Reactjs-captcha not working with CSP (Content-Security-Policies)

With Content-Security-Policies (**CSP**) activated, the below code in line 10 of file https://github.com/captcha-com/reactjs-captcha/blob/master/src/captcha-helper.js
```
var f = new Function(responseText);
```
is **blocked**. Indeed `Function()` method is [blocked by default by CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src). So the captcha does not work.

Therefore, to make it work, we have to add the below exception in our content security policies:
```
script-src 'unsafe-eval'.
```
This reduces the protection against certain types of DOM-based XSS bugs...

So on one side we increase the security with the captcha but in another side we decrease it by "unsafing" javascript evaluation methods.





Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Reactjs-captcha not working with CSP (Content-Security-Policies) #7

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Reactjs-captcha not working with CSP (Content-Security-Policies) #7

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions