Update

Author: BenjaminMichaelis

EssentialCSharp.Web/Middleware/SecurityHeadersBuilder.cs

@@ -1,4 +1,4 @@
-using System.Globalization;
+using System.Globalization;
 using EssentialCSharp.Web.Middleware.Constants;
 
 namespace EssentialCSharp.Web.Middleware;
@@ -35,8 +35,12 @@ public SecurityHeadersBuilder AddDefaultSecurePolicy()
         AddCustomHeader("X-Permitted-Cross-Domain-Policies", "master-only");
         // <add name="Referrer-Policy" value="no-referrer" />
         AddCustomHeader("Referrer-Policy", "no-referrer");
-        // <add name="Permissions-Policy" value="accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()" />
-        AddCustomHeader("Permissions-Policy", "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()");
+        const string permissionsPolicy =
+            "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), " +
+            "gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), " +
+            "picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), " +
+            "web-share=(), xr-spatial-tracking=()";
+        AddCustomHeader("Permissions-Policy", permissionsPolicy);
 
         // Headers to Remove: https://owasp.org/www-project-secure-headers/ci/headers_remove.json
         RemoveServerHeader();

EssentialCSharp.Web/Views/Shared/_Layout.cshtml

@@ -83,7 +83,7 @@
     </script>
     <script src="~/js/hcaptcha-form.js" asp-append-version="true"></script>
     <!-- hCaptcha Script -->
-    <script src="https://js.hcaptcha.com/1/api.js?onload=ecsOnHcaptchaLoad" async defer></script>
+    <script src="https://js.hcaptcha.com/1/api.js?render=explicit&onload=ecsOnHcaptchaLoad" async defer></script>
     @await RenderSectionAsync("HeadAppend", required: false)
 </head>
 <body>

EssentialCSharp.Web/wwwroot/js/hcaptcha-form.js

@@ -44,6 +44,41 @@ window.EssentialCSharp = window.EssentialCSharp || {};
         return window.jQuery(form).valid();
     }
 
+    function resolveGlobalCallback(callbackName) {
+        if (!callbackName) {
+            return null;
+        }
+
+        const callback = window[callbackName];
+        return typeof callback === 'function' ? callback : null;
+    }
+
+    function renderDeclarativeWidgets() {
+        document.querySelectorAll('.h-captcha[data-sitekey]').forEach(function (element) {
+            if (element.dataset.ecsRendered === 'true') {
+                return;
+            }
+
+            const siteKey = element.dataset.sitekey;
+            if (!siteKey) {
+                return;
+            }
+
+            const options = {
+                sitekey: siteKey,
+                size: element.dataset.size || 'normal'
+            };
+
+            const callback = resolveGlobalCallback(element.dataset.callback);
+            if (callback) {
+                options.callback = callback;
+            }
+
+            window.hcaptcha.render(element, options);
+            element.dataset.ecsRendered = 'true';
+        });
+    }
+
     namespace.whenHcaptchaReady = function (callback) {
         if (isHcaptchaReady()) {
             callback();
@@ -122,6 +157,12 @@ window.EssentialCSharp = window.EssentialCSharp || {};
             });
         });
     };
+
+    onDomReady(function () {
+        namespace.whenHcaptchaReady(function () {
+            renderDeclarativeWidgets();
+        });
+    });
 })(window.EssentialCSharp.HCaptcha = window.EssentialCSharp.HCaptcha || {});
 
 window.ecsOnHcaptchaLoad = function () {