8

I'm building a Chrome Extension that interacts with an API that I wish to protect using Google recaptcha, as I'm intending for it to be used beyond just the Chrome Extension. The API side is working, correctly verifying a recaptcha response with Google; however, displaying the recaptcha widget inside the extension's browser action window is resulting in the following JavaScript error:

```
Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('chrome-extension://pjhcgfibbbmibojnlkgjejaojpokgldl:80') does not match the recipient window's origin ('chrome-extension://pjhcgfibbbmibojnlkgjejaojpokgldl').
```

which is generated in recaptcha_en.js at the line:

```javascript
(a.window || ne(a.Tg)).postMessage(JSON.stringify({
    message: c || null,
    messageType: b
}), Zj(a.path));
```

The problem seems to be that the value of a.path is chrome-extension://pjhcgfibbbmibojnlkgjejaojpokgldl:80 but I don't know how I can affect this value.

The result of this error is that the recaptcha widget displays a message saying:

Please upgrade to a supported browser to get a reCAPTCHA challenge.

I'm displaying the widget via the auto render method, but have also tried the explicit method which results in the same error. For info, I'm using the following content_security_policy:

```
script-src 'self' https://*.google.com https://*.gstatic.com; object-src 'self'
```

Is there any way I can get this to work in my extension? And if not, what is the best alternative method for integrating recaptcha?

Rich Browne
  • I haven't tried it, but I think it is not possible to add a captcha in an extension, as it is blocked due to [Content-Security-Policy](https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/zwUKe98g7r0). As for the error the recaptcha widget displays, have you updated your browser? – Android Enthusiast Jul 18 '16 at 05:39
  • Content security policy does not seem to be the cause of the issue as I've set the policy (noted in the original post) so that the remote scripts load correctly. The error seems to come when the recaptcha script tries to run window.postMessage setting the second parameter (targetOrigin) explicitly with port 80, which is different to the recipient window's origin. I don't know why it's explicitly setting port 80 in the origin or whether I can get around this. – Rich Browne Jul 18 '16 at 07:51
  • I've asked here: https://groups.google.com/forum/#!topic/recaptcha/6O4MTigYVPw – Martin Ždila Sep 29 '16 at 09:09
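
The mismatch in the error message above comes down to how an explicit port is treated for each scheme. The following is an added example, not code from the original post, and a simplified model of the comparison rather than Chrome's or reCAPTCHA's own code (the function names are hypothetical); it runs under Node.js and compares the two origins quoted in the error:

```javascript
// Added example: a simplified model of the targetOrigin comparison,
// not Chrome's or reCAPTCHA's source. Runs under Node.js.

// Reduce a URL string to its (scheme, host, port) origin tuple.
function originTuple(input) {
  const u = new URL(input); // throws TypeError if the string cannot be parsed
  // The parser drops a port only when it is the scheme's default (80 for
  // http:, 443 for https:). chrome-extension: has no default port, so an
  // explicit ":80" is kept as part of the tuple.
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// Names of the tuple components that differ between two origins.
function originDiff(targetOrigin, recipientOrigin) {
  const t = originTuple(targetOrigin);
  const r = originTuple(recipientOrigin);
  return Object.keys(t).filter((k) => t[k] !== r[k]);
}

// Model of the check: every component must match.
function targetOriginMatches(targetOrigin, recipientOrigin) {
  return originDiff(targetOrigin, recipientOrigin).length === 0;
}

// Origin taken from the error message in the question.
const EXT = 'chrome-extension://pjhcgfibbbmibojnlkgjejaojpokgldl';

// Constructed comparison case: on http:, ":80" is the default and is dropped.
console.log(targetOriginMatches('http://example.com:80', 'http://example.com'));
// The case from the question: the port survives and the origins differ.
console.log(targetOriginMatches(EXT + ':80', EXT), originDiff(EXT + ':80', EXT));
```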

1 Answer

3

In recaptcha v3

manifest.json:

```json
"content_security_policy": "script-src 'self' https://*.google.com https://*.gstatic.com; object-src 'self'"
```

ADD CHROME EXTENSION ID TO ALLOWED DOMAINS IN RECAPTCHA ADMIN CONSOLE

chrome-extension://aailnablglhloogfnpkgddnjjfimhhhg

so you just put "aailnablglhloogfnpkgddnjjfimhhhg" without chrome-extension://