
Allow nonce-based CSP for reCAPTCHA

Open kesara opened this issue 8 years ago • 3 comments

For more secure CSP rules, Flask-WTF reCAPTCHA should allow providing a nonce when using reCAPTCHA and include that nonce in the script tag which loads api.js.

More information: https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website-how-can-i-configure-it-to-work-with-recaptcha

kesara avatar Oct 23 '17 22:10 kesara

That link is unclear about how to use a nonce. If you know what needs to happen, please open a PR.

davidism avatar Oct 24 '17 02:10 davidism

I think my PR should address the issue of inserting the nonce into the script tag. But getting it working requires adding that nonce to the HTTP CSP header; I don't think that should be part of this library.

kesara avatar Oct 24 '17 10:10 kesara

Well, also try adding the nonce in the <head> tag.

songsammy avatar Jun 01 '22 03:06 songsammy
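The two halves the thread describes (a nonce in the api.js script tag, and the same nonce in the Content-Security-Policy header) only work together if they agree per response. The example below is added here and is not Flask-WTF code; it uses only the standard library, and the function names, the `build_response` stand-in for a real view, and the exact directive set in `csp_header` are assumptions (a deployment should take the reCAPTCHA directives from Google's FAQ linked above). `script_tag_permitted` is a defender-side check that the header and the tag really carry the same nonce.

```python
import re
import secrets
from html import escape
from typing import Optional

RECAPTCHA_API = "https://www.google.com/recaptcha/api.js"


def make_nonce() -> str:
    """Fresh, unguessable nonce for one response; a fixed or reused nonce defeats CSP."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Policy value allowing only nonce-tagged scripts (directive set is an assumption;
    align the reCAPTCHA script/frame sources with Google's FAQ for the real site)."""
    return (
        f"script-src 'nonce-{nonce}'; "
        "frame-src https://www.google.com/recaptcha/; "
        "object-src 'none'; base-uri 'none'"
    )


def recaptcha_script_tag(nonce: str) -> str:
    """The api.js tag, carrying the per-response nonce as an attribute."""
    return f'<script src="{RECAPTCHA_API}" nonce="{escape(nonce, quote=True)}" async defer></script>'


def nonces_allowed_by(header: str) -> set:
    """Collect every 'nonce-...' source listed in the script-src directive."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return set(re.findall(r"'nonce-([^']+)'", value))
    return set()


def script_tag_permitted(header: str, html: str) -> bool:
    """True only if the page's script tag carries a nonce the header actually lists."""
    match = re.search(r'\bnonce="([^"]*)"', html)
    return match is not None and match.group(1) in nonces_allowed_by(header)


def build_response(nonce: Optional[str] = None):
    """Stand-in for a view: one nonce feeds both the header and the rendered <head>."""
    nonce = nonce or make_nonce()
    headers = {"Content-Security-Policy": csp_header(nonce)}
    body = "<html><head>" + recaptcha_script_tag(nonce) + "</head><body></body></html>"
    return headers, body
```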