Allow nonce-based CSP for reCAPTCHA #311

Open
kesara opened this issue Oct 23, 2017 · 3 comments

Comments

kesara commented Oct 23, 2017

For more secure CSP rules, FlaskWTF reCAPTCHA should allow providing a nonce when using reCAPTCHA and include that nonce in the script tag which loads api.js.

More information: https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website-how-can-i-configure-it-to-work-with-recaptcha

@davidism
Member

That link is unclear about how to use a nonce. If you know what needs to happen, please open a PR.

@kesara
Author

kesara commented Oct 24, 2017

I think my PR should address the issue of inserting the nonce into the script tag.
But getting it working needs adding that nonce to the HTTP CSP header; I don't think that should be part of this library.
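
The split described in the comment above (nonce on the `api.js` script tag, same nonce in the CSP response header) can be seen end to end in the following added example, which is not Flask-WTF's code and not part of the original thread. It uses a plain stdlib WSGI app; the policy string, the function names and the site-key placeholder are assumptions made for illustration.

```python
import html
import secrets

RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js"


def new_nonce() -> str:
    # 128 bits from the OS CSPRNG; must be fresh for every response.
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    # Assumed minimal policy: only scripts carrying this nonce may run.
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def recaptcha_script(nonce: str) -> str:
    # The tag the form library would emit, with the nonce attribute added.
    safe = html.escape(nonce, quote=True)
    return f'<script src="{RECAPTCHA_SRC}" nonce="{safe}" async defer></script>'


def app(environ, start_response):
    # One nonce per request, shared by the header and the markup.
    nonce = new_nonce()
    page = (
        "<!doctype html><html><head>" + recaptcha_script(nonce) + "</head>"
        '<body><form method="post">'
        # SITE_KEY_PLACEHOLDER is a constructed value, not a real key.
        '<div class="g-recaptcha" data-sitekey="SITE_KEY_PLACEHOLDER"></div>'
        "</form></body></html>"
    ).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", csp_header(nonce)),
        ("Content-Length", str(len(page))),
    ])
    return [page]


def fetch(wsgi_app):
    """Call the app once in-process and return (headers dict, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(wsgi_app(environ, start_response)).decode("utf-8")
    return captured, body
```

If the header and the tag are produced by different layers, both must read the nonce from the same per-request value; a nonce that is cached or reused across responses no longer restricts which scripts run.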

@songsammy

Well, also try adding the nonce in the `<head>` tag.
