biscolab / laravel-recaptcha

Google ReCaptcha package for Laravel
https://github.com/biscolab/laravel-recaptcha#readme
MIT License

How about Content Security Policy in This Package #89

Closed hilmihidyt closed 5 months ago

hilmihidyt commented 1 year ago

I use this package, but when I run pentesting, the recaptcha script from this package appears in the test results. How do I add nonce="{{ csp_nonce() }}" to this package? Btw, I use laravel csp by spatie

LiamKarlMitchell commented 12 months ago

You would likely have to modify the ReCaptchaBuilderV3.php or other version you are using to add such a header. Maybe it could be passed through the $configuration object or detect if csp_nonce function is existing?

// Nonce from the configuration array (hypothetical 'cspCode' key), else null
$nonce = $configuration['cspCode'] ?? null;
// Prefer the csp_nonce() helper (spatie/laravel-csp) when it is available
if (function_exists('csp_nonce')) {
    $nonce = csp_nonce();
}

// Emit the nonce attribute only when a nonce was resolved
$html = "<script src=\"" . $this->api_js_url . "?render={$this->api_site_key}\""
    . ($nonce !== null ? " nonce=\"" . $nonce . "\"" : '')
    . "></script>";

Alternatively, the function just returns a string to put in a blade template or some other output, right? You could wrap it and replace to add it in.

Was reading more on it here. Maybe it needs to be done on the other script tag as well, not sure. https://www.vicarius.io/blog/prevent-attacks-using-nonce-attribute
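The approach sketched in the comment above (take the nonce from the configuration array, fall back to a `csp_nonce()`-style helper, and only then emit the attribute), as a stand-alone PHP example. This is added illustration, not code from biscolab/laravel-recaptcha or from spatie/laravel-csp: the `cspCode` configuration key is the hypothetical name used in the comment, `resolveCspNonce` and `buildRecaptchaScriptTag` are names chosen here, and the nonce provider is passed in as a callable so the snippet runs without Laravel (in an app it would be `function_exists('csp_nonce') ? 'csp_nonce' : null`). Attribute values are escaped so a bad site key, URL or nonce cannot break out of the tag.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the CSP nonce for the reCAPTCHA loader tag, in order of preference:
 *   1. an explicit 'cspCode' entry in the package configuration
 *      (hypothetical key name taken from the thread),
 *   2. a nonce provider callable, e.g. 'csp_nonce' from spatie/laravel-csp,
 *   3. null, so the tag is emitted without a nonce attribute.
 */
function resolveCspNonce(array $configuration, ?callable $nonceProvider = null): ?string
{
    $nonce = $configuration['cspCode'] ?? null;
    if ($nonce === null && $nonceProvider !== null) {
        $nonce = $nonceProvider();
    }
    // An empty nonce="" never matches the CSP header and would silently block
    // the script under a strict policy, so treat it the same as "no nonce".
    return ($nonce === null || $nonce === '') ? null : (string) $nonce;
}

/**
 * Build the <script> tag that loads the reCAPTCHA v3 API for the given site key.
 * Every attribute value goes through htmlspecialchars() so nothing can escape
 * the attribute; the key is URL-encoded because it lands in a query string.
 */
function buildRecaptchaScriptTag(string $apiJsUrl, string $siteKey, ?string $nonce): string
{
    $esc = static fn (string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $src = $apiJsUrl . '?render=' . rawurlencode($siteKey);
    $attributes = 'src="' . $esc($src) . '"';
    if ($nonce !== null) {
        $attributes .= ' nonce="' . $esc($nonce) . '"';
    }

    return '<script ' . $attributes . '></script>';
}

// --- Demonstration with constructed values (not a real site key) ------------
$apiJsUrl = 'https://www.google.com/recaptcha/api.js';
$siteKey  = 'CONSTRUCTED-SITE-KEY';

// 1. Nonce supplied through the configuration array.
echo buildRecaptchaScriptTag($apiJsUrl, $siteKey, resolveCspNonce(['cspCode' => 'abc123'])), PHP_EOL;

// 2. Nonce taken from a provider, standing in for csp_nonce() from spatie/laravel-csp.
$provider = static fn (): string => base64_encode(random_bytes(16));
echo buildRecaptchaScriptTag($apiJsUrl, $siteKey, resolveCspNonce([], $provider)), PHP_EOL;

// 3. Neither present: the tag is emitted unchanged, without a nonce attribute.
echo buildRecaptchaScriptTag($apiJsUrl, $siteKey, resolveCspNonce([])), PHP_EOL;
```

The value placed in the attribute has to be the same per-request nonce that the response's `Content-Security-Policy` header carries, which is exactly what spatie's `csp_nonce()` returns; a nonce generated anywhere else will not match and the browser will block the script. If the package also emits an inline `<script>` (the "other script tag" mentioned above), it needs the same nonce, since a nonce-based policy blocks inline scripts without one.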