Content-Security-Policy and data URLs-images from CAPTCHA

0

I'm trying to integrate AWS WAF CAPTCHA into my website, which also uses a Content-Security-Policy header.

But the CAPTCHA JS library tries to load SVG images using data: URLs, and I get the following CSP errors:

Refused to load the image 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD....gPC9zdmc+IA==' because it violates the following Content Security Policy directive: "img-src 'report-sample' 'self' <CDN-hostname>.

I don't want to allow data:-URLs. Is there any other way to deal with it?

1 Answer
0

Hello,

Thank you for contacting AWS re:Post

The CAPTCHA JS library is a subset of the JavaScript API. For the JavaScript integration to work with CSP, you must allow access to the awswaf.com domain: https://docs.aws.amazon.com/waf/latest/developerguide/waf-javascript-api-csp.html

If you apply content security policies (CSP) to your resources, for your JavaScript implementation to work, you need to allowlist the AWS WAF apex domain awswaf.com.

Moreover, I would suggest that you reach out to the WAF team directly by using AWS premium support if the above solution does not work.

Thank you and have a great day!

AWS
TECHNICAL SUPPORT ENGINEER
answered 2 years ago
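
How img-src source matching treats the data: image from the question, as an added example that is not part of the original post or of AWS's code. It is a simplified matcher (ports, paths and default-src fallback are not modelled), and cdn.example.com and placeholder.awswaf.com are constructed hostnames. It shows that host sources match only network URLs, while a data: URL matches only an explicit data: scheme source.

```javascript
// Simplified CSP source-list matching for img-src (added example).
// Covers 'none', 'self', scheme sources, host sources with "*." and "*".
function parseDirective(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive absent
}

function sourceAllows(source, url, selfOrigin) {
  const u = new URL(url);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return u.origin === selfOrigin;
  // A scheme source such as "data:" matches on the URL scheme alone.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return u.protocol === src;
  // Other keywords ('report-sample', ...) never match a URL.
  if (src.startsWith("'")) return false;
  // "*" and host sources apply to network schemes only, never to data:.
  if (!['http:', 'https:'].includes(u.protocol)) return false;
  if (src === '*') return true;
  const m = src.match(/^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false;
  // An https:// source requires https; an http:// source also accepts https.
  if (m[1] === 'https' && u.protocol !== 'https:') return false;
  // "*.host" matches subdomains only, not the apex itself.
  return m[2] ? u.hostname.endsWith('.' + m[3]) : u.hostname === m[3];
}

function imgAllowed(policy, url, selfOrigin) {
  const sources = parseDirective(policy, 'img-src') || [];
  return sources.some((s) => sourceAllows(s, url, selfOrigin));
}

// Constructed sample input modelled on the policy in the error message.
const SELF = 'https://www.example.com';
const BASE = "img-src 'report-sample' 'self' cdn.example.com";
const DATA_IMG = 'data:image/svg+xml;base64,PHN2Zy8+'; // constructed "<svg/>"
const HOSTED = 'https://placeholder.awswaf.com/a.svg'; // constructed URL

for (const extra of ['', ' awswaf.com *.awswaf.com', ' data:']) {
  const policy = BASE + extra;
  console.log(policy);
  console.log('  data: image allowed:', imgAllowed(policy, DATA_IMG, SELF));
  console.log('  awswaf.com-hosted image allowed:', imgAllowed(policy, HOSTED, SELF));
}
```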
