Safari bug, The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. 4

[arelaxend]

Dear contributors,

The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.

The bug appears in the "demo" link of the page.

On Safari Version 12.0 (13606.2.11)

A.

Edit: reference here google/google-api-javascript-client#397

[arelaxend]

Here, they specify to use none https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website-how-can-i-configure-it-to-work-with-recaptcha

I put the following as a try in my index.html

  <meta http-equiv="Content-Security-Policy" content="
    script-src 'self' 'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA';
    frame-src 'self' 'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA' ;
    style-src 'self' 'unsafe-inline';
    object-src 'self';
  ">

And, I add:

  var script = document.createElement('script');
   script.src = 'https://www.google.com/recaptcha/api.js?hl=' + locale + '&onload=GoogleRecaptchaLoaded&render=explicit';
 ...
  script.nonce = 'ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA';

And now, I am still getting the following error... unbelievable

Refused to load https://www.google.com/recaptcha/api2/anchor?ar=1&k=***=fr&v=v1536705955372&size=invisible&badge=inline&cb=*** because it does not appear in the frame-src directive of the Content Security Policy.

[arelaxend]

Ok, I found that is might or might not be relevant.
In their demo, https://www.google.com/recaptcha/api2/demo?invisible=true
They put a nonce for the script, and
content-security-policy: script-src 'report-sample' 'nonce-zPUGd9Hi6LE/jcyMULaEIKJTCDU' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1

[youriv2019]

this bug caused my website to stop working. I have taken recaptcha away now.