fix: allow hcaptcha frame

CorySanin · Aug 5, 2024 · 9998756 · 9998756
1 parent 74292d8
commit 9998756
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@
 
 Self-hostable contact form service for Ghost blogs. Or any other applications you can think of. The limit is in your mind.
 
-Add a contact form to your Ghost site without a subscription!
+Add a contact form to your Ghost site without a subscription! Supports captchas from reCAPTCHA and hCaptcha.
 
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/CorySanin/seance/master/assets/images/screenshot_dark.png">
@@ -50,6 +50,10 @@ Seance takes a JSON or JSON5 config file (default location is config/config.json
     recaptchaKey: string,
     // If using reCAPTCHA, provide the site secret
     recaptchaSecret: string,
+    // If using hCaptcha, provide the site key
+    hCaptchaKey: string,
+    // If using hCaptcha, provide the account secret
+    hCaptchaSecret: string,
     // The Nodemailer transport configuration. See https://nodemailer.com/smtp/
     smtp: SMTPTransport | SMTPTransport.Options,
     // The address to send emails from. Defaults to the smtp username

diff --git a/views/index.ejs b/views/index.ejs
@@ -27,7 +27,7 @@
                 <% if (locals.recaptcha) { %>
                 <div class="second-col g-recaptcha" data-sitekey="<%= recaptcha %>" data-theme="<% echo(locals.dark ? 'dark':'light') %>" data-callback="unblockSend"></div>
                 <% } else if (locals.hCaptcha) { %>
-                <div class="h-captcha" data-sitekey="<%= hCaptcha %>" data-theme="<% echo(locals.dark ? 'dark':'light') %>" data-callback="unblockSend"></div>
+                <div class="second-col h-captcha" data-sitekey="<%= hCaptcha %>" data-theme="<% echo(locals.dark ? 'dark':'light') %>" data-callback="unblockSend"></div>
                 <% } %>
                 <div class="second-col"><input id="sendBtn" type="submit" value="Send" <% if (recaptcha) { %>disabled<% } %>></div>
                 <div class="second-col"><%- include("powered-by", locals) %></div>

diff --git a/web.ts b/web.ts
@@ -91,7 +91,7 @@ export default class Web {
                 },
                 function (err, html) {
                     if (!err) {
-                        res.set('Content-Security-Policy', `frame-ancestors 'self' ${allowedHosts}; default-src 'self' https://www.google.com; connect-src 'self' *; script-src 'self' 'nonce-${nonce}'`);
+                        res.set('Content-Security-Policy', `frame-ancestors 'self' ${allowedHosts}; default-src 'self' https://www.google.com https://*.hcaptcha.com; connect-src 'self' *; script-src 'self' 'nonce-${nonce}'`);
                         res.send(html);
                     }
                     else {
@@ -132,7 +132,7 @@ export default class Web {
         const createPageRenderer = (res: express.Response) => {
             return (err: Error, html: string) => {
                 if (!err) {
-                    res.set('Content-Security-Policy', `frame-ancestors 'self' ${allowedHosts}; default-src 'self'; connect-src 'self' *; script-src 'self'`);
+                    res.set('Content-Security-Policy', `frame-ancestors 'self' ${allowedHosts}; default-src 'self'; connect-src 'self' *; script-src 'self';`);
                     res.send(html);
                 }
                 else {