Recaptcha should support strict CSP style-src rules. #107
Comments
Is there any chance that this issue will be solved someday?

The reCaptcha FAQ claims that adding a nonce to the initial script tag will allow reCaptcha to work with CSP: link here.

After doing some research, it appears that inline styles are valid in a strict CSP policy, but only if they were set by JavaScript. Link. So while

FYI, this is still an issue. I'm using ASP.NET, and using NWebsec to create a nonce. I can confirm that once my page loads, the nonce attribute has been added to the DOM element and the response headers contain that same nonce, but that rule does not apply to the style sheets that the api and recaptcha_en scripts try to load. The unsafe-inline directive works, but my employer would never approve that. Will report back if I find a solution.

Nudging this issue. It sort of bums out Google's whole stance on security. I refuse to change my Content Security Policy, impacting my site's security, simply because Google refuses to get with the times.

@bradleyhodges Same here. I'm not allowing inline styles just for recaptcha. Last commit was in March (nine months ago at time of writing), so development seems to have all but died?

Absolutely.. project is definitely dead, but I'm pretty sure that this repo is for the PHP library alone; meaning that we'd have to find another way to get Google's attention. It's still a massive disappointment to see that Google isn't maintaining security across the entire project. There isn't even a way to specify a nonce or CSP compliance policy with their JavaScript library, and that documentation is on Google's own website.

Any updates to this?

I'll try setting a CSP on the demo and see what happens.
I've been playing around locally and it would be useful to hear some feedback on what people are looking for here. You can take a quick look at the

Generating the nonces:

```php
// One nonce per script source; each is 16 random bytes, base64-encoded
$recaptchaNonce = base64_encode(openssl_random_pseudo_bytes(16));
$inlineNonce = base64_encode(openssl_random_pseudo_bytes(16));
$gaIncNonce = base64_encode(openssl_random_pseudo_bytes(16));
$gaCfgNonce = base64_encode(openssl_random_pseudo_bytes(16));
```

To fire off a header:

```php
header("Content-Security-Policy: "
    ."script-src 'nonce-".$inlineNonce."' 'nonce-".$recaptchaNonce."' 'nonce-".$gaIncNonce."' 'nonce-".$gaCfgNonce."' 'strict-dynamic'; "
    ."object-src 'none'; "
    ."base-uri 'none'; "
);
```

Including the library with:

```html
<script src="https://www.google.com/recaptcha/api.js?render=<?php echo $siteKey; ?>" nonce="<?php echo $recaptchaNonce; ?>"></script>
```

I appreciate this is a very simple example, so it would be helpful to see what you're putting in your actual policies to understand where this doesn't work.
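The nonce-based policy described in the post above, as an added example that is not part of this thread or of the recaptcha PHP library. It assumes a single page-level nonce, a placeholder `$siteKey`, and hypothetical helper names `generateCspNonce()` and `buildCspHeader()`; the point it adds is that the nonce must be generated with a CSPRNG, emitted once in the header and once in the tag, and HTML-escaped on output.

```php
<?php
// Added example; not code from the thread or the library.
declare(strict_types=1);

function generateCspNonce(): string
{
    // random_bytes() is a cryptographically secure source; 16 bytes gives
    // 128 bits of entropy. Base64 keeps the value inside the characters
    // the CSP nonce grammar allows. Never reuse a nonce across responses.
    return base64_encode(random_bytes(16));
}

function buildCspHeader(string $nonce): string
{
    return implode('; ', [
        // 'strict-dynamic' lets scripts that the nonced api.js loads itself
        // run without listing every google/gstatic host in the policy.
        "script-src 'nonce-{$nonce}' 'strict-dynamic'",
        // style-src is intentionally left out here (so it is unrestricted);
        // restricting it is exactly what breaks the widget's inline styles.
        "object-src 'none'",
        "base-uri 'none'",
    ]);
}

$siteKey = 'your-site-key'; // placeholder; use the site key from the reCAPTCHA console
$nonce = generateCspNonce();

// Headers must go out before any body bytes, so this runs first.
header('Content-Security-Policy: ' . buildCspHeader($nonce));
?>
<!doctype html>
<html>
<head>
  <!-- The same nonce value appears in the header and on the tag. -->
  <script src="https://www.google.com/recaptcha/api.js?render=<?= htmlspecialchars($siteKey, ENT_QUOTES) ?>"
          nonce="<?= htmlspecialchars($nonce, ENT_QUOTES) ?>"></script>
</head>
<body>
  <p>Page body goes here.</p>
</body>
</html>
```

Because the nonce is generated per response, caching the rendered HTML would reuse it across visitors and defeat its purpose; if the page is cached, the nonce must be injected at serve time instead.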
@rowan-m, the reason your example works and ours don't is that we're setting style-src and not setting 'unsafe-inline'. The script itself runs, but the styling is broken and we get a bunch of CSP errors. If you want to know why we're setting style-src, it's because third-party CSS is not safe.

Though I haven't fully deployed it yet, I'm using a strict CSP (no inline JS or CSS) with the following hashes in style-src, with no CSP violations:

These are the hashed pieces of inline CSS generated by the reCAPTCHA v2 checkbox version. If you don't trust the above and want to create your own hashes, you can use Chrome's DevTools to grab hashed versions of any inline CSS (if you have CSP blocking inline styles).

@IanOliver Only problem with that is that if Google ever change their CSS, your hashes will no longer match. And Google change their stuff a lot...

@Sora2455 Yes, this is something I should have mentioned, very true. As far as I'm aware, the CSS for reCAPTCHA hasn't changed in a long time, and hopefully if v3 is being concentrated on, maybe v2 will be left as-is. Maybe :)

@IanOliver Hi! I have tried your hashes, it's not working here... There are some projects that spend time implementing nonces, such as "material-ui" for React.. that's a bad design choice 👎

@arelaxend on my blog, the hashes are different too. You'd have to test with a Content-Security-Policy-Report-Only to determine yours.

@borisschapira thank you, I will test this later, since I don't know how to send headers via React.

@arelaxend First, you don't send headers in React. You send them through whatever platform you're hosting React in: Node.JS, ASP MVC, ASP.NET, PHP, Ruby on Rails, etc. Second, if the hashes are different for different people, Google might very well be delivering different CSS for different people, making hashing near-impossible.

@Sora2455 yes indeed, I meant I don't know how to add an HTTP header in Node.js and to trigger this in React, but anyway, I will find this out! By the way, I chose to set an unsafe rule for my tests, since we have no info about this from the reCAPTCHA team. For production, I might consider removing reCAPTCHA.. I found that many people have the same issue. Either we are completely wrong about how it is supposed to work, or it's a « bad » design choice. In the end, it certainly creates difficulties for many teams and this is not good news; it won't help people secure their apps. On this topic, I have found somebody on Stack Overflow who managed to create a hack to automatically create the hash at load time, and still it doesn't work.

@rowan-m I kindly ask: Is there going to be a solution for this issue? Please, developers don't want to lower their security levels.

@Virgomax Hilariously, despite this issue being the one getting all the attention, it's on the wrong repo. This is for the PHP library; there isn't one for the actual service/JavaScript.

@Sora2455 Oh thanks, I didn't notice.

I also raised a bug with Chromium recently. The hashes I'd previously published worked perfectly in Chrome 68, and then were affected by this bug in Chrome 69: https://bugs.chromium.org/p/chromium/issues/detail?id=881847

@Sora2455 :O !!! You are right! I just landed here directly from the search engine and I didn't even see the README.md. Looks like I've been wrong my entire life. Thanks for opening my eyes. ;) I'll go and swear at some other repo. @borisschapira that's awful. Guardian angel, where the hell are you?
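The hash-based alternative that @IanOliver and @borisschapira discuss above (listing `'sha256-…'` sources in `style-src`, and testing with `Content-Security-Policy-Report-Only` first) as an added example; it is not code from this thread or from the recaptcha PHP library. The helper names `cspHashSource()` and `buildStyleSrc()` are hypothetical, the sample CSS is constructed and is not what reCAPTCHA actually injects, and `/csp-report` is a placeholder endpoint.

```php
<?php
// Added example; not code from the thread or the library.
declare(strict_types=1);

/**
 * Returns the CSP source expression for one inline <style> block.
 * The browser hashes the exact bytes between the <style> tags, with no
 * trimming or whitespace normalisation, so the string must be passed
 * verbatim. The digest is base64 (not hex) encoded in the policy.
 */
function cspHashSource(string $inlineCss, string $algo = 'sha256'): string
{
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("CSP only permits sha256/sha384/sha512, got {$algo}");
    }
    return "'{$algo}-" . base64_encode(hash($algo, $inlineCss, true)) . "'";
}

/** Builds a style-src directive from a list of known inline style blocks. */
function buildStyleSrc(array $inlineStyles): string
{
    $sources = array_map(
        static fn(string $css): string => cspHashSource($css),
        $inlineStyles
    );
    return "style-src 'self' " . implode(' ', $sources);
}

// Constructed sample: a made-up inline style, NOT the CSS reCAPTCHA injects.
// The thread's point stands here too: if the third party changes even one
// byte of this string, the hash below stops matching and the style is blocked.
$sampleStyles = [
    "body { margin: 0 }",
];

$policy = buildStyleSrc($sampleStyles) . "; default-src 'self'";

// Report-Only collects violations (including the hash the browser expected)
// without breaking the widget while you discover which styles visitors get.
header('Content-Security-Policy-Report-Only: ' . $policy . '; report-uri /csp-report');
```

Two caveats worth knowing before relying on this: a hash source in `style-src` matches `<style>` elements, but styles set through a `style="…"` attribute need the CSP3 `'unsafe-hashes'` keyword as well; and, as the thread notes, if the provider serves different CSS to different clients, no fixed list of hashes can cover them all, which is why the Report-Only run is the first step rather than the last.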
Good news - the service has been updated so

The `<script src="https://www.google.com/recaptcha/api.js?render=your-site-key" nonce="rand0m1shValue"></script>`

I'll leave this issue open for a little while in case there are any questions / comments and I'll also merge a separate CSP example onto

Closing this off as I've popped up an example in
The documentation now advises developers to enable style-src 'unsafe-inline'.
Should Recaptcha not give an alternative that does not require developers to lower their sites' security?