google / google-api-javascript-client

Google APIs Client Library for browser JavaScript, aka gapi.
Apache License 2.0

Safari only bug: 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. #397

Open mesqueeb opened 6 years ago

mesqueeb commented 6 years ago

Dear GAPI team. I have a security bug only on Safari. Right in between loading and initialising GAPI I get these:

[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

kamzata commented 4 years ago

I got the same error using it on Magento 2. Any solution?

joshbruce commented 4 years ago

Same - using raw via PHP + Laravel (no packages).

fabiosoto commented 4 years ago

Same - Safari 12.1.2, Angular + ReCaptcha

dinohorvat commented 4 years ago

Same issue. Safari 13.1.1, Angular + Trading View Widget

ArjenB commented 4 years ago

Same here using Divi theme's implementation of Recaptcha 3 in Wordpress on Safari 13.1.1 on MacOS Catalina 10.15.6. However this doesn't prevent my Contact Form from being submitted on any device (Mac, iPhone, iPad). It just looks sloppy to have so many errors in the console.

gregblass commented 4 years ago

I have rollbar (an error reporting tool) hooked up to my javascript in production sites. I take errors seriously as a developer. This is such a shame.

mesqueeb commented 4 years ago

Here I stumble back on the same issue almost 3 years later.

This time I cannot seem to use Google reCaptcha in a Capacitor app for iOS.

Any advice on how to make this work, in order to be able to use Phone Auth for Firebase, much appreciated!!

kirilltitov commented 4 years ago

Forget it, they just don't care.

PierreSymonPeralta commented 4 years ago

Same here.

The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.

Google ReCaptcha v2 invisible Safari Version 13.1.1 (15609.2.9.1.2)

kinucris commented 4 years ago

I have the same problem with Safari 14.0 15610.1.28.1.9 with reCaptcha too

THammond9 commented 3 years ago

This error prevents our form from loading in Safari and iOS

sergentj commented 3 years ago

Hi all,

I see a lot of activity here and I'd like to be able to help, but it's not clear to me how. Here are a few questions I would like to know the answer to, from anyone who is still having trouble.

  1. Is there an issue with gapi as opposed to reCAPTCHA? This bug tracker is for gapi, not reCAPTCHA; as far as I can tell the recent complaints over the last year or two are about reCAPTCHA and not gapi. If there is some integration between them that I'm not aware of, I apologize, but maybe you can point me to what it is. This bug was originally filed because gapi was triggering these warnings, but that was fixed years ago as far as I know.

From what I can tell, the reCAPTCHA team uses StackOverflow for helping out on questions like this, so if the problem is purely reCAPTCHA related I suggest posting there instead.

  2. Are the error messages just spurious warnings or do they actually indicate breakage? reCAPTCHA's demo does seem to work on Safari, so I'm not sure if the error messages are serious or are just ignorable log spam. I also see a few Stack Overflow answers suggesting that they are just notices and not fatal errors.

Can anyone who is having trouble clarify answers to these two questions for their use case? Thanks.

tom-b-wright commented 3 years ago

Hi @sergentj

Since your team already solved a similar issue years ago, I think communicating the solution to the recaptcha team will be the best approach.

We are getting this error message in the console (Safari): The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.

I believe that the "strict-dynamic" header value is transmitted by the server when issuing a GET HTTP request to https://www.google.com/recaptcha/api2/anchor

So the task is to check why that HTTP response includes that header value and whether it is possible to make it supported in Safari. This is a sample value of that header: Content-Security-Policy: script-src 'nonce-Y2U53p7Dpty6XSdv8PgARw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1

Thanks.

sergentj commented 3 years ago

Hi, thanks for your reply. It'd be better if you can engage directly with the reCAPTCHA team for help on this rather than use me as a go-between, because I'm sure they will have followup questions for you. According to their documentation, you should email support@recaptcha.net for bugs and feature requests, or use Stack Overflow for general support.

egranty commented 3 years ago

These are 2 independent error/warning messages that appear in Safari independently of each other. Special thanks to @mesqueeb for the detailed data for research provided. So, let's examine each one separately.

  1. [Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. Safari doesn't fully support 'strict-dynamic' and honestly warns about it in its console. Actually it's not an error, it's just a warning. Note that this message does not contain the name of the affected script; this is a general warning. Such warnings are normal practice for all browsers. We will have to live with this warning until Safari is fully CSP3 compliant.

Anyway, the Google API Client Library developers have no control over Apple's state of affairs.

  2. [Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. The error means some inline script is really locked. Why this does not prevent the Google API from operating normally, see para 4 below.

  3. In 99% of cases, this error occurs inside an invisible Google frame, in which data is exchanged with Google services. Pay attention to the place where the error occurred: postmessageRelay (it works in its own frame) and iframe: 0. To protect this frame, the related Google service publishes within it its own CSP in browser backward-compatibility mode; one such CSP is shown by @tom-b-wright above. Reducing the security of Google's auth iframes just because of Safari console warnings is not a good idea.

1% of cases:

  4. Why does reCAPTCHA/Auth2 continue to operate even when the second error occurs and some calls seem to be blocked?

Safari is special. Therefore developers have a related headache, like it was with IE6 a few years ago.
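
Added example (not gapi code and not code posted by anyone in this thread): it parses the reCAPTCHA header quoted by @tom-b-wright above and computes which script-src sources a browser actually enforces, once honouring 'strict-dynamic' (CSP3) and once ignoring it the way Safari's warning in this thread describes, which is the backward-compatibility design @egranty refers to. The nonce value is the one quoted in the thread and is treated as illustrative; the functions are helpers written for this example.

```javascript
// Added example: parse a Content-Security-Policy header and show the
// script-src source list a browser really enforces, with and without
// support for 'strict-dynamic'. SAMPLE_CSP is the header quoted in the
// thread; the nonce is illustrative.
const SAMPLE_CSP =
  "script-src 'nonce-Y2U53p7Dpty6XSdv8PgARw' 'unsafe-inline' 'strict-dynamic' " +
  "https: http: 'unsafe-eval';object-src 'none';base-uri 'self';" +
  "report-uri https://csp.withgoogle.com/csp/recaptcha/1";

// Split "directive src src; directive ..." into a Map of directive -> sources.
// A repeated directive is ignored after its first occurrence, as CSP requires.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)/i.test(s);

// Sources the browser will enforce for script-src.
// supportsStrictDynamic=false models Safari's "invalid source ... ignored" warning.
function effectiveScriptSrc(policy, supportsStrictDynamic) {
  let sources = policy.get("script-src") || [];
  if (!supportsStrictDynamic) sources = sources.filter((s) => s !== "'strict-dynamic'");
  if (sources.includes("'strict-dynamic'")) {
    // CSP3: host and scheme sources, 'self' and 'unsafe-inline' are ignored;
    // only nonces, hashes and the remaining keyword sources count.
    sources = sources.filter((s) => s.startsWith("'") && s !== "'self'" && s !== "'unsafe-inline'");
  } else if (sources.some(isNonceOrHash)) {
    // CSP2: when a nonce or hash is present, 'unsafe-inline' is ignored.
    // This is why the header can list both and still be strict everywhere.
    sources = sources.filter((s) => s !== "'unsafe-inline'");
  }
  return sources;
}

// Would an inline <script> with the given nonce attribute (or none) run?
// A "no" here is what the second console message in this thread reports.
function inlineScriptAllowed(policy, supportsStrictDynamic, nonce) {
  const sources = effectiveScriptSrc(policy, supportsStrictDynamic);
  if (sources.includes("'unsafe-inline'")) return true;
  return nonce !== undefined && sources.includes(`'nonce-${nonce}'`);
}
```

With this header an inline script without the matching nonce is refused in both browser modes, so the only behavioural difference Safari's warning introduces is that scripts fall back to the https:/http: allowlist instead of the 'strict-dynamic' trust propagation.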

smartameer commented 3 years ago

Unchecking the Prevent cross-site tracking (default is on) solved my issue of cross site images and script loading. ( MacOS Big Sur )

XvJX commented 3 years ago

I hope it can help you!

smileBeda commented 3 years ago

The solution to remove the block pop-ups setting is not a solution, it's more a workaround/hack, and additionally doesn't solve a thing for me.

I can't believe this is being ignored? Concurrence Google/Apple being the issue, or what is the reason a 3 years old BUG is not resolved?

Any other solution than disabling blockers?

veeralpatel commented 3 years ago

Are there any updates here?

danielraban commented 3 years ago

Are we going to get a solution?

smileBeda commented 3 years ago

Don't we worry - google is busy destroying all our businesses with their "core web vitals" updates and invading all our privacy with things like FLoC, while things like these, or just the very GIT thread here, are proof of how much of an authoritative instance Google is for things "good web": None!

In fact it is their broken tools, indexes not working or badly working, and other issues like the ability to check your URLs only after signing up for a free analytics account (LOL) that clearly show how much they are interested in your success versus their success by gathering data for free through their analytics services. It is a relation of 0:n (zero being their interest in your success, and n representing their interest in their success through making you give them all the data they need - for free.)

We are the fools: how did Google even become this hilarious monopoly giant? In other industries, they would be investigated for monopoly tactics and probably broken into pieces, if not sued for favouritism.

Going off topic, however, it is kind of on topic, since it all concerns the one giant PITA we deal with here: google

sreeram-solinst commented 3 years ago

Any updates?

devsigner-xyz commented 3 years ago

I am experiencing the same problem with Recapcha invisible and Safari.

meiyasan commented 3 years ago

Same here ! :(

pagarazzi commented 3 years ago

Same here. Recaptcha v3 (with react wrapper), Safari on iOS & MacOS + Firefox on iOS

It is breaking the page as it halts the js execution. In fact some of our animated images even stop playing once the google recaptcha js script is included.

But it has worked occasionally in the past, either because my safari was auto updated on iOS or because google changed the script's policy.

Is this planned to be resolved or should we look into a different captcha library such as hCaptcha?

How do sites like mongodb make the invisible reCaptchas work in safari?

ax2mx commented 3 years ago

The issue still persists in Safari v14.1.2 (16611.3.10.1.6).

Though the hack of unchecking Prevent cross-site tracking and allowing pop-up windows for a specific website in Safari Preferences works well, it doesn't solve the problem.

ghostbutter-games commented 2 years ago

Running into this as well, sadly did not find any solution other than having to disable ReCaptcha (v3, invisible) for the time being. Is there any update on this? Could anyone from Google please help us out, here?

As it stands right now, apparently ReCaptcha simply does not work on Safari? Does no one care about this?

kirilltitov commented 2 years ago

Given that they make their products virtually unusable for non-Chrome browsers (Meet, for example), it's not like they don't care, but rather, I'm sure, it is intended behaviour.

Maks-Chornyi commented 2 years ago

Today I have this issue in Google Maps. I can't scroll up/down to change the map scale, and in the console I see this issue. Can anyone say where we should report this?)