
CSP can't be really used

Open: nikriaz opened this issue 2 years ago • 1 comment

The CSP for the Google-originated script is handled, but it seems that the CSP for your own callback script has been forgotten.

Enabling a script-src CSP also disables inline scripts. You use explicit reCaptcha rendering with a custom callback function, which is rendered inline. You also use a callback function name defined in `<div id="<#= Model.Uid #>"`. This Model.Uid changes on every request, therefore it's impossible to set its hash in script-src because the hash keeps changing. So, unless you specify unsafe-inline (which is not possible for production), it seems this setup cannot work (or did I miss something?)

What is the reason for having a dynamic callback function name? Can we use just a static name (another ASP.NET reCaptcha implementation uses such an approach, so a hash works well), or implement a nonce to pass into my CSP handler, or do something else to make it work?


nikriaz, Jan 07 '22 12:01

Okay, [temporarily] solved as `@(Html.Recaptcha<RecaptchaV2Checkbox>(RecaptchaSettings.Value, new RecaptchaV2Checkbox {Uid = new Guid("11111111-2222-3333-4444-555555555555")}))` and setting the script hash in script-src. But it looks odd. Also, in fact, reCaptcha itself requires adding a hash to make its inline portion work. It works, but it can suddenly stop working if Google changes something on their side. So, it seems a nonce is the only bullet-proof solution, both for reCaptcha itself (instead of your existing solution with a static script-src) and for your custom callback function as well, if you think its unique name is required. A nonce is also the Google-recommended approach.

More here and here

Response from author would be highly appreciated.

nikriaz, Jan 07 '22 13:01