Introduction
This document describes a solution for Google ReCAPTCHA images that fail to load correctly.
Problem
Due to changes in modern browser XSS (Cross-site scripting) protection, applying Application Control enforcement for Google applications within Umbrella DNS policy results in Google ReCAPTCHA images failing to load.
Scenario
- A recent version of Google Chrome or Microsoft Edge browser is in use.
- The Umbrella DNS policy has the Intelligent Proxy feature enabled.
- The Umbrella DNS policy contains Application Control enforcement for Google applications (for example, Google Drive).
In this scenario, sites that utilise Google ReCAPTCHA when logging in can fail to display the images correctly and look similar to this example:
[Image: example of Google ReCAPTCHA images failing to display]
Note: This behaviour only applies to DNS policies. Web policies are unaffected by this behaviour.
Current Status
Our engineering team are looking into refining the Google Application Identities, with a view to improving compatibility with Google CAPTCHA.
However, we do not have any committed timelines for this as extensive testing is required to ensure that an acceptable efficacy for identifying Google Application traffic is maintained.
This article is updated when more information is available.
Solution
Previous workarounds for similar symptoms, related to adding sites to Allow Lists, no longer work due to the changes in modern browser XSS protection.
The options available are:
- Customers with a SIG subscription can enforce Google Application controls via Web Policy rather than DNS Policy.
- DNS-only customers can remove the Google applications from Application Control within the DNS policy to restore Google CAPTCHA functionality. However, please note this results in the Google applications in question being allowed for the end users that the modified policy applies to.