GitLab has a runtime dependency on a non-FOSS reCAPTCHA library provided by Google
Summary
GitLab relies on a Google-supplied reCAPTCHA library that is reportedly proprietary code: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/assets/javascripts/vue_shared/components/recaptcha_modal.vue#L22 -> https://www.google.com/recaptcha/api.js -> https://www.gstatic.com/recaptcha/api2/v1523860362251/recaptcha__en.js
This library is used in the frontend "recaptcha" modal, which is displayed when editing an issue description without refreshing the whole page.
I can't find a reference to the license of this code anywhere, so I'm not certain that the reported license is correct. We should resolve this before taking concrete action, but I don't think hotlinking JS to external sites is a good idea in general anyway.
Steps to reproduce
- Create a new issue
- Edit the issue and add many links to its description
- Observe the reCAPTCHA modal appear and load code from the google.com URL above.
What is the current bug behavior?
(Possibly) proprietary JS is loaded from google.com and run in the user's browser.
I was hoping to validate this myself on GitLab.com but failed to construct an issue that caused reCAPTCHA to be triggered. I'll keep trying. Until then, this is entirely user-reported.
What is the expected correct behavior?
No external code should be loaded, and no JavaScript that GitLab causes the browser to run should be under a proprietary license.
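As an added regression check (not part of this issue or of GitLab's code), the snippet below lists every script a page loads from an origin other than its own and shows how a Content-Security-Policy script-src of 'self' would refuse the hotlinked reCAPTCHA script. It assumes the page origin is https://gitlab.com; the sample HTML is constructed to mirror the script tags this issue describes.

```javascript
// Constructed sample: two same-origin bundles plus the hotlinked reCAPTCHA loader.
const SAMPLE_HTML = `
<html><head>
<script src="/assets/webpack/main.js"></script>
<script src="https://gitlab.com/assets/webpack/issue_show.js"></script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head></html>`;

// Pull the src attribute out of every <script> tag (regex is enough for a check,
// it is not a full HTML parser).
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc=["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve each src against the page origin and keep those served from elsewhere.
function externalScripts(html, pageOrigin) {
  const page = new URL(pageOrigin);
  return scriptSources(html)
    .map((src) => new URL(src, page))
    .filter((u) => u.origin !== page.origin)
    .map((u) => u.href);
}

// Minimal CSP script-src matcher: handles 'self', scheme-qualified hosts and
// wildcard hosts (*.example.com). Nonces, hashes and 'unsafe-*' are treated as
// non-matching; ports are ignored.
function allowedByCsp(url, scriptSrc, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return scriptSrc.trim().split(/\s+/).some((src) => {
    if (src === "'self'") return target.origin === page.origin;
    if (src.startsWith("'")) return false;
    let host = src;
    const sep = src.indexOf('://');
    if (sep !== -1) {
      if (src.slice(0, sep + 1) !== target.protocol) return false; // scheme mismatch
      host = src.slice(sep + 3);
    }
    host = host.split('/')[0].split(':')[0].toLowerCase();
    if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
    return host === target.hostname;
  });
}

const external = externalScripts(SAMPLE_HTML, 'https://gitlab.com');
console.log('external scripts:', external);
console.log("blocked by script-src 'self':",
  external.filter((u) => !allowedByCsp(u, "'self'", 'https://gitlab.com')));
```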
Output of checks
This bug happens on GitLab.com