Content-Security-Policy and data URLs-images from CAPTCHA

0

I'm trying to integrate AWS WAF CAPTCHA into my website, which also uses a Content-Security-Policy header.

But the CAPTCHA JS library tries to load SVG images using data: URLs, and I get the following CSP errors:

Refused to load the image 'data:image/svg+xml;base64,PHN2ZyB3aWR0aD....gPC9zdmc+IA==' because it violates the following Content Security Policy directive: "img-src 'report-sample' 'self' <CDN-hostname>.

I don't want to allow data:-URLs. Is there any other way to deal with it?

Asked 4 months ago, viewed 433 times
1 answer
0

Hello,

Thank you for contacting AWS re:Post

The CAPTCHA JS library is a subset of the JavaScript API. For the JavaScript integration to work with CSP, you must allow access to the awswaf.com domain: https://docs.aws.amazon.com/waf/latest/developerguide/waf-javascript-api-csp.html

If you apply content security policies (CSP) to your resources, for your JavaScript implementation to work, you need to allowlist the AWS WAF apex domain awswaf.com.

Moreover, I would suggest you reach out to the WAF team directly by using AWS Premium Support if the above solution does not work.

Thank you and have a great day!

AWS
Support Engineer
Answered 4 months ago
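
How a browser matches the blocked data: URL against an img-src source list, shown as an added example (not part of the question or the answer above, and not AWS code): a simplified matcher in which 'self' and host sources only ever cover network URLs, so a data: image passes only when a data: scheme source is listed. The page origin, cdn.example.com (standing in for the elided CDN hostname) and the sample SVG are constructed placeholders.

```javascript
// Simplified CSP img-src matcher (illustrative sketch).
// Covers keywords, scheme-sources and host-sources with an optional "*." prefix.
// Not covered: ports, paths, default-src fallback, scheme upgrade rules.
const PAGE_ORIGIN = "https://www.example.com";             // assumed page origin
const DATA_SVG = "data:image/svg+xml;base64,PHN2Zy8+";     // constructed sample image
const ORIGINAL = "img-src 'report-sample' 'self' cdn.example.com"; // policy shape from the error
const WITH_HOST = ORIGINAL + " awswaf.com";                // host-source added
const WITH_DATA = ORIGINAL + " data:";                     // scheme-source added

function imgSrcAllows(policy, url, pageOrigin = PAGE_ORIGIN) {
  const directive = policy.split(";")
    .map(d => d.trim().split(/\s+/))
    .find(t => t[0].toLowerCase() === "img-src");
  if (!directive) return true; // this sketch ignores default-src
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return directive.slice(1).some(src => {
    const s = src.toLowerCase();
    if (s === "'none'" || s === "'report-sample'") return false;
    // A data: URL has an opaque origin ("null"), so 'self' never matches it.
    if (s === "'self'") return target.origin === page.origin;
    // Scheme-source such as "data:" or "https:" matches on scheme alone.
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
    // "*" and host-sources apply to network URLs only, never to data:.
    if (!["http:", "https:"].includes(target.protocol)) return false;
    if (s === "*") return true;
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
    if (!m) return false;
    const [, scheme, wildcard, host] = m;
    if (scheme && target.protocol !== scheme + ":") return false;
    return wildcard
      ? target.hostname.endsWith("." + host)  // "*.host" matches subdomains only
      : target.hostname === host;
  });
}

function report() {
  return [ORIGINAL, WITH_HOST, WITH_DATA]
    .map(p => ({ policy: p, dataImageAllowed: imgSrcAllows(p, DATA_SVG) }));
}

console.log(report());
```
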
