michaelvs97 / AspNetCore.ReCaptcha

Google ReCAPTCHA v2/v3 Library for .NET Core 3.x/5.x
https://www.nuget.org/packages/AspNetCore.ReCaptcha/
MIT License

add support for CSP/nonce tags #59

Closed bentpr closed 10 months ago

bentpr commented 11 months ago

Is your feature request related to a problem? Please describe.
We're using CSP on our site, which by default blocks the execution of inline scripts. Normally this can be solved by adding a sha-256 value to the site's HTTP header (where the sha-256 value depends on the script that's expected to run), or by adding a 'nonce' value to both the HTTP header and the script tag directly.

Describe the solution you'd like
Ideally we could pass in a nonce to the recaptcha tag helper, so <recaptcha nonce='some_token_here'/>

which then outputs (pseudocode)

<script nonce='some_token_here' src="https://www.google.com/recaptcha/api.js..."></script>
<script nonce='some_token_here'>function updateReCaptcha1() {grecaptcha.execute(...)}</script>

Describe alternatives you've considered
google.com can be added to the CSP allowed sources, so that isn't so much of a problem; however, the generated script ignores any additional attributes passed to the recaptcha tag besides language.

sleeuwen commented 10 months ago

Hi @bentpr ,

Thanks for the suggestion. We've implemented this in v1.8.0, which has just been merged and should be available on NuGet shortly. Please let us know if this fixes your problem.

Like you suggested, you are now able to use the following to add a nonce to the generated inline script:

<recaptcha nonce="add_token_here" />
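The other half of the feature discussed above is generating the nonce and putting the same value in the Content-Security-Policy header. Below is an added example of an ASP.NET Core middleware that does this; it is not code from the AspNetCore.ReCaptcha project, and it assumes the tag helper accepts a `nonce` attribute as shown in this thread (the `UseCspNonce` name, the `csp-nonce` item key and the policy string are this example's own choices).

```csharp
// Added example, not part of AspNetCore.ReCaptcha: per-request CSP nonce middleware.
// Register it early in Startup.Configure, e.g. app.UseCspNonce(); before MVC/endpoints.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class CspNonceMiddleware
{
    // Key under which the nonce is stored for the view to read back (our own naming).
    public const string NonceItemKey = "csp-nonce";

    public static IApplicationBuilder UseCspNonce(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // 128 bits from the CSPRNG, base64-encoded: a fresh, unguessable value per response.
            // RandomNumberGenerator.Fill is available on .NET Core 3.x and later.
            var bytes = new byte[16];
            RandomNumberGenerator.Fill(bytes);
            var nonce = Convert.ToBase64String(bytes);
            context.Items[NonceItemKey] = nonce;

            // Inline scripts run only when they carry this exact nonce; external scripts are
            // limited to the reCAPTCHA origins that Google's CSP guidance lists. The header is
            // set before calling next() so it is in place before any response body is written.
            context.Response.Headers["Content-Security-Policy"] =
                "default-src 'self'; " +
                $"script-src 'self' 'nonce-{nonce}' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; " +
                "frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; " +
                "object-src 'none'; base-uri 'self'";

            await next();
        });
    }
}
```

In the Razor view, read the value back with `@{ var nonce = (string)Context.Items["csp-nonce"]; }` and render `<recaptcha nonce="@nonce" />`; if the header and the attribute disagree, the browser refuses to run the generated inline script.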