https://bugs.openldap.org/show_bug.cgi?id=9573

          Issue ID: 9573
           Summary: GitLab sign-ups prevented by missing reCAPTCHA
           Product: website
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: website
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

I keep getting errors when trying to sign up for a GitLab account at
https://git.openldap.org/users - sorry in advance if this is the wrong place to
report something like this.

An error gets returned upon each attempt saying "There was an error with the
reCAPTCHA. Please solve the reCAPTCHA again." despite there being no visible
reCAPTCHA form on the page.

Looking at the Developer Tools suggests that it may be unable to load one due
to security settings on the webpage. I have reproduced this issue on Chrome and
Firefox.

The Chrome Developer Tools message reads:
Refused to load the script 'https://www.google.com/recaptcha/api.js' because it
violates the following Content Security Policy directive: "script-src
'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net
https://apis.google.com 'nonce-xilvMBBstAueaMyGwaE7gg=='". 'strict-dynamic' is
present, so host-based allowlisting is disabled. Note that 'script-src-elem'
was not explicitly set, so 'script-src' is used as a fallback.

The Firefox Developer Tools console reads:
Content Security Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’
specified
Content Security Policy: Ignoring “'unsafe-inline'” within script-src:
‘strict-dynamic’ specified
Content Security Policy: Ignoring “https://www.recaptcha.net” within
script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https://apis.google.com” within script-src:
‘strict-dynamic’ specified
Some cookies are misusing the recommended “SameSite“ attribute 2
Content Security Policy: The page’s settings blocked the loading of a resource
at https://www.google.com/recaptcha/api.js (“script-src”).
Unable to check <input pattern='.{,}'> because the pattern is not a valid
regexp: incomplete quantifier in regular expression

My apologies for the lengthy issue description. Thanks for everything you do!

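Added example (not part of the original report, and not GitLab or OpenLDAP code): a simplified model of how a browser checks an external script against the script-src value quoted above, showing which sources 'strict-dynamic' causes to be ignored. It handles only exact-origin host sources, 'self' and nonces; the function and field names are hypothetical.

```javascript
// Simplified CSP Level 3 script-src check for an external <script src>.
// Assumptions: exact-origin host sources only (no wildcards, paths, hashes,
// scheme sources or script-src-elem). POLICY is the value from the report.
const POLICY = "script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' " +
  "https://www.recaptcha.net https://apis.google.com 'nonce-xilvMBBstAueaMyGwaE7gg=='";

function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // a real browser would fall back to default-src here
}

// script: { url, nonce, parserInserted }; pageOrigin: origin of the document.
function checkScript(policy, script, pageOrigin) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return { allowed: true, reason: 'no script-src', ignored: [] };
  const isHost = (s) => !s.startsWith("'");
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s)).map((s) => s.slice(7, -1));
  const strict = sources.includes("'strict-dynamic'");
  // With 'strict-dynamic', 'self', 'unsafe-inline' and host sources are ignored.
  const ignored = strict
    ? sources.filter((s) => s === "'self'" || s === "'unsafe-inline'" || isHost(s))
    : [];
  // A matching nonce is checked first and always allows the script.
  if (script.nonce && nonces.includes(script.nonce)) {
    return { allowed: true, reason: 'nonce', ignored };
  }
  if (strict) {
    // Trust extends only to scripts created by an already trusted script,
    // never to markup-inserted <script src> tags without a valid nonce.
    return script.parserInserted
      ? { allowed: false, reason: 'strict-dynamic: no matching nonce', ignored }
      : { allowed: true, reason: 'strict-dynamic: not parser-inserted', ignored };
  }
  // Host-based allowlisting applies only when 'strict-dynamic' is absent.
  const origin = new URL(script.url).origin;
  if (sources.includes("'self'") && origin === pageOrigin) {
    return { allowed: true, reason: 'self', ignored };
  }
  if (sources.filter(isHost).some((h) => new URL(h).origin === origin)) {
    return { allowed: true, reason: 'host', ignored };
  }
  return { allowed: false, reason: 'no matching source', ignored };
}
```

With 'strict-dynamic' removed from the same policy, the www.google.com URL is still rejected by this check, because the listed hosts are www.recaptcha.net and apis.google.com.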