What I know
1) Chrome error (see "Resources") message says recaptcha was blocked by FG Forum's Content-Security-Policy header (see "Resources"). More specifically, the script-src section. It at least appears that way.
2) Temporarily disabling CSP in Firefox fixes the issue and shows the captcha. WARNING: disabling CSP is dangerous. Know what door you're unlocking and never leave it disabled.
Known Broken Browsers:
Chrome: 95.0.4638.69 (Official Build) (64-bit)
Firefox: 93.0 (64-bit)
Opera: 80.0.4170.63
My confusion
If there hasn't been a change to the CSP on the site, I suspect it may be related to changes in how modern browsers interpret CSP.
Based just on the console error and `script-src` settings, I would guess we just need to add `https://google.com`.
But according to MDN, `script-src 'unsafe-inline'` is basically the "F it, allow everything" source. Based on MDN's explanation of the `script-src` directive, I'm led to believe the sources are additive, which makes me think `https://google-analytics.com` is already redundant since we already have the catch-all flag. But my understanding does not predict the behavior (google.com blocked), so I'm clearly missing something. I see lots of signs that modern browsers contextually ignore 'unsafe-inline' (https://csp.withgoogle.com/docs/strict-csp.html) but I can't find detailed specifications for when.
Resources
Chrome Console error:
Refused to load the script 'https://www.google.com/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
CSP header for https://forum.flightgear.org:
Useful Excerpt: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com
Entire header:
Content-Security-Policy: default-src https://forum.flightgear.org https://www.google-analytics.com; img-src *; font-src https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src https://www.youtube.com https://lbry.tv https://odysee.com;
Sources
https://developer.mozilla.org/en-US/doc ... script-src
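Added example, not part of the post or of the forum's code: a small script-src matcher written after the CSP3 source-expression rules, run against the header quoted above. It shows why the loader is refused (keyword sources such as 'unsafe-inline' only govern inline script and eval, never a URL) and that host matching is exact, so the candidate entry `https://google.com` would still not cover `www.google.com`; the page origin and the two candidate fixes are assumptions for the experiment.

```javascript
// Added example (not from the post): a small CSP script-src matcher that follows the
// CSP3 "does url match source list" rules closely enough to reproduce the decision quoted
// above. Simplifications: literal path comparison (no percent-decoding), no 'strict-dynamic'.
const FORUM_CSP = "default-src https://forum.flightgear.org https://www.google-analytics.com; img-src *; font-src https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src https://www.youtube.com https://lbry.tv https://odysee.com;";

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// host-source: [scheme://]host[:port][/path]; host may be "*" or "*.example.com"
function hostSourceMatches(expr, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  if (scheme ? scheme.toLowerCase() !== urlScheme : !["http", "https"].includes(urlScheme)) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (want.startsWith("*.")) { if (!h.endsWith(want.slice(1))) return false; }
  else if (want !== "*" && h !== want) return false; // exact: "google.com" does not cover "www.google.com"
  if (port && port !== "*" && url.port !== port) return false;
  if (!port && url.port !== "") return false; // no port given: URL must use the scheme's default port
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Would an external <script src=scriptUrl> on a page at pageOrigin be permitted by this header?
function scriptAllowed(header, pageOrigin, scriptUrl) {
  const d = parseCsp(header);
  const sources = d["script-src"] ?? d["default-src"]; // script-src-elem would take priority if present
  if (!sources) return true; // no governing directive
  const url = new URL(scriptUrl), self = new URL(pageOrigin);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return url.origin === self.origin;
    if (s.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', 'none', nonces, hashes: never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source such as https:
    return hostSourceMatches(src, url);
  });
}

// The forum's policy versus the recaptcha loader, plus the two candidate fixes from the post
const captcha = "https://www.google.com/recaptcha/api.js";
console.log(scriptAllowed(FORUM_CSP, "https://forum.flightgear.org", captcha)); // false
console.log(scriptAllowed(FORUM_CSP.replace("script-src ", "script-src https://google.com "), "https://forum.flightgear.org", captcha)); // false: exact host match
console.log(scriptAllowed(FORUM_CSP.replace("script-src ", "script-src https://www.google.com "), "https://forum.flightgear.org", captcha)); // true
```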