ASP.NET MVC HTML5 Boilerplate - Content Security Policy is killing all external scripts, even “whitelisted” ones


Current Project:

  • ASP.NET 4.5.2
  • MVC 5
  • HTML5 Boilerplate
  • Google ReCaptcha (any NuGet package, take your pick, I’ve already churned through three of them)

So it appears that anything from outside the site I am developing gets stopped, cold, by the Content Security Policy. Yes, there is supposed to be a Google ReCaptcha at the bottom of that form. Don’t see it? Yeah… This is despite things like ajax.googleapis.com being supposedly “whitelisted” through FilterConfig.cs.

When I go to my site and try to load it, I get the console error:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.google.com/recaptcha/api.js ("script-src http://http://www.taskgenerator.ca http://localhost:* http://ajax.googleapis.com http://ajax.aspnetcdn.com").

When I add www.google.com to the CspScriptSrcAttribute() inside FilterConfig.cs, I get the following error:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.gstatic.com/recaptcha/api2/r20160913151359/recaptcha__en.js ("script-src http://http://www.taskgenerator.ca http://localhost:* http://www.google.com http://ajax.googleapis.com http://ajax.aspnetcdn.com").

When I add www.gstatic.com I get the following error:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.google.com/recaptcha/api2/anchor?k=6LdHZB4TAAAAAMj_6F7h1ahYTNAjtHqRvWLj_FBx&co=aHR0cDovL3Rhc2tnZW5lcmF0b3IubG9jYWxob3N0Ojgw&hl=en&v=r20160913151359&size=normal&cb=lvhf93b5gk4z ("default-src 'none'").

despite having already whitelisted www.google.com as per above.

This is happening all the way down the &#$!%(@ rabbit hole. There doesn’t seem to be an end to it. All I want is to add a stupid ReCaptcha to the site -- how hard should that be??

I am being seriously convinced to gratuitously tear the HTML5 boilerplate from the project and go it raw/custom/default just to avoid these intractable show-stopping critical bugs.

Please tell me:

  1. How to turn OFF CSP from within the HTML5 Boilerplate, or
  2. How to correct this issue for a feature that should already be whitelisted (Google API).

The HTML5 MVC Boilerplate page provides ZERO advice in this regard.


EDIT:

The code within my FilterConfig.cs was originally as such:

filters.Add(
  new CspScriptSrcAttribute() {
    CustomSources = string.Join(
      " ",
#if DEBUG
      "localhost:*",
#endif
      ContentDeliveryNetwork.Google.Domain,
      ContentDeliveryNetwork.Microsoft.Domain
    ),
    Self = true,
  });

With the constants (contentdeliverynetwork.cs) as such:

public static class ContentDeliveryNetwork {
  public static class Google {
    public const string Domain = "ajax.googleapis.com";
    public const string JQueryUrl = "//ajax.googleapis.com/ajax/libs/jquery/2.2.3/jquery.min.js";
  }
  public static class MaxCdn {
    public const string Domain = "maxcdn.bootstrapcdn.com";
    public const string FontAwesomeUrl = "//maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css";
  }
  public static class Microsoft {
    public const string Domain = "ajax.aspnetcdn.com";
    public const string JQueryValidateUrl = "//ajax.aspnetcdn.com/ajax/jquery.validate/1.15.0/jquery.validate.min.js";
    public const string JQueryValidateUnobtrusiveUrl = "//ajax.aspnetcdn.com/ajax/mvc/5.2.3/jquery.validate.unobtrusive.min.js";
    public const string ModernizrUrl = "//ajax.aspnetcdn.com/ajax/modernizr/modernizr-2.8.3.js";
    public const string BootstrapUrl = "//ajax.aspnetcdn.com/ajax/bootstrap/3.3.6/bootstrap.min.js";
  }
}

And even a modification to the following:

filters.Add(
  new CspScriptSrcAttribute() {
    // Plain host list; the string.Format() wrapper in the original did nothing.
    CustomSources = "google.com www.gstatic.com www.google.com localhost:* ajax.googleapis.com ajax.aspnetcdn.com",
    Self = true,
  });

does not help.

Answer by Muhammad Rehan Saeed:

Chrome normally tells you what is being blocked as you've found. You just need to add all of the exceptions it tells you about. That said, if you want to turn off CSP, comment out the following line:

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        AddSearchEngineOptimizationFilters(filters);
        AddSecurityFilters(filters);
        AddContentSecurityPolicyFilters(filters); // Comment this out
    }

    // ...Omitted
}
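As an added example (not the answerer's code and not the boilerplate's own FilterConfig), here is how the same NWebsec attributes can allow reCAPTCHA while keeping default-src 'none'. The third error in the question is reported against default-src because the widget is an iframe from www.google.com, which is governed by frame-src (child-src in CSP Level 2), not script-src. The NWebsec.Mvc namespaces and version are assumed; ContentDeliveryNetwork is the class from the question.

```csharp
using System.Web.Mvc;
using NWebsec.Mvc.HttpHeaders;       // assumed: CspAttribute
using NWebsec.Mvc.HttpHeaders.Csp;   // assumed: Csp*SrcAttribute

public static class FilterConfig
{
    // reCAPTCHA v2 loads api.js from www.google.com, which in turn loads
    // recaptcha__en.js from www.gstatic.com (both script-src), and then renders
    // the widget in an <iframe> from www.google.com/recaptcha/api2/anchor.
    // Frames fall under frame-src / child-src and fall back to default-src,
    // which is why adding hosts to script-src alone never clears the last error.
    private const string ReCaptchaScriptHosts = "www.google.com www.gstatic.com";
    private const string ReCaptchaFrameHosts = "www.google.com";

    public static void AddContentSecurityPolicyFilters(GlobalFilterCollection filters)
    {
        // Emit the CSP header and keep the restrictive default; open only the
        // directives the widget actually needs rather than disabling CSP.
        filters.Add(new CspAttribute());
        filters.Add(new CspDefaultSrcAttribute { None = true });

        // Host-only sources (no scheme) match both http and https resources.
        filters.Add(new CspScriptSrcAttribute
        {
            Self = true,
            CustomSources = string.Join(" ",
#if DEBUG
                "localhost:*",
#endif
                ContentDeliveryNetwork.Google.Domain,
                ContentDeliveryNetwork.Microsoft.Domain,
                ReCaptchaScriptHosts)
        });

        // The directive the question's script-src edits could not supply.
        // frame-src is the original (and CSP Level 3) name; child-src is the
        // CSP Level 2 name that some browsers of that era consult instead,
        // so set both to the same hosts.
        filters.Add(new CspFrameSrcAttribute { CustomSources = ReCaptchaFrameHosts });
        filters.Add(new CspChildSrcAttribute { CustomSources = ReCaptchaFrameHosts });

        // style-src, img-src, font-src etc. stay as in the boilerplate's file.
    }
}
```

After the change, the browser console should report no further blocked google.com or gstatic.com resources; any remaining report names the exact directive still missing, which is the signal to add one more source, not to switch CSP off.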