https://bugs.openldap.org/show_bug.cgi?id=9573
Issue ID: 9573
Summary: GitLab sign-ups prevented by missing reCAPTCHA
Product: website
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: website
Assignee: bugs@openldap.org
Reporter: max@davitt.me
Target Milestone: ---

I keep getting errors when trying to sign up for a GitLab account at https://git.openldap.org/users - sorry in advance if this is the wrong place to report something like this.
An error gets returned upon each attempt saying "There was an error with the reCAPTCHA. Please solve the reCAPTCHA again." despite there being no visible reCAPTCHA form on the page.
Looking at the Developer Tools suggests that it may be unable to load one due to security settings on the webpage. I have reproduced this issue on Chrome and Firefox.
The Chrome Developer Tools message reads:

Refused to load the script 'https://www.google.com/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com 'nonce-xilvMBBstAueaMyGwaE7gg=='". 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

The Firefox Developer Tools console reads:

Content Security Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https://www.recaptcha.net” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https://apis.google.com” within script-src: ‘strict-dynamic’ specified
Some cookies are misusing the recommended “SameSite“ attribute 2
Content Security Policy: The page’s settings blocked the loading of a resource at https://www.google.com/recaptcha/api.js (“script-src”).
Unable to check <input pattern='.{,}'> because the pattern is not a valid regexp: incomplete quantifier in regular expression

My apologies for the lengthy issue description. Thanks for everything you do!
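
Added example (not part of the original report, and not GitLab or browser code): a simplified JavaScript model of how the script-src directive quoted above is applied to an external script, showing why the host entries stop mattering once 'strict-dynamic' is present. The function names, the script object shape and the bare-origin matching are assumptions made for illustration; hashes, wildcards and script-src-elem are not modelled.

```javascript
// Simplified model of script-src evaluation for an external <script src>.
// Assumptions: host-sources are bare origins, hashes are not modelled.
const POLICY = "script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' " +
  "https://www.recaptcha.net https://apis.google.com 'nonce-xilvMBBstAueaMyGwaE7gg=='";
const PAGE_ORIGIN = 'https://git.openldap.org';

function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // default-src fallback is not modelled here
}

// script: { src, nonce (optional), parserInserted (true for a markup <script>) }
function checkScript(policy, script, pageOrigin = PAGE_ORIGIN) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return { allowed: true, reason: 'no script-src directive' };
  const nonces = sources.map((s) => /^'nonce-(.+)'$/i.exec(s))
    .filter(Boolean).map((m) => m[1]);
  if (script.nonce && nonces.includes(script.nonce)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  if (sources.some((s) => s.toLowerCase() === "'strict-dynamic'")) {
    // Host-sources, scheme-sources, 'self' and 'unsafe-inline' are ignored.
    return script.parserInserted
      ? { allowed: false, reason: 'allowlist ignored; nonce required' }
      : { allowed: true, reason: 'inserted by an already trusted script' };
  }
  const origin = new URL(script.src).origin;
  for (const s of sources) {
    if (s.toLowerCase() === "'self'" && origin === pageOrigin) {
      return { allowed: true, reason: "matches 'self'" };
    }
    if (/^https?:\/\//i.test(s) && new URL(s).origin === origin) {
      return { allowed: true, reason: `matches ${s}` };
    }
  }
  return { allowed: false, reason: 'no matching source expression' };
}

// The script from the report, then the allowlisted host, both without a nonce.
for (const src of ['https://www.google.com/recaptcha/api.js',
                   'https://www.recaptcha.net/recaptcha/api.js']) {
  console.log(src, checkScript(POLICY, { src, parserInserted: true }));
}
```

Under this model both URLs are refused without a nonce, and with 'strict-dynamic' removed only the www.recaptcha.net URL would match the allowlist, since www.google.com is not listed in the quoted directive.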