I'm using Content-Security-Policy (CSP) on my website, and I have set up CSP as below, as mentioned in the Google Developers documentation (Frequently Asked Questions | reCAPTCHA | Google for Developers):
- script-src https://www.google.com/recaptcha/, https://www.gstatic.com/recaptcha/
- frame-src https://www.google.com/recaptcha/, https://recaptcha.google.com/recaptcha/
But the browser devtools console indicated that a CSP error occurred, related to the CSP directive "connect-src". Looking through the developer documentation, I can't find any document mentioning that we need to set up "connect-src" as well.

My question is: is it necessary to set up the CSP directive "connect-src"? If yes, is there any document that highlights it?
I’m also encountering the same issue, and your thread describes exactly what I’ve been running into. I followed the official Google reCAPTCHA documentation step by step, setting up script-src and frame-src exactly as shown, but the browser console still complains about a missing connect-src directive. Like you, I couldn’t find any mention of connect-src in the official docs, which makes it confusing — especially since most guides only cover scripts and frames for reCAPTCHA integration.
In my case, the errors show up specifically when the reCAPTCHA widget tries to validate or make background network calls. It seems that reCAPTCHA relies on certain API endpoints under *.google.com or *.gstatic.com that require explicit permission in connect-src. Without adding those, the console keeps flagging policy violations even though everything else is configured.
I’ve also been digging for official guidance, but documentation is either outdated or incomplete on this point. It would be great if Google clarified which hosts need to be included for connect-src in particular, since it seems unavoidable if we want a strict CSP setup. For now, I’m testing with broader allowances (like adding https://www.google.com and https://www.gstatic.com under connect-src), but I’d prefer a definitive list rather than trial and error.
If you or anyone else here finds an authoritative resource or exact domains required for reCAPTCHA’s connect-src, I’d really appreciate it — because I’m facing the same headache right now.
Is there anyone who can help me? Thanks!
That is correct, the docs should also list
The GCP version of the docs does include this entry: https://cloud.google.com/recaptcha/docs/faq#csp-configuration
We will update the other docs page accordingly.
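
Why the console names connect-src when only script-src and frame-src were configured, as an added example that is not part of the thread or of Google's documentation: fetch/XHR requests are checked against connect-src and fall back to default-src when it is absent. The sketch assumes the page also sends `default-src 'self'` (the posters do not show their full policy); the connect-src hosts are the trial values from the second post, not an authoritative list, and `PAGE` and `TARGET` are constructed.

```javascript
// Added example, not Google's or the posters' code. Handles 'self', 'none', '*' and
// scheme://host[:port][/path] sources only; other forms fail closed.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    // Sources inside one directive are separated by whitespace, not commas.
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return /^https?:$/.test(url.protocol);
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme.toLowerCase() + ':' !== url.protocol) return false; // exact scheme only
  const want = host.toLowerCase();
  const hostOk = want.startsWith('*.') ? url.hostname.endsWith(want.slice(1))
                                       : url.hostname === want;
  const def = url.protocol === 'https:' ? '443' : '80';
  const portOk = port === '*' || (port || def) === (url.port || def);
  // A path ending in "/" is a prefix match; any other path must match exactly.
  const pathOk = !path || (path.endsWith('/') ? url.pathname.startsWith(path)
                                              : url.pathname === path);
  return hostOk && portOk && pathOk;
}

// fetch/XHR/WebSocket are checked against connect-src, falling back to default-src.
function connectAllowed(header, target, pageOrigin) {
  const policy = parsePolicy(header);
  const governing = ['connect-src', 'default-src'].find(d => policy.has(d)) || null;
  if (!governing) return { allowed: true, governing };
  const url = new URL(target);
  const allowed = policy.get(governing).some(s => sourceMatches(s, url, pageOrigin));
  return { allowed, governing };
}

// Constructed inputs: page origin, request URL and default-src are assumptions.
const PAGE = 'https://example.test';
const TARGET = 'https://www.google.com/recaptcha/constructed-endpoint';
const BEFORE = "default-src 'self'; " +
  'script-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; ' +
  'frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/';
const AFTER = BEFORE + "; connect-src 'self' https://www.google.com https://www.gstatic.com";
console.log(connectAllowed(BEFORE, TARGET, PAGE), connectAllowed(AFTER, TARGET, PAGE));
```

With `BEFORE` the request is refused under the default-src fallback even though the same URL is listed in script-src, which is the situation the thread describes.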