
I have searched many questions on SO related to this, but nothing solves my issue. I am using Google reCAPTCHA v2 in an ASP.NET MVC5 app. It works fine in Google Chrome, but it shows some errors in the Firefox and Edge browsers. I suspect this is something related to Content Security Policy headers.

Error in Firefox

Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified

Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified

Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

Error in Edge

Security of a sandboxed iframe is potentially compromised by allowing script and same origin access.

Due to this error reCAPTCHA is not working, since it gets timed out every time.

I've tried adding CSP headers like this in web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' https://www.google.com https://www.google.com/recaptcha/api.js https://www.gstatic.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

But this doesn't work either, as my page got broken since all other files got blocked by the browser.

  • I don't believe any of the Firefox "errors" you listed would cause the script not to work. Does the script work if you remove CSP entirely?
    – Stephen R
    Commented Apr 16, 2019 at 14:28
  • @StephenR I am not adding any CSP headers myself. CSP headers are not present in my document; rather, they are in the iframe created by the reCAPTCHA.
    – Beingnin
    Commented Apr 17, 2019 at 4:42
  • And if I remove the reCAPTCHA script reference, the errors disappear.
    – Beingnin
    Commented Apr 17, 2019 at 4:44

1 Answer

3

It doesn’t appear that the script’s failure is CSP related. Those aren’t really errors you’re getting; merely notices.

In CSP some policies override other policies, so you get a notice that policy A is ignored because you’re using policy B. So why put policy A in at all, you ask? For compatibility with older browsers that don’t understand policy B.

For example: I use CSP nonces, but also put in “unsafe-inline”. IE doesn’t understand nonces so it uses the “unsafe-inline” rule. Modern browsers ignore the “unsafe-inline” and use the nonces. In the Firefox console I get a notice similar to what you’re getting.

  • 1
    OK. But do you have any idea why the reCAPTCHA is not working in Firefox and Edge? When a user clicks, it spins forever.
    – Beingnin
    Commented Apr 17, 2019 at 9:50
  • I would've gone in the wrong direction if you hadn't intervened. Thanks.
    – Beingnin
    Commented Apr 17, 2019 at 10:22
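The precedence behaviour the answer describes (a nonce or 'strict-dynamic' makes a browser drop 'unsafe-inline' and, for 'strict-dynamic', the host and scheme sources, while an older browser that does not understand those keywords falls back to 'unsafe-inline') can be modelled in a few lines. The following JavaScript is an added example, not code from the question, the answer, or reCAPTCHA itself. The policy string in it is constructed to resemble the Firefox notices quoted in the question, not the real header the reCAPTCHA frame sends; the "CSP level" parameter and the function names (scriptSrcValue, effectiveSources, inlineScriptAllowed) are this example's own simplification of browser support.

```javascript
// Added example (not code from the question or the answer): a simplified model of
// how a browser resolves a script-src source list, reproducing the precedence
// rules discussed above. It handles only the keywords that appear on this page and
// is not a complete CSP implementation. All names here (scriptSrcValue,
// effectiveSources, inlineScriptAllowed, cspLevel) are this example's own.

const NONCE_RE = /^'nonce-[A-Za-z0-9+\/_-]+=*'$/;
const HASH_RE = /^'(sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+=*'$/;
const CSP1_KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);

// Pull the script-src value out of a full Content-Security-Policy header value.
// Returns null when the header has no script-src directive.
function scriptSrcValue(policyHeader) {
  for (const directive of policyHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name && name.toLowerCase() === "script-src") return sources.join(" ");
  }
  return null;
}

// Which source expressions a browser at the given CSP level actually honours,
// and which it drops (with the reason a console notice would give).
// cspLevel 1: legacy (old IE): no nonces, hashes or 'strict-dynamic'.
// cspLevel 2: nonces and hashes understood; their presence disables 'unsafe-inline'.
// cspLevel 3: adds 'strict-dynamic', which also disables host and scheme sources.
function effectiveSources(directiveValue, cspLevel = 3) {
  const tokens = directiveValue.trim().split(/\s+/).filter(Boolean);
  const isUrlSource = (t) => !t.startsWith("'") || t === "'self'";
  const understood = (t) =>
    CSP1_KEYWORDS.has(t) || isUrlSource(t) ||
    (cspLevel >= 2 && (NONCE_RE.test(t) || HASH_RE.test(t))) ||
    (cspLevel >= 3 && t === "'strict-dynamic'");

  const ignored = [];
  const known = [];
  // Step 1: a browser silently drops source expressions it does not understand.
  // This is the fallback the answer relies on: an old browser never sees the
  // nonce and so keeps honouring 'unsafe-inline'.
  for (const t of tokens) {
    if (understood(t)) known.push(t);
    else ignored.push({ source: t, reason: `not understood at CSP level ${cspLevel}` });
  }

  const hasNonceOrHash = known.some((t) => NONCE_RE.test(t) || HASH_RE.test(t));
  const hasStrictDynamic = known.includes("'strict-dynamic'");
  const effective = [];
  // Step 2: apply the precedence rules among the expressions that were understood.
  for (const t of known) {
    if (t === "'unsafe-inline'" && (hasStrictDynamic || hasNonceOrHash)) {
      ignored.push({
        source: t,
        reason: hasStrictDynamic ? "'strict-dynamic' specified" : "nonce or hash specified",
      });
    } else if (hasStrictDynamic && isUrlSource(t)) {
      // CSP3: with 'strict-dynamic' present, host-source and scheme-source
      // expressions (and 'self') are not consulted for script loads.
      ignored.push({ source: t, reason: "'strict-dynamic' specified" });
    } else {
      effective.push(t);
    }
  }
  return { effective, ignored };
}

// Would an inline <script> run? Only if 'unsafe-inline' survived, or the script
// carries a nonce that is in the effective list.
function inlineScriptAllowed(directiveValue, cspLevel = 3, scriptNonce = null) {
  const { effective } = effectiveSources(directiveValue, cspLevel);
  if (effective.includes("'unsafe-inline'")) return true;
  return scriptNonce !== null && effective.includes(`'nonce-${scriptNonce}'`);
}

// Constructed policy in the style of the notices quoted in the question
// (not the actual header the reCAPTCHA frame sends).
const EXAMPLE_HEADER =
  "default-src 'none'; script-src 'self' 'unsafe-inline' 'nonce-r4nd0m' 'strict-dynamic' https: http:";

if (typeof require !== "undefined" && require.main === module) {
  const value = scriptSrcValue(EXAMPLE_HEADER);
  for (const level of [1, 2, 3]) {
    const { effective, ignored } = effectiveSources(value, level);
    console.log(`CSP level ${level}: effective = ${effective.join(" ")}`);
    for (const i of ignored) console.log(`  Ignoring ${i.source} within script-src: ${i.reason}`);
    console.log(`  inline script without nonce allowed: ${inlineScriptAllowed(value, level)}`);
  }
}
```

Running it with `node` prints, for level 3, the same four "Ignoring ... within script-src: 'strict-dynamic' specified" lines the question quotes (plus one for 'self'), while level 1 keeps 'unsafe-inline' and drops the nonce and 'strict-dynamic' as unknown. That is the point of the answer: the notices only report which fallback expressions a modern browser has set aside, and a script that still fails to load is failing for some other reason.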
