friendly-challenge icon indicating copy to clipboard operation
friendly-challenge copied to clipboard
verified publisher icon FriendlyCaptcha

CSP Documentation missing style-src 'unsafe-eval'?

Open kmindi opened this issue 1 year ago • 2 comments

Hi,

I have not yet created a MVP or anything similar to further dig down, but apparently the recommended settings https://docs.friendlycaptcha.com/#/csp miss a step about the style-src / style-src-elem.

The widget.module.js injects a style element, which is blocked on a page with the following Content-Security-Policy Error in Chrome:

widget.module.min.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-rD8UmTfY4BIp0ZHw'". Either the 'unsafe-inline' keyword, a hash ('sha256-DtJ0G5eArSV7tvvFUUeV7iyiWfBGflIkRW64/tmMWUk='), or a nonce ('nonce-...') is required to enable inline execution.

Thanks for confirming or looking into it. I'm happy to provide more information if needed and update this issue.

kmindi avatar Jul 19 '24 09:07 kmindi

Hey, you are right that you have to add unsafe-inline to either style-src or default-src. I will look into why this isn't documented yet!

Alternatively, you can set skipStyleInjection and add your own style sheet (or copy ours) to style the widget. This way you can avoid the CSP issue.

merlinfuchs avatar Jul 19 '24 09:07 merlinfuchs

Thanks already!, Yet, adding it seems to have no effect because we use a nonce, but don't know why it does not work with that nonce, it should be set at all places...

kmindi avatar Jul 19 '24 12:07 kmindi