Content-Security-Policy and data URLs-images from CAPTCHA

0

I'm trying to integrate AWS WAF CAPTCHA into my website, which also uses a Content-Security-Policy header.

But the CAPTCHA JS library tries to load SVG images using data: URLs, and I get the following CSP errors:

Refused to load the image 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD....gPC9zdmc+IA==' because it violates the following Content Security Policy directive: "img-src 'report-sample' 'self' <CDN-hostname>.

I don't want to allow data:-URLs. Is there any other way to deal with it?

asked 3 months ago, 404 views
1 Answer
0

Hello,

Thank you for contacting AWS re:Post.

The CAPTCHA JS library is a subset of the JavaScript API. For the JavaScript integration to work with CSP, you must allow access to the awswaf.com domain: https://docs.aws.amazon.com/waf/latest/developerguide/waf-javascript-api-csp.html

If you apply content security policies (CSP) to your resources, for your JavaScript implementation to work, you need to allowlist the AWS WAF apex domain awswaf.com.

Moreover, I would suggest that you reach out to the WAF team directly by using AWS Premium Support if the above solution does not work.

Thank you and have a great day!

AWS
SUPPORT ENGINEER
Ansh_C
answered 3 months ago
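
An added example, not part of the question or the answer and not AWS code: a simplified model of how a browser matches an image URL against img-src, showing how the policy from the question treats the CAPTCHA's data: image and which kinds of source expression can match it. The page origin, cdn.example.com (standing in for <CDN-hostname>) and the sample data: URL are constructed placeholders.

```javascript
// Simplified CSP source matching for image loads. Handles only 'self', "*",
// scheme-sources (data:) and host-sources with an optional "*." prefix.
// Assumption: a scheme-less host-source is treated as matching any scheme.
function matchesSource(expr, url, pageOrigin) {
  const target = new URL(url);
  if (expr === "'self'") return target.origin === pageOrigin;
  if (/^'.*'$/.test(expr)) return false; // 'report-sample' etc. match no URL
  // "*" covers network schemes only, so it does not cover data: URLs.
  if (expr === "*") return ["http:", "https:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return target.protocol === expr.toLowerCase(); // scheme-source
  }
  // Host-sources need a network host; a data: URL has none.
  if (!target.hostname) return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const scheme = m[1], host = m[2].toLowerCase();
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

function imgAllowed(policy, url, pageOrigin) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  const sources = directives.get("img-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // nothing governs images
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}

// Constructed sample values (placeholders, not taken from the page).
const PAGE = "https://www.example.com";
const SVG = "data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=";
const asked = "img-src 'report-sample' 'self' cdn.example.com";
const withWaf = asked + " https://*.awswaf.com";
const withData = asked + " data:";

console.log(imgAllowed(asked, SVG, PAGE));
console.log(imgAllowed(withWaf, SVG, PAGE));
console.log(imgAllowed(withData, SVG, PAGE));
```

In this model only the data: scheme-source matches the CAPTCHA image, and it matches every other data: image as well.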
