
Content Security Policy breaks forum registration  Topic is solved

Questions about the forum itself, suggestions or issues with the forum software.

Content Security Policy breaks forum registration

Postby kmacdough » Wed Nov 03, 2021 2:59 am

The Content-Security-Policy on this forum blocks the recaptcha script, required for the new user registration. (NOTE: This is NOT an https issue).

What I know
1) Chrome error message (see "Resources") says recaptcha was blocked by FG Forum's Content-Security-Policy header. More specifically, the script-src section. It at least appears that way.
2) Temporarily disabling CSP in Firefox fixes the issue and shows the captcha. :!: WARNING: disabling CSP is dangerous. Know what door you're unlocking and never leave it disabled.

Known Broken Browsers:
Chrome: 95.0.4638.69 (Official Build) (64-bit)
Firefox: 93.0 (64-bit)
Opera: 80.0.4170.63

My confusion
If there hasn't been a change to the CSP on the site, I suspect it may be related to changes in how modern browsers interpret CSP.

Based just on the console error and `script-src` settings, I would guess we just need to add `https://google.com`.

But according to MDN, `script-src 'unsafe-inline'` is basically the "F it, allow everything" source. Based on MDN's explanation of the `script-src` directive, I'm led to believe the sources are additive, which makes me think `https://google-analytics.com` is already redundant since we already have the catch-all flag. But my understanding does not predict the behavior (google.com blocked), so I'm clearly missing something. I see lots of signs that modern browsers contextually ignore 'unsafe-inline' (https://csp.withgoogle.com/docs/strict-csp.html) but I can't find detailed specifications for when.

Resources

Chrome Console error:
Refused to load the script 'https://www.google.com/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.


CSP header for https://forum.flightgear.org:
Useful Excerpt: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com
Entire header:
Content-Security-Policy: default-src https://forum.flightgear.org https://www.google-analytics.com; img-src *; font-src https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src https://www.youtube.com https://lbry.tv https://odysee.com;


Sources
https://developer.mozilla.org/en-US/doc ... script-src
kmacdough
 
Posts: 3
Joined: Wed Nov 03, 2021 1:54 am

Re: Content Security Policy breaks forum registration  

Postby Gijs » Wed Nov 03, 2021 11:23 am

Thanks for reporting! I've provisionally fixed it for now and will take a closer look at the options (we didn't change anything recently and registrations used to work fine).

Gijs
Airports: EHAM, EHLE, KSFO
Aircraft: 747-400
Gijs
Moderator
 
Posts: 9544
Joined: Tue Jul 03, 2007 3:55 pm
Location: Delft, the Netherlands
Callsign: PH-GYS
Version: Git
OS: Windows 10

Re: Content Security Policy breaks forum registration

Postby kmacdough » Wed Nov 03, 2021 2:35 pm

Confirmed resolved. Thanks for the quick fix!

I've looked around quite a bit and still can't find actual specifications for how script-src sources are processed.
kmacdough
 
Posts: 3
Joined: Wed Nov 03, 2021 1:54 am

Re: Content Security Policy breaks forum registration

Postby kmacdough » Wed Nov 03, 2021 2:40 pm

For posterity, this is the CSP header that provisionally fixed the issue:

Content-Security-Policy: default-src https://forum.flightgear.org https://www.google-analytics.com; img-src *; font-src https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src https://www.youtube.com https://lbry.tv https://odysee.com https://www.google.com;
kmacdough
 
Posts: 3
Joined: Wed Nov 03, 2021 1:54 am
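Added example (not code from this thread, from phpBB or from the forum's own software): a small Python checker that answers the question raised in the first post and confirms the fix quoted in the last one. It parses a serialized CSP header, resolves the fallback chain the Chrome message describes (script-src-elem, then script-src, then default-src), and matches a script URL against the source list. The point it makes concrete is that a source list is an allow list of origins: 'unsafe-inline' and 'unsafe-eval' only lift the restriction on inline script blocks, inline handlers and eval(), and grant nothing to an external URL, so https://www.google.com still has to be listed explicitly. The host matching is a simplified version of the spec's (scheme, host with a leading "*." wildcard, explicit port, path prefix); PAGE_ORIGIN, the two header strings and RECAPTCHA_JS are constructed from the values quoted in this thread.

```python
from urllib.parse import urlparse

# Constructed input: the page origin and the two policies quoted in this thread
# (the original header and the provisional fix).
PAGE_ORIGIN = "https://forum.flightgear.org"

ORIGINAL_CSP = (
    "default-src https://forum.flightgear.org https://www.google-analytics.com; "
    "img-src *; font-src https://fonts.gstatic.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "frame-src https://www.youtube.com https://lbry.tv https://odysee.com;"
)

FIXED_CSP = (
    "default-src https://forum.flightgear.org https://www.google-analytics.com; "
    "img-src *; font-src https://fonts.gstatic.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com "
    "https://www.google.com https://www.gstatic.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "frame-src https://www.youtube.com https://lbry.tv https://odysee.com https://www.google.com;"
)

RECAPTCHA_JS = "https://www.google.com/recaptcha/api.js"

# Keyword sources that never grant an external URL: they only govern inline
# scripts and eval(), or need a nonce/hash checked against the element itself.
NON_URL_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'", "'none'", "'strict-dynamic'",
                    "'unsafe-hashes'", "'report-sample'")


def parse_csp(header):
    """Split a serialized policy into {directive: [source expressions]}.
    A directive repeated later in the same header is ignored (first one wins)."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_directive(policy, chain=("script-src-elem", "script-src", "default-src")):
    """Return (name, sources) for the first directive in the fallback chain that
    the policy actually sets; this is the lookup the Chrome console message describes."""
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, None


def source_allows(expr, url, page_origin):
    """Does a single source expression match a URL? Simplified host matching:
    scheme, host (with a leading '*.' wildcard), port when given, path prefix."""
    expr_l = expr.lower()
    if expr_l in NON_URL_KEYWORDS or expr_l.startswith(("'nonce-", "'sha")):
        return False                      # keyword sources grant no external URL
    if expr == "*":
        return True
    u = urlparse(url)
    if expr_l == "'self'":
        o = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if expr_l.endswith(":") and "/" not in expr_l:   # scheme-source, e.g. https:
        return u.scheme == expr_l[:-1]
    pat = urlparse(expr if "://" in expr else "//" + expr)
    if pat.scheme and pat.scheme != u.scheme:
        return False
    if not pat.scheme and u.scheme not in (urlparse(page_origin).scheme, "https"):
        return False                      # scheme-less host: page scheme or https
    host = pat.hostname or ""
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif host != u.hostname:
        return False
    if pat.port is not None and pat.port != u.port:
        return False
    if pat.path and pat.path != "/":
        if pat.path.endswith("/"):
            return u.path.startswith(pat.path)
        return u.path == pat.path
    return True


def script_url_allowed(header, url, page_origin=PAGE_ORIGIN):
    """Would a <script src=url> element be allowed to load under this policy?"""
    _, sources = effective_directive(parse_csp(header))
    if sources is None:
        return True                       # no governing directive: not restricted
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    for label, csp in (("original", ORIGINAL_CSP), ("fixed", FIXED_CSP)):
        name, _ = effective_directive(parse_csp(csp))
        print(f"{label}: governed by {name}, recaptcha allowed = "
              f"{script_url_allowed(csp, RECAPTCHA_JS)}")
```

Run as a script it reports the recaptcha URL as blocked under the original header and allowed under the fixed one, with script-src as the governing directive in both cases because script-src-elem is not set. The contextual behaviour mentioned in the first post is a separate rule: when a script-src list also carries a nonce or hash source, browsers ignore 'unsafe-inline' in that list, which is what the linked strict-CSP guidance relies on, and it still has nothing to do with whether an external host is listed. From a hardening point of view, 'unsafe-inline' and 'unsafe-eval' in script-src are what weaken the policy's XSS protection; listing the third-party hosts explicitly, as the fix does, is the right direction.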

