
5034 ERROR_INVALID_FORMID and other errors with recaptcha enabled in chrome and some other browsers #711

Closed
alessandroere opened this issue Feb 5, 2025 · 22 comments

Comments

@alessandroere

Hi,
with versions 2.0.6 and 2.0.7 I get this error when I try to log in to the web app.
PWM 5034 The browser session is invalid or has expired. Please try again.
I tried different browsers but I get the same error.

PWM is a docker container that until 2 days ago worked like a charm, but now it generates this error.
From the docker container logs I get this error:

2025-02-05T17:02:43Z, FATAL, servlet.AbstractPwmServlet, {0NOBX} unexpected error: 5034 ERROR_INVALID_FORMID (form nonce missing)
2025-02-05T17:02:43Z, ERROR, http.PwmResponse, {0NOBX} 5034 ERROR_INVALID_FORMID (form nonce missing)
2025-02-05T17:02:44Z, FATAL, servlet.AbstractPwmServlet, {0NOBX} unexpected error: 5034 ERROR_INVALID_FORMID (form nonce incorrect)
2025-02-05T17:02:44Z, ERROR, http.PwmResponse, {0NOBX} 5034 ERROR_INVALID_FORMID (form nonce incorrect)

@jrivard
Contributor

jrivard commented Feb 5, 2025 via email

@jjyoo38

jjyoo38 commented Feb 6, 2025

@jrivard
I am also experiencing the same problem since yesterday. I have 15 restore point images of PWM, but even if I restore to the oldest backup image, I get the same error. I don't know the cause. My PWM server is running on Windows and the version is 2.0.6. The LDAP profile test passes normally. A private browser has the same problem. I have no LB or proxy in front of PWM.
The same error occurs even when connecting from a browser on localhost.

2025-02-06T15:38:11Z, FATAL, servlet.AbstractPwmServlet, {goOsN} unexpected error: 5034 ERROR_INVALID_FORMID (form nonce missing) [10.5.1.1]
2025-02-06T15:38:11Z, ERROR, http.PwmResponse, {goOsN} 5034 ERROR_INVALID_FORMID (form nonce missing) [10.5.1.1]
2025-02-06T15:38:11Z, FATAL, servlet.AbstractPwmServlet, {goOsN} unexpected error: 5034 ERROR_INVALID_FORMID (form nonce incorrect) [10.5.1.1]
2025-02-06T15:38:11Z, ERROR, http.PwmResponse, {goOsN} 5034 ERROR_INVALID_FORMID (form nonce incorrect) [10.5.1.1]
2025-02-06T15:38:42Z, FATAL, servlet.AbstractPwmServlet, {goOsN} unexpected error: 5034 ERROR_INVALID_FORMID (form nonce missing) [10.5.1.1]
2025-02-06T15:38:42Z, ERROR, http.PwmResponse, {goOsN} 5034 ERROR_INVALID_FORMID (form nonce missing) [10.5.1.1]


@jjyoo38

jjyoo38 commented Feb 6, 2025

@alessandroere @jrivard
OK, I found a solution. If you disable recaptcha, you can log in. It seems there is currently a problem with Google's recaptcha.
However, since it is a security vulnerability, I think it should be resolved as soon as possible. Could you please investigate whether this is a Google problem or a PWM problem?

@alessandroere
Author

Hi,
for @jrivard -> Yes, I tried with different browsers and private browsing mode but nothing. Same error. I tried to delete the browser cache but nothing. I don't have a reverse proxy or LB in front of the pwm container. I can't try to log in directly on the server because it's an Ubuntu server without an interface.
I also tried to bring the container down and up again without success.

For @jjyoo38: I disabled Google Recaptcha and now it works, but how can I understand whether the problem is Google or PWM?
Are there some tests that I can do?

Thank you

@jjyoo38

jjyoo38 commented Feb 7, 2025

@alessandroere
sorry, I requested it from @jrivard, not you. 😂

@poregan111

Same issue flagged today. It was content security.
connect-src 'self' https://www.recaptcha.net;

@mislek

mislek commented Feb 7, 2025

I am having the same issue. It is a PWM problem, not a Google Captcha problem. Please also note that the Captcha V2 Invisible mode is also not working. No one can log in to PWM when captcha is enabled on ANY form. We had to delete it on all of them, which is a major security concern.

2025-02-07T18:51:06Z, FATAL, servlet.AbstractPwmServlet, {08fpr} unexpected error: 5034 ERROR_INVALID_FORMID (form nonce missing) [128.150.206.108]
2025-02-07T18:51:06Z, ERROR, http.PwmResponse, {08fpr} 5034 ERROR_INVALID_FORMID (form nonce missing) [128.150.206.108]

@jrivard
Contributor

jrivard commented Feb 7, 2025

I'm not able to reproduce this on my 2.0.7 test system.

Based on @poregan111's comment and some of my own research, this may be a problem with the content-security-policy set by PWM combined with a change in recaptcha or a browser update.

Questions:

  1. What browser does this issue occur in (particularly, does it occur in Firefox or Safari)?
  2. If the value for the PWM content-security-policy is cleared, does the issue still occur? ('Settings ⇨ Security ⇨ Web Security ⇨ HTTP Content Security Policy Header', remove the value)
  3. Can someone having the issue paste the browser JavaScript console? In the browser go to developer tools (F12): Console tab -> load the page with the PWM recaptcha issue -> copy the contents. In my case I see:

loaded client data
main.js:431 loaded locale bundle data for Config
main.js:431 loaded locale bundle data for Display
main.js:431 loaded locale bundle data for Admin
main.js:431 initPage completed
newuser:246 reached google recaptcha onload callback
configmanager.js:350 initConfigHeader completed

@jjyoo38

jjyoo38 commented Feb 10, 2025

@jrivard

  1. It occurs on Chrome, Safari and Edge, not on Firefox.
  2. After clearing the value for the PWM content-security-policy, it works well.
  3. Attached screenshot

@Danilo587

Hi all, I have the same issue, how can I disable recaptcha? I have pwm 2.0.7 as a .war

@jrivard
Contributor

jrivard commented Feb 11, 2025

@jjyoo38 Thanks for your help. However, I'm not able to read the screenshot well - I can only read English. I can't tell for sure if the console output is complete in that image. Can you please copy/paste the contents of the console window text? I'm specifically looking for any errors in the console that would help me diagnose/reproduce the issue. If there are no errors in Edge, do any of the other browsers show errors in the console output?

@jjyoo38

jjyoo38 commented Feb 12, 2025

@jrivard OK, I attached the saved console log from the Chrome browser. (I changed my site name in the logs to blahblah.)

================================================================================
VM206:1 Refused to load the script 'blob:https://blahblah/8804eed1-4ba5-4c79-b29f-3c46181e6c16' because it violates the following Content Security Policy directive: "script-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ 'self' 'unsafe-eval' 'nonce-s2PSu7AZvFylZ5Hk+S8Cz4jBKnQBc8PT'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

(anonymous) @ VM206:1
(anonymous) @ VM206:1
login:108 reached google recaptcha onload callback
main.js:431 loaded locale bundle data for Display
main.js:431 loaded client data
main.js:431 initPage completed
Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
login:102 captcha completed, passed
recaptcha__ko.js:1100 Refused to connect to 'https://www.recaptcha.net/recaptcha/api2/clr?k=6LeA3_8pAAAAAB_JolfpgvPTwqSBcUZ00LJUuNFl' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

recaptcha__ko.js:1100 Fetch API cannot load https://www.recaptcha.net/recaptcha/api2/clr?k=6LeA3_8pAAAAAB_JolfpgvPTwqSBcUZ00LJUuNFl. Refused to connect because it violates the document's Content Security Policy.

@jjyoo38

jjyoo38 commented Feb 12, 2025

@Danilo587
open the PWMConfiguration.xml file and edit configIsEditable to true,
then go to Configuration Editor -> Settings -> Captcha
and uncheck the Captcha protected pages.

@Danilo587

@jjyoo38 Thank you so much! Yesterday I installed an old version of the Firefox browser to reach the config page.
The solution of clearing the value in the CSP works fine.

Thank you

@alessandroere
Author

Hi @Danilo587, can you explain how to clear the CSP value?
Thank you

@Danilo587

@alessandroere after logging in at the /pwm/private path, you need to choose "More options" in the menu, then "Configure Editor". Use your Configuration Password, then go to the Settings section, Security, Web Security.
Find "HTTP Content Security Policy Header" and remove all values.

@alessandroere
Author

Thanks @Danilo587. I did it, but I deleted the value from the XML configuration file. On the GUI I can't leave that value empty.

@jrivard
Contributor

jrivard commented Feb 12, 2025

Be advised, clearing the content security policy is a temporary workaround at best. Clearing the CSP value exposes PWM to potential security vulnerabilities.

@jrivard
Contributor

jrivard commented Feb 13, 2025

Thanks @jjyoo38 that was helpful.

Can someone having this problem please test the following value for the content security policy setting?

default-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/  https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ 'self' 'unsafe-eval' 'nonce-%NONCE%'; frame-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/; report-uri @PwmContextPath@/public/api?processAction=cspReport; connect-src 'self' https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/

This adds the connect-src directive which may resolve the error.
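As an added illustration (not PWM's code nor part of this thread), the small CSP evaluator below models the browser rule visible in the console log: a fetch is governed by connect-src, and when that directive is absent, by default-src. The "old" policy is reconstructed from the console message (the proposed value minus its connect-src directive); the page origin and the site-key placeholder are constructed for the example.

```javascript
// Minimal Content-Security-Policy source-list evaluator (example code, not PWM's).
// Fallback chains per the CSP spec: the first directive present in the list governs.
const FALLBACK = {
  "connect-src": ["connect-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "img-src": ["img-src", "default-src"],
};

// Parse "name src src; name src" into { name: [sources] }; a repeated directive is ignored.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Name of the directive actually consulted for this request kind, or null if none applies.
function effectiveDirective(directives, kind) {
  for (const name of FALLBACK[kind] || [kind, "default-src"]) {
    if (name in directives) return name;
  }
  return null;
}

// Does one source expression match the URL? Keywords like 'unsafe-eval' or 'nonce-…'
// never match a network request; a host path ending in "/" is a prefix match.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', 'nonce-…', …
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme source: data:, blob:
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (url.hostname !== host) return false;
  if (!path) return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// Decide whether a request of `kind` to `urlString` is allowed under `policy`.
function isAllowed(policy, kind, urlString, pageOrigin) {
  const directives = parsePolicy(policy);
  const name = effectiveDirective(directives, kind);
  if (name === null) return { allowed: true, directive: null }; // unrestricted
  const url = new URL(urlString);
  return { allowed: directives[name].some((s) => sourceMatches(s, url, pageOrigin)), directive: name };
}

// Constructed inputs: page origin and site key are placeholders, not real values.
const PAGE_ORIGIN = "https://pwm.example.test";
const RECAPTCHA = "https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/";
const OLD_POLICY = `default-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src ${RECAPTCHA} 'self' 'unsafe-eval' 'nonce-%NONCE%'; frame-src ${RECAPTCHA}`;
const NEW_POLICY = `${OLD_POLICY}; connect-src 'self' ${RECAPTCHA}`;
const CLR_URL = "https://www.recaptcha.net/recaptcha/api2/clr?k=SITEKEY_PLACEHOLDER";

// The fetch the console log reported as refused: blocked by default-src, allowed once connect-src exists.
function checkRecaptchaFetch(policy) {
  return isAllowed(policy, "connect-src", CLR_URL, PAGE_ORIGIN);
}

console.log("old policy:", checkRecaptchaFetch(OLD_POLICY), "new policy:", checkRecaptchaFetch(NEW_POLICY));
```

The same evaluator shows why clearing the whole header "works": with no directives at all, every request is unrestricted, which is the exposure the following comment warns about.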

@jjyoo38

jjyoo38 commented Feb 14, 2025

@jrivard that value works fine. Thank you

@alessandroere
Author

@jrivard it works. Thank you

@jrivard jrivard changed the title PWM 2.0.6 and 2.0.7 error 5034 ERROR_INVALID_FORMID 5034 ERROR_INVALID_FORMID and other errors with recaptcha enabled in chrome and some other browsers Feb 15, 2025
jrivard added a commit that referenced this issue Feb 15, 2025
…a enabled in chrome and some other browsers
@jrivard
Contributor

jrivard commented Feb 22, 2025

Resolved with commit a882efc

@jrivard jrivard closed this as completed Feb 22, 2025