Recaptcha not showing up

Hi, I am using Typhoon, with a form in a modular page. On localhost the recaptcha field shows up, but not online. The form plugin is up to date and filled in with the right recaptcha thingies.
When loading the page Console gives the following error:

Refused to load the script '' because it violates the following Content Security Policy directive: "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' * *". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Here is the frontmatter of the form page

title: 'Neem contact op'
subtitle: 'Meer weten?'
section_classes: 'bg-primary-darker text-primary-lighter py-8 md:py-24'
title_text: light
cache_enable: false
    name: contact
    action: '/#neem-contact-op'
    inline_errors: true
            label: Name
            display_label: false
            placeholder: '* Je naam'
            autocomplete: 'on'
            type: text
                required: true
            label: Email
            display_label: false
            placeholder: '* Je emailadres'
            type: email
                required: true
            label: Phone
            display_label: false
            placeholder: 'Je telefoonnummer (WhatsApp of Signal) (optioneel)'
            type: text
            label: Message
            display_label: false
            placeholder: '* Je bericht'
            type: textarea
            rows: 4
                required: true
            label: Captcha
            type: captcha
            recaptcha_not_validated: 'Captcha not valid!'
            type: submit
            classes: 'bg-gray-600 hover:bg-gray-900'
            value: Versturen
        captcha: true
        message: '<b>Merci!</b> Wij hebben je bericht gekregen en zullen asap contact opnemen.'
            from: '{{ }}'
            to: '{{ }}'
            subject: '[Site Contact Form] {{|e }}'
            body: '{% include ''forms/data.html.twig'' %}'

Hi, I believe your online webserver is setup to use CSP directives which prevents loading remote scripts if not setup.

I found this documentation from Google Developers that instructs on how to enable captcha in the CSP directive, probably this is configurable somewhere in your web hosting admin panel, if you can’t find it I would suggest opening a ticket so they can quickly sort that for you.

Thanks for you reply. I placed a ticket at my hosting company. Funny things is, that on a subdomain page, the captcha does show.

Main page: (form is at the bottom)
Subdomain page:

@TonHaarmans, Not an expert in any way on the topic, but did some googling anyway…

From the HTML of your sites:

  • Your main site, using theme Typhoon, contains:

    <meta http-equiv="Content-Security-Policy" content="default-src &#039;self&#039; data: &#039;unsafe-inline&#039; &#039;unsafe-eval&#039; * *;" />

    This meta-tag is used to reduce the risk of XSS attacks. See link to Stackoverflow below.

  • Your subdomain, using different theme, does not contain the meta-tag.


Thanks a lot Pamtbaau! I could remove this meta tag and then indeed the captcha turned up, but now I probably have less security. I have been looking for an improved tag, but could not find one, probably because I don’t understand. I also tried the original tag but with the entities replaced with apostrophe, but that did not help. Perhaps I should report a bug…

This is the first time I see this meta-tag, so I don’t think you will be in danger immediately…

Perhaps I should report a bug…

I would… :wink:

yes, I am busy with it :slight_smile:

We are working on fixing the meta so it doesn’t escape single quotes. Thanks!

This is now resolved @TonHaarmans (Fixed issue with `content-security-policy` not being properly support… · getgrav/grav@9964285 · GitHub), will be available in next Grav release.

Thanks also @pamtbaau for helping with this

Hi, I saw that it is resolved in the latest Grav update, but now I don’t know how to get the content-security-policy meta tag back… Can you help me?

@TonHaarmans, Probably by undoing what you did before to fix the issue temporarily…

I could remove this meta tag and then indeed the captcha turned up,

Yes, I figured that one out too and I uncommented the line {% include ‘partials/metadata.html.twig’ %} in base.html.twig. Emptied all caches, but the meta tag did not returned. Probably there is some more, but I can’t remember…

@TonHaarmans, What woud a developer be without Git to revert changes :wink:

I know. I should have documented it. But I didn’t. And I am not a developer, but a graphic designer with some skills in HTML, CSS and some JS…