CSP strict-dynamic compliance and onfocus issue #33
Comments
Hello, with strict CSP configuration, you will have to apply CSS in your app. You can use the The issues with

Hello,
I thought inline-styles, like inline-scripts, were allowed when loaded from a script with CSP3 strict-dynamic but that's not the case so yeah I'll do the fallback solution that is working fine. The script is not responsible.
Okay I've extracted it from GitHub and it indeed seems to work now. Thanks.

As suggested here, I added

Hi, I suppose you can try a custom build without bundled css, but I'm not an expert on bundlers, what I tried didn't work. Let me know if you figure out how to make it work. Alternatively, for custom integrations, I would recommend using https://github.com/altcha-org/altcha-lib for custom components or invisible captchas.

This is not a solution
However can be a way to temporarily fix this issue (hopefully this may help someone to understand how to find a definitive solution)
Idea
Would it be possible to include a CDN link for the component with styling and one with a separate CSS file and the component without styling?

Now the issue is coming later when using the widget, I'm getting multiple errors regarding a local blob being generated. Yes, I could modify my CSP Policy for allowing it, but it is not safe. What can I do to use workers in a safe way with CSP?

Here is my solution for altcha.js:

```js
var nt = Object.defineProperty;
var it = (r, e, t) => e in r ? nt(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t;
var T = (r, e, t) => (it(r, typeof e != "symbol" ? e + "" : e, t), t);
function Q() {
}
function Ve(r) {
  return r();
}
function Ie() {
  return /* @__PURE__ */ Object.create(null);
}
function te(r) {
  r.forEach(Ve);
}
function Ue(r) {
  return typeof r == "function";
}
function ot(r, e) {
  return r != r ? e == e : r !== e || r && typeof r == "object" || typeof r == "function";
}
function lt(r) {
  return Object.keys(r).length === 0;
}
// Append node e to parent r, but skip <style> elements so the bundle
// injects no inline styles; the CSS is loaded from a separate file instead.
function v(r, e) {
  if (e.localName == "style") {
    return;
  }
  r.appendChild(e);
}
```

[...] Of course, you keep the rest of the script, just change the start to this. You implement alcha.css and you have no more errors. However it might be good to make CSP-compliant scripts without inline styles/scripts so I'm reopening.

Ok, I managed to get it build with external assets, it's in the

Works like a charm, thank you very much!

It's already in the version

Hello,
Would it be possible to make CSS of Altcha compliant with strict-dynamic CSP?
Secondly, when using onfocus, if we click on the submit button, the validation starts again, even if already validated and not expired and therefore we cannot submit the form :/
Thanks.
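
Added example, not part of the thread or of Altcha's code: a small JavaScript check of how a policy treats a `<style>` element injected by a script, the case discussed in this issue, where 'strict-dynamic' extends trust to scripts but not to styles. The policy strings, the nonce value and the function names are constructed for illustration, and hash sources are only detected, not matched against style content.

```javascript
// Added example: how a CSP treats a <style> element that a script injects.
// Policies and nonce values below are constructed samples.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// <style> elements are governed by style-src-elem, then style-src, then default-src.
function styleDirective(directives) {
  return ["style-src-elem", "style-src", "default-src"].find((d) => directives.has(d)) || null;
}

function injectedStyleAllowed(policy, elementNonce = "") {
  const directives = parseCsp(policy);
  const directive = styleDirective(directives);
  // No governing directive at all: styles are unrestricted.
  if (directive === null) return { allowed: true, directive };
  const sources = directives.get(directive);
  // Nonces are compared case-sensitively; keywords are case-insensitive.
  if (elementNonce && sources.includes(`'nonce-${elementNonce}'`)) {
    return { allowed: true, directive };
  }
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // 'strict-dynamic' is never consulted here: it only extends trust to scripts.
  // A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
  return { allowed: unsafeInline && !hasNonceOrHash, directive };
}

const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic'; style-src 'self'; object-src 'none'";
const WITH_STYLE_NONCE = "script-src 'nonce-r4nd0m' 'strict-dynamic'; style-src 'self' 'nonce-r4nd0m'";

console.log(injectedStyleAllowed(STRICT));                     // blocked by style-src
console.log(injectedStyleAllowed(WITH_STYLE_NONCE, "r4nd0m")); // allowed via nonce
```
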