Updated by Markus Kahl about 3 years ago
### Steps to reproduce
1. Activate reCAPTCHA V2 or V3 (Google)
2. Create a new user
3. Log in as the new user
### What is the buggy behavior?
reCAPTCHA will time out with the following errors:
_see Logs_
### What is the expected behavior?
reCAPTCHA works only if we change the file:
`/opt/openproject/modules/recaptcha/lib/open_project/recaptcha/engine.rb`
Line: 38 must be:
`frame_src: %w(https://www.recaptcha.net/recaptcha/)`
### Important note
Was reproduced by manually changing the file and works.
Generally we may want to follow [Google's docs](https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website.-how-can-i-configure-it-to-work-with-recaptcha) here.
### **Logs**
```text
Content Security Policy: The page’s settings blocked the loading of a resource at https://www.recaptcha.net/recaptcha/api2/anchor?ar=1&k=6LdB9fAhAAAAAHVTLpD5C28dNQdicdP4ORd2tiGI&co=aHR0cHM6Ly9vcGVucHJvamVjdC5jb211bmthLmh1OjQ0Mw..&hl=en&v=g8G8cw32bNQPGUVoDvt680GA&size=normal&cb=3lnm9y4nkb1b (“frame-src”).
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 5
Content Security Policy: The page’s settings blocked the loading of a resource at https://www.recaptcha.net/recaptcha/api2/anchor?ar=1&k=6LdB9fAhAAAAAHVTLpD5C28dNQdicdP4ORd2tiGI&co=aHR0cHM6Ly9vcGVucHJvamVjdC5jb211bmthLmh1OjQ0Mw..&hl=en&v=g8G8cw32bNQPGUVoDvt680GA&size=normal&cb=xujlkdds67vi (“frame-src”).
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Unhandled Promise rejection: Timeout ; Zone: <root> ; Task: Promise.then ; Value: Timeout undefined zone.js:1063
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 3
Content Security Policy: The page’s settings blocked the loading of a resource at https://www.recaptcha.net/recaptcha/api/fallback?k=6LdB9fAhAAAAAHVTLpD5C28dNQdicdP4ORd2tiGI&hl=en&v=g8G8cw32bNQPGUVoDvt680GA&t=40019 (“frame-src”).
```
### Screenshots and other files
n/a
### Environment information
**OpenProject installation type**
* [ ] Hosted cloud edition
* [x] Packaged installation
* **CentOS, but most likely in ALL versions**
* [ ] Docker All-in-one container
* [ ] Docker-compose installation
* [ ] Other (please specify)
**OpenProject version**
_If you're not running on the cloud edition, please specify the version of OpenProject you're running. Example: v12.1.5_
**Browser**
* [ ] Chrome
* [x] Firefox
* [ ] Safari
* [ ] Mobile Safari
* [ ] Other (please specify)
**Language**
English
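
To check a proposed `frame_src` value against the violations in the log before editing `engine.rb`, the following added example (not part of the original report and not OpenProject code) extracts the blocked URLs from Firefox console text and tests them against a candidate source list. The helper names, the shortened sample log, and the two counter-example policies are constructed for illustration, and the matcher is a simplified version of CSP host-source matching.

```ruby
require "uri"

# Constructed sample in the Firefox console format quoted in the report
# (query strings shortened, SITEKEY is a placeholder).
LOG = <<~'TXT'
  Content Security Policy: The page’s settings blocked the loading of a resource at https://www.recaptcha.net/recaptcha/api2/anchor?ar=1&k=SITEKEY (“frame-src”).
  Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
  Content Security Policy: The page’s settings blocked the loading of a resource at https://www.recaptcha.net/recaptcha/api/fallback?k=SITEKEY (“frame-src”).
TXT

SOURCE_RE = %r{\A(https?)://(\*\.)?([^/:]+)(?::(\d+))?(/.*)?\z}
DEFAULT_PORT = { "http" => 80, "https" => 443 }.freeze

# Pull [directive, blocked URL] pairs out of the console text.
def blocked_resources(log)
  log.scan(/blocked the loading of a resource at (\S+) \(“([a-z-]+)”\)/)
     .map { |url, directive| [directive, url] }
end

# Simplified CSP host-source match (no scheme upgrade, no keywords such as 'self').
def source_allows?(source, url)
  m = SOURCE_RE.match(source)
  return false unless m
  scheme, wildcard, host, port, path = m.captures
  t = URI.parse(url)
  return false unless t.scheme == scheme
  return false unless t.port == (port ? port.to_i : DEFAULT_PORT[scheme])
  host_ok = wildcard ? t.host.downcase.end_with?(".#{host.downcase}") : t.host.casecmp?(host)
  return false unless host_ok
  return true if path.nil?
  # A source path ending in "/" is a prefix; any other path must match exactly.
  path.end_with?("/") ? t.path.start_with?(path) : t.path == path
end

# Blocked URLs that a proposed policy (directive => source list) still fails to cover.
def still_blocked(log, policy)
  blocked_resources(log)
    .reject { |directive, url| policy.fetch(directive, []).any? { |s| source_allows?(s, url) } }
    .map(&:last)
end

PAGE_FIX   = { "frame-src" => %w[https://www.recaptcha.net/recaptcha/] } # value from the report
OTHER_HOST = { "frame-src" => %w[https://www.google.com/recaptcha/] }   # constructed: different host
NO_SLASH   = { "frame-src" => %w[https://www.recaptcha.net/recaptcha] }  # constructed: exact-path pitfall

puts still_blocked(LOG, PAGE_FIX).inspect # []
```

The `NO_SLASH` case shows why the trailing slash in the reported value matters: without it the source matches only the exact path `/recaptcha`, so both frames stay blocked.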