Page MenuHomePhabricator
Create Task
Maniphest T388902

Make hCaptcha proxy URL compatible with MediaWiki CSP
Closed, ResolvedPublic
Actions

Description

This is to avoid reporting of many errors on the CSP audit logs, but it should still work anyway

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
HCaptcha: Fix getCSPUrls()mediawiki/extensions/ConfirmEditREL1_44+1 -1
hCaptcha: Variable-ise CSP URLsmediawiki/extensions/ConfirmEditREL1_44+8 -1
HCaptcha: Fix getCSPUrls()mediawiki/extensions/ConfirmEditmaster+1 -1
hCaptcha: Variable-ise CSP URLsmediawiki/extensions/ConfirmEditmaster+8 -1
hCaptcha: Add config to disable loading of hCaptcha CSP rulesmediawiki/extensions/ConfirmEditmaster+8 -0
Customize query in gerrit

Related Objects

Event Timeline

acooper created this task.Mar 14 2025, 4:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 14 2025, 4:11 PM
Reedy renamed this task from Make hCaptcha proxy URL compatible with Mediawiki CSP to Make hCaptcha proxy URL compatible with MediaWiki CSP.EditedMar 24 2025, 12:12 PM

Probably a config flag as to whether to set CSP headers.

And/or a $wg of values to be set, to allow them to be customised...

Reedy moved this task from Backlog to In progress on the Bot detection and mitigation (WE4.2 hCaptcha account creation trial) board.Apr 14 2025, 11:19 AM
gerritbot added a comment.Apr 14 2025, 11:20 AM

Change #1136349 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Add config to disable loading of hCaptcha CSP rules

https://gerrit.wikimedia.org/r/1136349

gerritbot added a project: Patch-For-Review.Apr 14 2025, 11:20 AM
Reedy added a comment.Apr 14 2025, 11:22 AM

^ Patch stops the adding of hcaptcha.com and *.hcaptcha.com to requests.

TBC if we need to add custom CSP rules for our proxy (maybe? maybe not). We may need/want to move the hard coded [ 'https://hcaptcha.com', 'https://*.hcaptcha.com' ] into a $wg to allow customisation too...

	/** @inheritDoc */
	public static function getCSPUrls() {
		return [ 'https://hcaptcha.com', 'https://*.hcaptcha.com' ];
	}

	/**
	 * Adds the CSP policies that are necessary for the captcha module to work in a CSP enforced
	 * setup.
	 *
	 * @param ContentSecurityPolicy $csp The CSP instance to add the policies to, this is usually to be
	 * obtained from {@link OutputPage::getCSP()}
	 */
	public static function addCSPSources( ContentSecurityPolicy $csp ) {
		foreach ( static::getCSPUrls() as $src ) {
			// Since frame-src is not supported
			$csp->addDefaultSrc( $src );
			$csp->addScriptSrc( $src );
			$csp->addStyleSrc( $src );
		}
	}
Reedy added a comment.Apr 14 2025, 11:25 AM

^ The above is explicitly called in HTMLHCaptchaField (VE?), but I'm not 100% sure if they get called through the normal flow for other actions...

gerritbot added a comment.May 8 2025, 3:49 PM

Change #1143604 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Variable-ise CSP URLs

https://gerrit.wikimedia.org/r/1143604

gerritbot added a comment.May 13 2025, 3:38 PM

Change #1143604 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Variable-ise CSP URLs

https://gerrit.wikimedia.org/r/1143604

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).May 13 2025, 4:00 PM
gerritbot added a comment.May 13 2025, 4:01 PM

Change #1136349 abandoned by Reedy:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Add config to disable loading of hCaptcha CSP rules

Reason:

In favour of https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1143604

https://gerrit.wikimedia.org/r/1136349

Maintenance_bot removed a project: Patch-For-Review.May 13 2025, 4:30 PM
Reedy closed this task as Resolved.May 13 2025, 5:01 PM
gerritbot added a comment.Jun 19 2025, 12:03 PM

Change #1161486 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/ConfirmEdit@master] HCaptcha: Fix getCSPUrls()

https://gerrit.wikimedia.org/r/1161486

gerritbot added a project: Patch-For-Review.Jun 19 2025, 12:03 PM
gerritbot added a comment.Jun 20 2025, 8:55 AM

Change #1161486 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] HCaptcha: Fix getCSPUrls()

https://gerrit.wikimedia.org/r/1161486

ReleaseTaggerBot edited projects, added: MW-1.45-notes (1.45.0-wmf.7; 2025-06-24); removed: MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).Jun 20 2025, 9:00 AM
Maintenance_bot removed a project: Patch-For-Review.Jun 20 2025, 9:32 AM
gerritbot added a comment.Jun 23 2025, 9:14 PM

Change #1163034 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/ConfirmEdit@REL1_44] hCaptcha: Variable-ise CSP URLs

https://gerrit.wikimedia.org/r/1163034

gerritbot added a project: Patch-For-Review.Jun 23 2025, 9:14 PM

Change #1163035 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/ConfirmEdit@REL1_44] HCaptcha: Fix getCSPUrls()

https://gerrit.wikimedia.org/r/1163035

gerritbot added a comment.Jun 23 2025, 9:26 PM

Change #1163034 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@REL1_44] hCaptcha: Variable-ise CSP URLs

https://gerrit.wikimedia.org/r/1163034

gerritbot added a comment.Jun 23 2025, 10:31 PM

Change #1163035 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@REL1_44] HCaptcha: Fix getCSPUrls()

https://gerrit.wikimedia.org/r/1163035

Maintenance_bot removed a project: Patch-For-Review.Jun 23 2025, 11:30 PM
TzrZzz mentioned this in T423039: [hCaptcha] CORS error on jawiki/enwiki Special:CreateAccount (fails to load secure-api.js), but works on mediawikiwiki.Apr 12 2026, 3:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits