Open mesqueeb opened 6 years ago
I got the same error using it on Magento 2. Any solution?
Same - using raw via PHP + Laravel (no packages).
Same - Safari 12.1.2, Angular + ReCaptcha
Same issue. Safari 13.1.1, Angular + Trading View Widget
Same here using Divi theme's implementation of Recaptcha 3 in WordPress on Safari 13.1.1 on macOS Catalina 10.15.6. However, this doesn't prevent my Contact Form from being submitted on any device (Mac, iPhone, iPad). It just looks sloppy to have so many errors in the console.
I have rollbar (an error reporting tool) hooked up to my javascript in production sites. I take errors seriously as a developer. This is such a shame.
Here I stumble back on the same issue almost 3 years later.
This time I cannot seem to use Google reCaptcha in a Capacitor app for iOS.
Any advice on how to make this work, in order to be able to use Phone Auth for Firebase, much appreciated!!
Forget it, they just don't care.
Same here.
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
Google ReCaptcha v2 invisible Safari Version 13.1.1 (15609.2.9.1.2)
I have the same problem with Safari 14.0 15610.1.28.1.9 with reCaptcha too
This error prevents our form from loading in Safari and iOS
Hi all,
I see a lot of activity here and I'd like to be able to help, but it's not clear to me how. Here are a few questions I would like to know the answer to, from anyone who is still having trouble.
From what I can tell, the reCAPTCHA team uses StackOverflow for helping out on questions like this, so if the problem is purely reCAPTCHA related I suggest posting there instead.
Can anyone who is having trouble clarify answers to these two questions for their use case? Thanks.
Hi @sergentj
Since your team already solved a similar issue years ago, I think communicating the solution to the recaptcha team will be the best approach.
We are getting this error message in the console (Safari): The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
I believe that the "strict-dynamic" header value is transmitted by the server when issuing a GET HTTP request to https://www.google.com/recaptcha/api2/anchor
So the task is to check why that HTTP response includes that header value and whether it is possible to make it supported in Safari. This is a sample value of that header: Content-Security-Policy: script-src 'nonce-Y2U53p7Dpty6XSdv8PgARw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1
Thanks.
Hi, thanks for your reply. It'd be better if you can engage directly with the reCAPTCHA team for help on this rather than use me as a go-between, because I'm sure they will have followup questions for you. According to their documentation, you should email support@recaptcha.net for bugs and feature requests, or use Stack Overflow for general support.
These are 2 independent error/warning messages that appear in Safari independently of each other. Special thanks to @mesqueeb for the detailed research data provided. So, let's examine each one separately.
Anyway, the Google API Client Library developers have no control over Apple's state of affairs.
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. The error means some inline script is really locked. As for why this does not prevent the Google API from operating normally, see para 4 below.
In 99% of cases, this error occurs inside an invisible Google frame, in which data is exchanged with Google services. Pay attention to the place where the error occurred: postmessageRelay (it works in its own frame) and iframe: 0. To protect this frame, the related Google service publishes its own CSP within it in browser backward-compatibility mode; one such CSP is shown by @tom-b-wright above. Reducing the security of Google's auth iframes just because of Safari console warnings is not a good idea.
1% of cases:
Safari is special. Therefore developers have a related headache, like it was with IE6 a few years ago.
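The sample header quoted earlier in this thread and the backward-compatibility mode described in the comment above, worked through as an added example (not part of any participant's post and not Google's code): the sketch splits the script-src list and shows which sources a browser honors at three levels of CSP support. The function names and level numbers are assumptions of this example; level 2 models a browser that ignores 'strict-dynamic', as the Safari console message reports.

```javascript
// Added example: how one script-src list is read at three levels of CSP support.
// SAMPLE_CSP is the header value quoted in the thread; all names are hypothetical.
const SAMPLE_CSP =
  "script-src 'nonce-Y2U53p7Dpty6XSdv8PgARw' 'unsafe-inline' 'strict-dynamic' " +
  "https: http: 'unsafe-eval';object-src 'none';base-uri 'self';" +
  "report-uri https://csp.withgoogle.com/csp/recaptcha/1";

// Split a policy string into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources; // first occurrence wins
    }
  }
  return directives;
}

const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)/i.test(s);
const isKeyword = (s) => s.startsWith("'");

// level 1: no nonce support; level 2: nonces and hashes;
// level 3: nonces, hashes and 'strict-dynamic'.
function effectiveScriptSrc(sources, level) {
  const ignored = [];
  const hasNonce = level >= 2 && sources.some(isNonceOrHash);
  const strict = level >= 3 && sources.includes("'strict-dynamic'");
  const honored = sources.filter((s) => {
    let drop = false;
    if (isNonceOrHash(s)) drop = level < 2;              // unknown token at level 1
    else if (s === "'strict-dynamic'") drop = level < 3; // the source Safari warned about
    else if (s === "'unsafe-inline'") drop = hasNonce || strict;
    else if (!isKeyword(s) || s === "'self'") drop = strict; // hosts and schemes
    if (drop) ignored.push(s);
    return !drop;
  });
  return { honored, ignored };
}

const scriptSrc = parseCsp(SAMPLE_CSP)["script-src"];
for (const level of [1, 2, 3]) {
  const { honored, ignored } = effectiveScriptSrc(scriptSrc, level);
  console.log(`CSP${level}: honored=${honored.join(" ")} | ignored=${ignored.join(" ")}`);
}
```

At every level the policy stays enforceable: the oldest browsers fall back to 'unsafe-inline' and the scheme allowlist, a level-2 browser requires the nonce and drops 'strict-dynamic' with a warning, and a level-3 browser trusts only nonced scripts and what they load.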
Unchecking the Prevent cross-site tracking (default is on) solved my issue of cross site images and script loading. ( MacOS Big Sur )
Mac IPhone I hope it can help you!
The solution to remove the block pop-ups setting is not a solution, it's more a workaround/hack, and additionally doesn't solve a thing for me.
I can't believe this is being ignored? Concurrence Google/Apple being the issue, or what is the reason a 3 years old BUG is not resolved?
Any other solution than disabling blockers?
Are there any updates here?
Are we going to get a solution?
Don't we worry - Google is busy destroying all our businesses with their "core web vitals" updates and invading all our privacy with things like FLoC, while things like these or just the very GIT Thread here... are proof of how much of an authoritative instance Google is for things "good web": None!
In fact it is their broken tools, indexes not working or badly working, and other issues like the ability to check your URLs only after signing up for a free analytics account (LOL) that clearly show how much they are interested in your success versus their success by gathering data for free thru their analytics services. It is a relation of 0:n (zero being their interest in your success, and n representing their interest in their success thru making you give them all data they need - for free.)
We are the fools: how did Google even become this hilarious monopoly giant? In other industries, they would be investigated for monopoly tactics and probably broken into pieces, if not sued for favouritism.
Going off topic, however, it is kind of on topic, since it all concerns the one giant PITA we deal with here: google
Any updates?
I am experiencing the same problem with reCaptcha invisible and Safari.
Same here ! :(
Same here. Recaptcha v3 (with react wrapper), Safari on iOS & MacOS + Firefox on iOS
It is breaking the page as it halts the js execution. In fact some of our animated images even stop playing once the google recaptcha js script is included.
But it has worked occasionally in the past, either because my safari was auto updated on iOS or because google changed the script's policy.
Is this planned to be resolved or should we look into a different captcha library such as hCaptcha?
How do sites like mongodb make the invisible reCaptchas work in safari?
The issue still persists in Safari v14.1.2 (16611.3.10.1.6).
Though the hack of unchecking Prevent cross-site tracking and allowing pop-up windows for a specific website in Safari Preferences works well, it doesn't solve a problem.
Running into this as well, sadly did not find any solution other than having to disable ReCaptcha (v3, invisible) for the time being. Is there any update on this? Could anyone from Google please help us out, here?
As it stands right now, apparently ReCaptcha simply does not work on Safari? Does no one care about this?
Given that they make their products virtually unusable for non-Chrome browsers (Meet, for example), it's not like they don't care, but rather, I'm sure, it is intended behaviour.
Today I have this issue in Google Maps. I can't scroll up/down to change the map scale, and in the console I see this issue. Can anyone say where we should report this?
Dear GAPI team. I have a security bug only on Safari. Right in between loading and initialising GAPI I get these: