
I'm trying out the new require-trusted-types-for 'script' header available in Chrome 83, and it is causing problems with the reCAPTCHA form on my site.

For testing, I'm using this version of the header, which helps by logging the problems to the console:

Content-Security-Policy-Report-Only: require-trusted-types-for 'script';

When I navigate to the page on my site that contains reCAPTCHA, I can provide the URL https://www.google.com/recaptcha/api.js wrapped in a TrustedType object as a TrustedScriptURL object without problems. That works fine.

However, the api.js file itself contains a src assignment that triggers this error:

This document requires 'TrustedScriptURL' assignment.
(anonymous) @ api.js:1
(anonymous) @ api.js:1

The code in api.js that triggers the error is:

po.src = 'https://www.gstatic.com/recaptcha/releases/ADnAC3ZykfbIOflWgrKNsVVT/recaptcha__en.js';

The code of recaptcha__en.js itself also triggers the same type of error, but this time it requires a trusted HTML object:

recaptcha__en.js:formatted:2690 [Report Only] This document requires 'TrustedHTML' assignment.
(anonymous) @ recaptcha__en.js:formatted:2662
(anonymous) @ recaptcha__en.js:formatted:2180
Ph.bottomright.border-radius.render @ recaptcha__en.js:formatted:14714
(anonymous) @ recaptcha__en.js:formatted:599
(anonymous) @ recaptcha__en.js:formatted:5386
(anonymous) @ recaptcha__en.js:formatted:2879
ZI @ recaptcha__en.js:formatted:10647
(anonymous) @ recaptcha__en.js:formatted:4051
(anonymous) @ recaptcha__en.js:formatted:696
(anonymous) @ recaptcha__en.js:formatted:696
(anonymous) @ recaptcha__en.js:formatted:4202
(anonymous) @ recaptcha__en.js:formatted:536
(anonymous) @ recaptcha__en.js:formatted:5151
(anonymous) @ recaptcha__en.js:formatted:536
(anonymous) @ recaptcha__en.js:formatted:14832
(anonymous) @ recaptcha__en.js:formatted:15037

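Since Google does not sanitize the code in api.js, it is impossible to execute it with the header in effect. Is there a workaround? Or is there a flag to force Google to return a version of api.js in which the src assignment is wrapped in a TrustedType object?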

How can reCAPTCHA be used with Trusted Types enforcement?
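When a third-party script assigns a plain string to a sink, the browser passes that string to the Trusted Types policy named default, if one exists. The following is an added example, not part of the original post and not Google's code: it handles only the TrustedScriptURL case, its function names are hypothetical, and its allowlist is built from the two script URLs quoted in the question.

```javascript
// Added example (hypothetical names): allowlist-based default policy for script URLs.
// The two prefixes come from the script URLs quoted in the question.
const RECAPTCHA_SCRIPT_PREFIXES = [
  { origin: 'https://www.google.com', path: '/recaptcha/' },
  { origin: 'https://www.gstatic.com', path: '/recaptcha/' },
];

// Returns the normalized URL when it is an allowlisted reCAPTCHA script,
// otherwise throws, which makes the sink assignment fail.
function allowRecaptchaScriptURL(input) {
  let url;
  try {
    // Absolute URLs only. Parsing also resolves "../" segments, so the
    // prefix check below runs against the path the browser would fetch.
    url = new URL(String(input));
  } catch (e) {
    throw new TypeError('Rejected script URL (not absolute): ' + input);
  }
  const allowed = RECAPTCHA_SCRIPT_PREFIXES.some(
    (p) => url.origin === p.origin && url.pathname.startsWith(p.path)
  );
  if (!allowed || url.username || url.password) {
    throw new TypeError('Rejected script URL: ' + input);
  }
  return url.href;
}

// Registers the policy under the special name "default". The browser calls it
// only for plain strings; values that are already TrustedScriptURL bypass it.
// The tt parameter exists so the wiring can be exercised outside a browser.
function installDefaultPolicy(tt = globalThis.trustedTypes) {
  if (!tt || typeof tt.createPolicy !== 'function') {
    return null; // Trusted Types not supported in this environment
  }
  return tt.createPolicy('default', {
    createScriptURL: allowRecaptchaScriptURL,
  });
}

installDefaultPolicy();
```

The TrustedHTML violations reported from recaptcha__en.js would additionally need a createHTML handler in the same policy, which this example does not define. If the page's CSP also carries a trusted-types directive, the name default has to be listed there for the policy to be created.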
