Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
Moderator: trava90
Forum rules
Please always mention the name/domain of the website in question in your topic title.
Please one website per topic thread (to help keep things organized). While behavior on different sites might at first glance seem similar, they are not necessarily caused by the same.
Please try to include any relevant output from the Toolkit Error Console or the Developer Tools Web Console using the following procedure:
- Clear any current output
- Navigate or refresh the page in question
- Copy and paste Errors or seemingly relevant Warnings into a single [ code ] block.
Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
Hello,
I am contacting you on behalf of ProtonMail - the secure email provider (www.protonmail.com).
We have received multiple reports where people who wish to create a ProtonMail account using the PaleMoon browser are unable to do so. The CAPTCHA challenge does not appear as the loading animation keeps spinning. We have successfully reproduced this behavior and it only happens when using the PaleMoon browser.
Steps to reproduce:
- Go to protonmail.com
- Click on the Sign Up button
- Open and select the Free Plan
- Fill in the necessary information
- Click Create account
- In the next verification step, the CAPTCHA option won't load
Screenshot of the behavior:
The same happens on our beta version (beta.protonmail.com). We suspect that nonce processing is not working as it should.
Any help regarding this problem would be much appreciated and thank you for your time.
Best Regards,
The ProtonMail team.
- Pale Moon guru
- Posts: 35648
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
I investigated and the problem seems to be that the iframe you are loading has script tags in both the head and the body; only the script block in the body has a nonce. The script in the head is blocked as a result of your CSP since
Code:
src="https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit"
is not allowed by CSP
Code:
“script-src https://mail-api.protonmail.com 'unsafe-eval' 'nonce-YHrGr+xFAEGutbsQYgbr/AAAAG0'”
In addition the body script nonce seems to be a mismatch? The nonce given in the body script tag is
Code:
YHrHfb1icF1AqbrbEYLRKwAAANk
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
The page creates the script tag with https://www.google.com/recaptcha/api.js ... r=explicit and sets the nonce attribute on the script tag with the nonce value returned by the CSP policy before injecting it into the head.
No, the google.com recaptcha script is not allowed according to the script-src directive, but the nonce is.
In addition, I don't see the mismatch you are mentioning.
You can reproduce this by opening:
https://mail-api.protonmail.com/core/v4 ... ken=signup
Let me know if you need anything else!
- Pale Moon guru
- Posts: 35648
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
Here's the CSP of the request:
Code:
default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; style-src 'self' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; frame-src https://www.google.com/recaptcha/; report-uri https://reports.protonmail.ch/reports/csp;
Here's the console output.
Code:
17:46:34.702 Content Security Policy: The page’s settings blocked the loading of a resource at https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit (“script-src https://mail-api.protonmail.com 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'”). 1 (unknown)
Only the BODY script has a nonce and is inline:
Code:
<script nonce="YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ">
...
</script>
(and yes there is no mismatch there in the nonce, I'm not sure why I saw one when I investigated last time)
but the blocked script (mentioned in the console) is in the HEAD and that script does not have a nonce.
Code:
<script type="text/javascript" src="https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit"></script>
I'm assuming that script is necessary for the CAPTCHA to be drawn. It is blocked by the policy you have on that page.
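The console line quoted in the post above is the browser applying the script-src directive to one element at a time. The following Node.js script is an added illustration, not Pale Moon, Mozilla or ProtonMail code: it parses the policy header quoted above with simplified CSP matching rules and evaluates the two script elements from the iframe, plus a hypothetical third variant of the head script with the nonce attached. The page origin used for 'self' and the simplified host-source matching are assumptions.

```javascript
// Added example (not browser, Pale Moon or ProtonMail code): a simplified
// model of how script-src is evaluated against individual <script> elements.
// The policy and the two script elements are the ones quoted in the thread;
// the page origin and the simplified host matching are assumptions.

// Parse a serialized CSP into { directiveName: [sourceExpression, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback when it is absent.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

// Simplified host-source matching: 'self' compares origins; a URL-shaped
// source must match the origin and, if it carries a path, be a path prefix.
// Keyword sources ('unsafe-eval', 'nonce-...') are not URLs and never match.
function hostSourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  let candidate;
  try {
    candidate = new URL(source);
  } catch (_) {
    return false;
  }
  if (candidate.origin !== url.origin) return false;
  const hostOnly = candidate.pathname === '/' && !source.endsWith('/');
  return hostOnly || url.pathname.startsWith(candidate.pathname);
}

// Evaluate one script element described as { src?, inline?, nonce? }.
function evaluateScript(policy, script, pageOrigin) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return { allowed: true, reason: 'policy does not restrict scripts' };
  // A nonce listed in the policy allows the element regardless of where it
  // loads from; this is the only route by which the head script can pass.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) {
    return { allowed: true, reason: 'nonce matches the policy' };
  }
  if (script.inline) {
    return sources.includes("'unsafe-inline'")
      ? { allowed: true, reason: "'unsafe-inline' is present" }
      : { allowed: false, reason: 'inline script without a matching nonce' };
  }
  const url = new URL(script.src);
  const match = sources.find((s) => hostSourceMatches(s, url, pageOrigin));
  return match
    ? { allowed: true, reason: `matched source ${match}` }
    : { allowed: false, reason: `${url.origin} is not an allowed script source` };
}

// Header exactly as quoted in the thread ('self' is the iframe's own origin).
const THREAD_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; " +
  "style-src 'self' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; frame-src https://www.google.com/recaptcha/; " +
  "report-uri https://reports.protonmail.ch/reports/csp;";
const PAGE_ORIGIN = 'https://mail-api.protonmail.com'; // assumed from the console line

// The head script as Pale Moon saw it (no nonce), the inline body script, and
// a hypothetical head script carrying the nonce the way ProtonMail intends.
const HEAD_SCRIPT = { src: 'https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit' };
const BODY_SCRIPT = { inline: true, nonce: 'YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ' };
const HEAD_SCRIPT_WITH_NONCE = { ...HEAD_SCRIPT, nonce: 'YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ' };

function runThreadScenario() {
  return {
    headWithoutNonce: evaluateScript(THREAD_POLICY, HEAD_SCRIPT, PAGE_ORIGIN),
    body: evaluateScript(THREAD_POLICY, BODY_SCRIPT, PAGE_ORIGIN),
    headWithNonce: evaluateScript(THREAD_POLICY, HEAD_SCRIPT_WITH_NONCE, PAGE_ORIGIN),
  };
}

console.log(runThreadScenario());
```

Running it reports the head script blocked (www.google.com is neither 'self' nor listed), the inline body script allowed by its nonce, and the nonce-bearing head script allowed. The model omits some real CSP rules, for example that 'unsafe-inline' is ignored once a nonce source is present, but it is enough to show that the fix lies in the nonce actually reaching the element rather than in widening script-src to another origin.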
Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
Please take a look at the screenshot I included. I have highlighted the script tag in the head and show the nonce attribute of it. You can clearly see it is the same as the script tag in the body.
Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
Nonce attributes set like this are hidden (in case you are wondering why you don't see it in clear-text: https://github.com/whatwg/html/issues/2369)
- Pale Moon guru
- Posts: 35648
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.
Oh, I see. So you're (or rather Google is..? I guess their UA sniffing discrimination in recaptcha wasn't good enough) using a Chrome experiment-pushed-spec to hide nonces (squirrelling them away in DOM node properties instead of element/DOM attributes) that are in fact pointless to hide in the first place.
EDIT: I did notice one issue with our implementation that may cause this practical problem; Mozilla devs forgot to add the IDL interface entries for nonces when adding them to CSP as DOM attributes which means they would not be accessible everywhere; yet another half-implementation we inherited. I'm thinking that would at least allow this captcha to succeed if added.
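The nonce hiding ProtonMail links to and the missing IDL property the post above describes are easier to see side by side. The following Node.js script is an added illustration, not browser, Pale Moon or ProtonMail code: a constructed stand-in for a script element that either does or does not expose the spec's `nonce` property, used to compare what a CSP nonce check sees when the nonce is assigned through the property versus through the content attribute. The class, its `connectToDocumentWithNonceCsp` step and the `cryptographicNonce` field are assumptions modelling the spec's internal slot, not real DOM APIs; only setAttribute/getAttribute mirror the real DOM.

```javascript
// Added example (not browser code): a toy model of nonce hiding
// (whatwg/html#2369) and of an element that lacks the `nonce` IDL property,
// as the Pale Moon post describes. Everything below is a constructed
// stand-in for HTMLScriptElement, with the spec's [[CryptographicNonce]]
// slot modelled as a plain field.

const NONCE_VALUE = 'YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; // value from the thread's policy

class FakeScriptElement {
  // withIdlNonce: whether the element exposes the spec's `nonce` property
  // backed by the internal slot; false models the half-implementation.
  constructor(withIdlNonce) {
    this.attributes = new Map();
    this.cryptographicNonce = ''; // the internal slot the CSP check reads
    if (withIdlNonce) {
      Object.defineProperty(this, 'nonce', {
        get: () => this.cryptographicNonce,
        set: (v) => { this.cryptographicNonce = String(v); },
      });
    }
  }
  // Spec: changing the nonce content attribute copies its value into the slot.
  setAttribute(name, value) {
    if (name === 'nonce') this.cryptographicNonce = String(value);
    this.attributes.set(name, String(value));
  }
  getAttribute(name) {
    return this.attributes.has(name) ? this.attributes.get(name) : null;
  }
  // Nonce hiding: once the element is connected to a document whose CSP uses
  // nonces, the content attribute is blanked (written directly so the slot
  // survives) so it cannot be read back or leaked via attribute selectors.
  connectToDocumentWithNonceCsp() {
    if (this.attributes.has('nonce')) this.attributes.set('nonce', '');
  }
}

// CSP side: the check compares the slot, never the visible attribute.
function cspNonceCheck(element, requiredNonce) {
  return element.cryptographicNonce === requiredNonce;
}

// The pattern ProtonMail describes: create the element, assign the nonce via
// the property, then insert it. Without the IDL property the assignment is
// only an expando and the slot stays empty.
function injectViaIdlProperty(withIdlNonce) {
  const el = new FakeScriptElement(withIdlNonce);
  el.setAttribute('src', 'https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit');
  el.nonce = NONCE_VALUE;
  el.connectToDocumentWithNonceCsp();
  return {
    passesCsp: cspNonceCheck(el, NONCE_VALUE),
    visibleAttribute: el.getAttribute('nonce'),
    propertyValue: el.nonce,
  };
}

// Setting the content attribute instead fills the slot on both models; the
// attribute is still hidden after connection.
function injectViaSetAttribute(withIdlNonce) {
  const el = new FakeScriptElement(withIdlNonce);
  el.setAttribute('src', 'https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit');
  el.setAttribute('nonce', NONCE_VALUE);
  el.connectToDocumentWithNonceCsp();
  return {
    passesCsp: cspNonceCheck(el, NONCE_VALUE),
    visibleAttribute: el.getAttribute('nonce'),
  };
}

console.log('property, IDL present :', injectViaIdlProperty(true));
console.log('property, IDL missing :', injectViaIdlProperty(false));
console.log('attribute, IDL missing:', injectViaSetAttribute(false));
```

In the model, assigning the property on an element with the IDL attribute passes the check while getAttribute('nonce') shows nothing, which is the hidden-nonce behaviour ProtonMail points at; the same assignment on the element without the IDL attribute leaves the slot empty and the check fails, which matches the post's reading of why the captcha script is blocked. Setting the content attribute passes on both, which is why a page that must work across engines cannot rely on the property alone.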