Page MenuHomePhabricator
Create Task
Maniphest T403829

hCaptcha: Self-host secure-api.js code
Open, Stalled, Needs TriagePublic
Actions

Description

Summary

The contents of secure-api.js can be self-hosted. We should consider doing this for improved auditability, especially if/when the contents change.

Specification

secure-api.js should be loaded from a versioned repository. The endpoint, assethost, and other query parameters should continue to be set to values that use the proxy.

Technical notes

TBD

Acceptance criteria

  • secure-api.js is stored in a publicly versioned repository
  • secure-api.js is loaded directly or indirectly via the publicly versioned repository
  • After loading our self-hosted secure-api.js, requests to hCaptcha from the client continue to route through the proxy

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hCaptcha: Use ResourceLoader for locally-hosted secure-api.jsmediawiki/extensions/ConfirmEditmaster+20 -9
Customize query in gerrit

Related Objects

Event Timeline

kostajh created this task.Sep 5 2025, 2:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 5 2025, 2:28 PM
EMill-WMF subscribed.Sep 5 2025, 2:37 PM

To be clear, the main goal here is to remove the risk of unexpected changes (including compromise) of the part of the JavaScript that necessarily has access to the parent document context before establishing the iframes that the rest of the code is then loaded into.

We should consider doing this for improved auditability, especially if/when the contents change.

The auditability benefit here is when compared to the other ways we might address this risk (inlining the JS inside our other existing files, or using Subresource Integrity to protect the code from a 3P origin).

kostajh updated the task description. (Show Details)Sep 7 2025, 12:07 PM
kostajh updated the task description. (Show Details)
gerritbot added a comment.Sep 7 2025, 2:53 PM

Change #1185314 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ConfirmEdit@master] WIP: Use ResourceLoader for secure-api.js

https://gerrit.wikimedia.org/r/1185314

gerritbot added a project: Patch-For-Review.Sep 7 2025, 2:53 PM
kostajh claimed this task.Sep 7 2025, 7:24 PM
kostajh added a project: Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)).
kostajh mentioned this in T378188: Implement secure enclave mode for hCaptcha.Sep 7 2025, 7:26 PM
kostajh mentioned this in T404251: hCaptcha: Enable version pinning and subresource integrity.Sep 10 2025, 7:03 PM
kostajh mentioned this in T404204: Investigate options for automatic fallback to FancyCAPTCHA.Sep 12 2025, 8:23 AM
Reedy moved this task from Backlog to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.Sep 12 2025, 4:42 PM
kostajh moved this task from Backlog to In progress on the WE4.2 Bot detection (WE4.2 hCaptcha account creation trial) board.Sep 16 2025, 7:47 AM
jijiki subscribed.EditedSep 16 2025, 7:53 AM

For licensing reasons, as discussed in 1185314 (and to my knowledge as well), we are unable to host any proprietary code to our repos. I am afraid, same principle applies to our puppet repo as well.

kostajh removed projects: Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)), WE4.2 Bot detection (WE4.2 hCaptcha account creation trial).Sep 18 2025, 6:22 AM

We don't have a clear path forwards on this right now. T404251: hCaptcha: Enable version pinning and subresource integrity is implemented, however.

gerritbot added a comment.Sep 18 2025, 11:51 AM

Change #1185314 abandoned by Kosta Harlan:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Use ResourceLoader for locally-hosted secure-api.js

Reason:

Abandoning this for now

https://gerrit.wikimedia.org/r/1185314

Maintenance_bot removed a project: Patch-For-Review.Sep 18 2025, 12:30 PM
kostajh changed the task status from Open to Stalled.Sep 25 2025, 1:41 PM
kostajh removed kostajh as the assignee of this task.
kostajh mentioned this in T418477: Improve resilience of hCaptcha API URL loading to transient network issues.Thu, Feb 26, 1:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits