Due to changes in modern browser XSS (Cross-site scripting) protection, applying Application Control enforcement for Google applications within Umbrella DNS policy will result in Google ReCAPTCHA images failing to load. The issue occurs in the following scenario:
- A recent version of Google Chrome or Microsoft Edge browser is in use
- The Umbrella DNS policy has the Intelligent Proxy feature enabled
- The Umbrella DNS policy contains Application Control enforcement for Google applications (for example, Google Drive)
In this scenario, sites that utilise Google ReCAPTCHA when logging in will fail to display the images correctly and look similar to the below:
This behaviour only applies to DNS policies. Web policies are unaffected by this behaviour.
Our engineering team are looking into refining the Google Application Identities, with a view to improving compatibility here with Google CAPTCHA.
However, we do not have any committed timelines for this as extensive testing is required to ensure that an acceptable efficacy for identifying Google Application traffic is maintained.
This article will be updated if and when more information is available.
Previous workarounds for similar symptoms, related to adding sites to Allow Lists, no longer work due to the changes in modern browser XSS protection.
Therefore the options available now are:
- Customers with a SIG subscription can enforce Google Application controls via Web Policy rather than DNS Policy.
- DNS-only customers can remove the Google applications from Application Control within the DNS policy to restore Google CAPTCHA functionality. However, please note that this will result in the Google applications in question being allowed for the end users to whom the modified policy applies.