Skip to content

reCaptcha fails to load when default Content Security Policy settings are enabled

Summary

We use Google's reCaptcha to protect against brute force logins. We have noticed that after upgrading to 13.12.1 that the Content Security Policy now blocks reCaptcha from loading. This prevents people from logging in.

After searching I have found that the reCaptcha integration is missing the nonce field in the script HTML element. Which interferes with the default usage of CSP's 'strict-dynamic'.

Steps to reproduce

  1. Install/upgrade to GitLab 13.12.
  2. Enable reCaptcha integration for login.
  3. Start a new private browser window pointed to the sign in page of your GitLab installation.
  4. Observe the Web Developer's Network tab to see it block loading of reCaptcha.

What is the current bug behavior?

reCaptcha fails to load on the sign in page due to nonce field missing in the script element. Nonce field is required by the default Content Security Policy's 'strict-dynamic' setting.

What is the expected correct behavior?

reCaptcha should be loading and allowing people to sign in.

Relevant logs and/or screenshots

https://b2.thomasjosif.com/file/thomasjosif/img/chrome_wKDv9hDY5j.png https://b2.thomasjosif.com/file/thomasjosif/img/chrome_kCq3EdHW4c.png

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 
root@web5-gitlab:~# sudo gitlab-rake gitlab:env:info

System information
System:         Ubuntu 20.04
Current User:   git
Using RVM:      no
Ruby Version:   2.7.2p137
Gem Version:    3.1.4
Bundler Version:2.1.4
Rake Version:   13.0.3
Redis Version:  6.0.12
Git Version:    2.31.1
Sidekiq Version:5.2.9
Go Version:     unknown

GitLab information
Version:        13.12.1
Revision:       bec931306a7
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.6
URL:            https://gitlab.hgdc.co
HTTP Clone URL: https://gitlab.hgdc.co/some-group/some-project.git
SSH Clone URL:  git@gitlab.hgdc.co:some-group/some-project.git
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.18.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
root@web5-gitlab:~# sudo gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...

Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 13.18.0 ? ... OK (13.18.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Checking Reply by email ...


IMAP server credentials are correct? ... Exception: Tried to load unspecified class: Symbol
Init.d configured correctly? ... skipped
MailRoom running? ... skipped


Checking Reply by email ... Finished


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
13/3 ... yes
47/4 ... yes
8/5 ... yes
8/6 ... yes
8/7 ... yes
13/8 ... yes
19/11 ... yes
140/13 ... yes
36/14 ... yes
35/15 ... yes
8/16 ... yes
8/17 ... yes
19/18 ... yes
36/19 ... yes
47/20 ... yes
49/21 ... yes
49/22 ... yes
8/25 ... yes
36/26 ... yes
8/27 ... yes
13/28 ... yes
13/29 ... yes
13/30 ... yes
19/33 ... yes
13/34 ... yes
19/37 ... yes
62/38 ... yes
63/40 ... yes
68/43 ... yes
13/52 ... yes
63/53 ... yes
8/55 ... yes
35/56 ... yes
8/57 ... yes
63/58 ... yes
13/59 ... yes
63/60 ... yes
13/61 ... yes
13/64 ... yes
85/65 ... yes
85/66 ... yes
85/67 ... yes
85/68 ... yes
85/69 ... yes
85/70 ... yes
85/71 ... yes
85/72 ... yes
86/73 ... yes
86/74 ... yes
86/75 ... yes
86/76 ... yes
86/77 ... yes
86/78 ... yes
86/79 ... yes
13/80 ... yes
13/82 ... yes
13/83 ... yes
13/84 ... yes
13/85 ... yes
62/86 ... yes
13/88 ... yes
97/89 ... yes
98/90 ... yes
98/91 ... yes
101/93 ... yes
101/94 ... yes
101/95 ... yes
101/96 ... yes
101/98 ... yes
101/99 ... yes
8/100 ... yes
101/101 ... yes
106/102 ... yes
8/103 ... yes
13/104 ... yes
108/105 ... yes
19/106 ... yes
62/107 ... yes
19/108 ... yes
109/109 ... yes
13/110 ... yes
8/111 ... yes
19/112 ... yes
19/114 ... yes
13/115 ... yes
106/116 ... yes
13/117 ... yes
13/118 ... yes
106/119 ... yes
120/120 ... yes
120/121 ... yes
8/122 ... yes
8/123 ... yes
63/124 ... yes
35/125 ... yes
132/126 ... yes
8/127 ... yes
8/128 ... yes
35/129 ... yes
62/130 ... yes
62/131 ... yes
140/132 ... yes
63/133 ... yes
101/134 ... yes
62/135 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.2)
Git version >= 2.31.0 ? ... yes (2.31.1)
Git user has default SSH configuration? ... yes
Active users: ... 31
Is authorized keys file accessible? ... skipped (authorized keys not enabled)
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... no
Try fixing it:
Please migrate all projects to hashed storage
as legacy storage is deprecated in 13.0 and support will be removed in 14.0.
For more information see:
doc/administration/repository_storage_types.md


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Possible fixes

Workaround 
gitlab_rails['content_security_policy'] = {
    enabled: true,
    report_only: false,
    directives: {
      default_src: "'self'",
      base_uri: "'self'",
      child_src: "'none'",
      connect_src: "'self'",
      font_src: "'self'",
      form_action: "'self' https: http:",
      frame_ancestors: "'self'",
      frame_src: "'self' https://www.recaptcha.net/ https://www.google.com https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloud>
      img_src: "'self' data: blob: http: https:",
      manifest_src: "'self'",
      media_src: "'self'",
      script_src: "'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://www.google.com https://apis.google.com",
      style_src: "'self' 'unsafe-inline'",
      worker_src: "'self'",
      object_src: "'none'",
      report_uri: nil
    }
}
Edited by Dominic Couture