https://bugs.openldap.org/show_bug.cgi?id=9573
Issue ID: 9573
Summary: GitLab sign-ups prevented by missing reCAPTCHA
Product: website
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: website
Assignee: bugs@openldap.org
Reporter: max@davitt.me
Target Milestone: ---
I keep getting errors when trying to sign up for a GitLab account at https://git.openldap.org/users - sorry in advance if this is the wrong place to report something like this.
An error gets returned upon each attempt saying "There was an error with the reCAPTCHA. Please solve the reCAPTCHA again." despite there being no visible reCAPTCHA form on the page.
Looking at the Developer Tools suggests that it may be unable to load one due to security settings on the webpage. I have reproduced this issue on Chrome and Firefox.
The Chrome Developer Tools message reads:
    Refused to load the script 'https://www.google.com/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com 'nonce-xilvMBBstAueaMyGwaE7gg=='". 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
The Firefox Developer Tools console reads:
    Content Security Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified
    Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
    Content Security Policy: Ignoring “https://www.recaptcha.net” within script-src: ‘strict-dynamic’ specified
    Content Security Policy: Ignoring “https://apis.google.com” within script-src: ‘strict-dynamic’ specified
    Some cookies are misusing the recommended “SameSite“ attribute 2
    Content Security Policy: The page’s settings blocked the loading of a resource at https://www.google.com/recaptcha/api.js (“script-src”).
    Unable to check <input pattern='.{,}'> because the pattern is not a valid regexp: incomplete quantifier in regular expression
My apologies for the lengthy issue description. Thanks for everything you do!
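As an added illustration that is not part of the original report or of GitLab's code: a simplified JavaScript model of the script-src decision both consoles describe, run against the policy quoted in the report. The page origin and the www.recaptcha.net script URL are assumptions made for the example.

```javascript
// Simplified model of a CSP Level 3 script-src check for a <script src> tag
// written in the page markup. Scripts injected by an already-trusted script
// (which 'strict-dynamic' permits) and default-src fallback are not modeled.
const POLICY = "script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' " +
  "https://www.recaptcha.net https://apis.google.com 'nonce-xilvMBBstAueaMyGwaE7gg=='";
const PAGE_ORIGIN = "https://git.openldap.org"; // assumed origin of the sign-up page

function scriptSrcSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null;
}

function checkScript(policy, pageOrigin, scriptUrl, nonce) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return { allowed: true, reason: "no script-src directive" };
  // Nonce values are compared case-sensitively; keywords are not.
  if (nonce && sources.includes(`'nonce-${nonce}'`)) {
    return { allowed: true, reason: "nonce match" };
  }
  if (sources.some((s) => s.toLowerCase() === "'strict-dynamic'")) {
    return { allowed: false, reason: "'strict-dynamic' present, 'self' and host sources ignored" };
  }
  const origin = new URL(scriptUrl).origin;
  for (const s of sources) {
    if (s.toLowerCase() === "'self'" && origin === pageOrigin) {
      return { allowed: true, reason: "'self'" };
    }
    if (/^https?:\/\//i.test(s) && new URL(s).origin === origin) {
      return { allowed: true, reason: `host source ${s}` };
    }
  }
  return { allowed: false, reason: "no matching source expression" };
}

// Constructed checks: the URL the browsers blocked, then an allowlisted host.
const blocked = "https://www.google.com/recaptcha/api.js";
const listed = "https://www.recaptcha.net/recaptcha/api.js"; // constructed sample URL
const noStrictDynamic = POLICY.replace("'strict-dynamic' ", "");
for (const [label, policy] of [["as reported", POLICY], ["without 'strict-dynamic'", noStrictDynamic]]) {
  for (const url of [blocked, listed]) {
    console.log(label, url, checkScript(policy, PAGE_ORIGIN, url, null));
  }
}
```

In this model the www.google.com script is refused under both variants, because only www.recaptcha.net and apis.google.com are listed as hosts; a tag carrying the page's nonce is accepted either way.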
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
Thanks for the report, I'm not exactly sure what to do here. It would appear to be either an issue caused by Google or Gitlab, both of which are out of our direct control.
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
Yeah, the gitlab folks broke it:
https://gitlab.com/gitlab-org/gitlab/-/issues/332080
https://gitlab.com/gitlab-org/gitlab/-/issues/331692#note_584942846
Quanah Gibson-Mount quanah@openldap.org changed:
      What    |Removed      |Added
----------------------------------------------------------------------------
    Resolution|---          |TEST
        Status|UNCONFIRMED  |RESOLVED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
Please see if it works for you now as we're on the release that is supposed to have the fix.
Quanah Gibson-Mount quanah@openldap.org changed:
      What    |Removed      |Added
----------------------------------------------------------------------------
        Status|RESOLVED     |VERIFIED
    Resolution|TEST         |FIXED
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
Signups are occurring again.