
</script>

I'm expecting there to be no warnings at all, yet I'm getting 6.
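The warnings quoted above are what a CSP Level 3 browser prints when a script-src directive combines 'strict-dynamic' with 'unsafe-inline' and scheme sources such as https: and http:. The model below is an added example, not code from the question or from either answer; it parses a policy string, applies the 'strict-dynamic' rule the way the spec describes it, emits the same "Ignoring ..." lines, and decides which scripts the policy still allows. The policy strings, the nonce value and the script URLs are constructed samples; the "nonce + strict-dynamic + host fallback" shape is an assumption about the kind of policy that produces these lines, not something taken from the page.

```javascript
// Added example (not code from the question or either answer): a simplified model of how
// a CSP Level 3 browser handles a script-src directive that contains 'strict-dynamic'.
// It reproduces the "Ignoring ... within script-src" console lines and shows which
// scripts such a policy still allows. The policy strings, the nonce value and the URLs
// below are constructed samples; the nonce is a placeholder, not a real one.

// Parse a Content-Security-Policy header value into a Map of directive name -> sources.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Nonce and hash sources survive 'strict-dynamic'; host, scheme, 'self' and 'unsafe-inline' do not.
function isNonceOrHash(src) {
  return /^'(nonce-|sha(256|384|512)-)/.test(src);
}

// Apply the CSP3 rule: when 'strict-dynamic' is present, the browser drops host sources,
// scheme sources, 'self' and 'unsafe-inline', logging one warning per dropped expression.
// This is the backward-compatible pattern behind the warnings: an older browser that does
// not understand 'strict-dynamic' ignores that keyword instead and keeps the host allowlist.
function effectiveScriptSources(sources) {
  const warnings = [];
  if (!sources.includes("'strict-dynamic'")) {
    return { effective: sources.slice(), warnings };
  }
  const effective = [];
  for (const src of sources) {
    if (src === "'strict-dynamic'" || src === "'unsafe-eval'" || src === "'report-sample'" || isNonceOrHash(src)) {
      effective.push(src);
    } else {
      warnings.push(`Content Security Policy: Ignoring \u201c${src}\u201d within script-src: \u2018strict-dynamic\u2019 specified`);
    }
  }
  return { effective, warnings };
}

// Host-source matching, simplified: scheme sources ("https:") match by scheme, host sources
// match by URL prefix. Wildcards and 'self' are not modelled here.
function hostMatches(src, url) {
  if (src.startsWith("'")) return false;                      // keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.toLowerCase().startsWith(src.toLowerCase());
  const prefix = src.endsWith("/") ? src : src + "/";
  return url.startsWith(prefix);
}

// Decide whether a script may run under the policy. `script` describes one script element:
//   { inline: true }                              inline <script> block
//   { url: "...", nonce: "..." }                  external script, optional nonce attribute
//   { url: "...", loadedByTrustedScript: true }   element created by an already-allowed
//                                                 script via createElement (non-parser-inserted)
function scriptAllowed(headerValue, script) {
  const sources = parsePolicy(headerValue).get("script-src") || [];
  const { effective } = effectiveScriptSources(sources);
  if (script.nonce && effective.includes(`'nonce-${script.nonce}'`)) return true; // nonce wins
  if (effective.includes("'strict-dynamic'")) {
    // Trust propagates only to scripts inserted by trusted code, not to parser-inserted ones.
    return Boolean(script.loadedByTrustedScript) && !script.parserInserted;
  }
  if (script.inline) return effective.includes("'unsafe-inline'");
  return effective.some((src) => hostMatches(src, script.url));
}

// Constructed sample policy in the "nonce + strict-dynamic + fallback" shape.
const STRICT_POLICY = "script-src 'nonce-PLACEHOLDER' 'strict-dynamic' 'unsafe-inline' https: http:";

// Returns the warnings a CSP3 browser would log for STRICT_POLICY (three lines, one per
// ignored expression, in the same order as the question's console output).
function demoWarnings() {
  return effectiveScriptSources(parsePolicy(STRICT_POLICY).get("script-src")).warnings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const w of demoWarnings()) console.log(w);
  console.log("inline without nonce allowed:", scriptAllowed(STRICT_POLICY, { inline: true }));
  console.log("inline with nonce allowed:", scriptAllowed(STRICT_POLICY, { inline: true, nonce: "PLACEHOLDER" }));
}
```

Run it with node to see the three "Ignoring ..." lines. The point the model makes: those lines are the browser reporting that it is applying the stricter nonce-based part of the policy and discarding the legacy fallback part, so the policy is behaving as designed rather than failing; the fallback expressions exist only for browsers without 'strict-dynamic' support. Whether the reCAPTCHA frame's own policy is the source of the lines is something the example does not establish; it only shows the mechanism that produces them.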

2 Answers

0

Please refer to this example code to add this in your head tag:

Content-Security-Policy: script-src 'self' https://apis.google.com

You will get more information from this page: https://developers.google.com/web/fundamentals/security/csp/

Also fix the mixed content errors.

6
  • 1
    I have no idea where to put this in my code: "Content-Security-Policy: script-src 'self'" Also, I'm not getting mixed content errors. I don't know what you mean. And your first link is not working.
    – Aran Bins
    Commented Feb 17, 2019 at 7:57
  • In your page head tag as a meta tag: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';"> (developer.mozilla.org/en-US/docs/Web/HTTP/CSP). Also in your .htaccess file: Header set Content-Security-Policy "default-src 'self';" (content-security-policy.com)
    Commented Feb 17, 2019 at 8:01
  • 1
    I tried <meta http-equiv="Content-Security-Policy" content="script-src 'self';"> but now I'm getting Content Security Policy errors, even worse.
    – Aran Bins
    Commented Feb 17, 2019 at 8:02
  • What if I'm using nginx and not apache for my web server? Where do I put " Header set Content-Security-Policy "default-src 'self';" " ?
    – Aran Bins
    Commented Feb 17, 2019 at 8:24
  • I'm also still getting TONS more content security policy errors now after adding <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
    – Aran Bins
    Commented Feb 17, 2019 at 8:25
0

This warning cannot be fixed and you have to just ignore it. This is a problem between the browser and Google, and in the whole internet there is no solution to clear your console of it.

More info is at: https://stackoverflow.com/a/55835120/16212595

and https://www.reddit.com/r/firefox/comments/fpptyj/firefox_content_security_policy_console_output/
