altcha-org / altcha

GDPR compliant, self-hosted CAPTCHA alternative with PoW mechanism and advanced anti-spam filter.
https://altcha.org
MIT License

CSP strict-dynamic compliance and onfocus issue #33

Closed DorianCoding closed 3 months ago

DorianCoding commented 4 months ago

Hello,

Would it be possible to make CSS of Altcha compliant with strict-dynamic CSP?


Secondly, when using onfocus, if we click on the submit button, the validation starts again, even if already validated and not expired and therefore we cannot submit the form :/

Thanks.

ovx commented 4 months ago

Hello, with strict CSP configuration, you will have to apply CSS in your app. You can use the altcha.css or simply import 'altcha/altcha.css' if you're using bundlers (requires min version 0.4.1).

The issue with onfocus is fixed in the latest version 0.4.1.

DorianCoding commented 4 months ago

Hello,

> Hello, with strict CSP configuration, you will have to apply CSS in your app. You can use the altcha.css or simply import 'altcha/altcha.css' if you're using bundlers (requires min version 0.4.1).

I thought inline-styles, like inline-scripts, were allowed when loaded from a script with CSP3 strict-dynamic, but that's not the case, so yeah, I'll do the fallback solution that is working fine. The script is not responsible.

> The issue with onfocus is fixed in the latest version 0.4.1.

Okay, I've extracted it from GitHub and it indeed seems to work now.

Thanks.
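The behaviour discussed in the comments above, as an added example that is not part of the thread or of Altcha's own code: a simplified check of whether a policy lets a script-inserted `<style>` element through, showing that `'strict-dynamic'` extends trust to scripts only. The function names and the sample policy are constructed for illustration.

```javascript
// Added example: simplified CSP evaluation, not a full CSP3 parser.
// Function names and the sample policy below are constructed.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Return the source list of the first directive in the fallback chain,
// or null when no directive governs the resource type (unrestricted).
function effectiveSources(policy, chain) {
  for (const name of chain) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)/i.test(s);
const hasKeyword = (sources, kw) => sources.some((s) => s.toLowerCase() === kw);

// Is a <style> element that a script inserts without a nonce allowed?
function injectedStyleAllowed(header) {
  const sources = effectiveSources(parseCsp(header),
    ['style-src-elem', 'style-src', 'default-src']);
  if (sources === null) return true;
  // A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
  // 'strict-dynamic' is never consulted here: it only affects scripts.
  return hasKeyword(sources, "'unsafe-inline'") && !sources.some(isNonceOrHash);
}

// Does 'strict-dynamic' govern script loading under this policy?
function scriptsUseStrictDynamic(header) {
  const sources = effectiveSources(parseCsp(header),
    ['script-src-elem', 'script-src', 'default-src']);
  return sources !== null && hasKeyword(sources, "'strict-dynamic'");
}

// Constructed policy: strict script-src, stylesheets from same origin only.
const STRICT = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; style-src 'self'";
console.log(scriptsUseStrictDynamic(STRICT), injectedStyleAllowed(STRICT)); // true false
```

Under the constructed policy, a same-origin copy of altcha.css loaded through a `<link>` is still permitted by `style-src 'self'`, which is why applying the stylesheet from the app works.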

Fabio-Zeus-Soft commented 3 months ago

As suggested here, I added altcha.css to my code, but I'm still getting a CSP error because the script is shipping the CSS inline code. Is there a way to prevent the script from adding the style? I'm talking about the