Page MenuHomePhabricator
Create Task
Maniphest T404251

hCaptcha: Enable version pinning and subresource integrity
Closed, ResolvedPublic
Actions

Description

Summary

hCaptcha's secure enclave mode supports pinning a specific version of the secure-api.js script, for which we can also use subresource integrity for verification.

Background

T403829: hCaptcha: Self-host secure-api.js code needs more time to work out how to accommodate loading the secure-api.js in ConfirmEdit and on Wikimedia hosting. In the meantime, we'll benefit from pinning the version of the secure-api.js script and ensuring that it's contents do not change from our expectations by setting the integrity parameter on the script element.

Acceptance criteria

  • ConfirmEdit/hCaptcha supports specifying the integrity field for the script element of the secure-api.js script
  • Wikimedia's deployment of hCaptcha has veresion pinning and subresource integrity enabled for secure-api.js

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hCaptcha: Set wgHCaptchaApiUrlIntegrityHash and pin secure-api.js versionoperations/mediawiki-configmaster+4 -1
hCaptcha: Enable version pinning and subresource integritymediawiki/extensions/ConfirmEditwmf/1.45.0-wmf.19+11 -2
hCaptcha: Enable version pinning and subresource integritymediawiki/extensions/ConfirmEditwmf/1.45.0-wmf.18+11 -2
hCaptcha: Enable version pinning and subresource integritymediawiki/extensions/ConfirmEditmaster+11 -2
P:hcaptcha: Adjust regex matchoperations/puppetproduction+1 -1
hCaptcha: Special handling for hcaptcha-secure-api.js requestsoperations/puppetproduction+33 -0
P:hcaptcha: add temporary redirectoperations/puppetproduction+40 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedkostajhT402366 hCaptcha account creation trial deployment tracker
Restricted Task
Restricted Task
 ResolvedkostajhT404251 hCaptcha: Enable version pinning and subresource integrity

Event Timeline

kostajh created this task.Sep 10 2025, 7:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 10 2025, 7:03 PM
gerritbot added a comment.Sep 10 2025, 7:05 PM

Change #1187073 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Allow usage of subresource integrity

https://gerrit.wikimedia.org/r/1187073

gerritbot added a project: Patch-For-Review.Sep 10 2025, 7:05 PM
gerritbot added a comment.Sep 10 2025, 7:15 PM

Change #1187079 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/mediawiki-config@master] hCaptcha: Set wgHCaptchaApiUrlIntegrityHash and pin secure-api.js version

https://gerrit.wikimedia.org/r/1187079

kostajh claimed this task.Sep 10 2025, 7:59 PM
gerritbot added a comment.Sep 11 2025, 1:29 PM

Change #1187439 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/puppet@production] hCaptcha: Special handling for hcaptcha-secure-api.js requests

https://gerrit.wikimedia.org/r/1187439

kostajh added a parent task: Restricted Task.Sep 11 2025, 6:23 PM
gerritbot added a comment.Sep 15 2025, 3:21 PM

Change #1188380 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] P:hcaptcha: add temporary redirect

https://gerrit.wikimedia.org/r/1188380

kostajh moved this task from Backlog to In progress on the Bot detection and mitigation (WE4.2 hCaptcha account creation trial) board.Sep 16 2025, 7:44 AM
gerritbot added a comment.Sep 16 2025, 10:04 AM

Change #1188380 merged by Effie Mouzeli:

[operations/puppet@production] P:hcaptcha: add temporary redirect

https://gerrit.wikimedia.org/r/1188380

gerritbot added a comment.Sep 16 2025, 11:39 AM

Change #1188750 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/puppet@production] P:hcaptcha: Adjust regex match

https://gerrit.wikimedia.org/r/1188750

gerritbot added a comment.Sep 16 2025, 12:00 PM

Change #1187439 abandoned by Kosta Harlan:

[operations/puppet@production] hCaptcha: Special handling for hcaptcha-secure-api.js requests

Reason:

Done via Ida1fa98e0cf8aee2922edc2186a423c02bd3246f

https://gerrit.wikimedia.org/r/1187439

gerritbot added a comment.Sep 16 2025, 12:56 PM

Change #1188750 merged by Effie Mouzeli:

[operations/puppet@production] P:hcaptcha: Adjust regex match

https://gerrit.wikimedia.org/r/1188750

gerritbot added a comment.Sep 16 2025, 3:34 PM

Change #1188823 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ConfirmEdit@wmf/1.45.0-wmf.18] hCaptcha: Enable version pinning and subresource integrity

https://gerrit.wikimedia.org/r/1188823

gerritbot added a comment.Sep 16 2025, 3:34 PM

Change #1188824 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ConfirmEdit@wmf/1.45.0-wmf.19] hCaptcha: Enable version pinning and subresource integrity

https://gerrit.wikimedia.org/r/1188824

gerritbot added a comment.Sep 16 2025, 3:59 PM

Change #1187073 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Enable version pinning and subresource integrity

https://gerrit.wikimedia.org/r/1187073

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.20; 2025-09-23).Sep 16 2025, 4:01 PM
gerritbot added a comment.Sep 16 2025, 8:36 PM

Change #1188823 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.45.0-wmf.18] hCaptcha: Enable version pinning and subresource integrity

https://gerrit.wikimedia.org/r/1188823

gerritbot added a comment.Sep 16 2025, 8:36 PM

Change #1188824 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.45.0-wmf.19] hCaptcha: Enable version pinning and subresource integrity

https://gerrit.wikimedia.org/r/1188824

Stashbot added a comment.Sep 16 2025, 8:36 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-16T20:36:32Z] <kharlan@deploy1003> Started scap sync-world: Backport for [[gerrit:1188823|hCaptcha: Enable version pinning and subresource integrity (T404251)]], [[gerrit:1188824|hCaptcha: Enable version pinning and subresource integrity (T404251)]]

Stashbot added a comment.Sep 16 2025, 8:42 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-16T20:42:29Z] <kharlan@deploy1003> kharlan: Backport for [[gerrit:1188823|hCaptcha: Enable version pinning and subresource integrity (T404251)]], [[gerrit:1188824|hCaptcha: Enable version pinning and subresource integrity (T404251)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Sep 16 2025, 8:49 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-16T20:49:03Z] <kharlan@deploy1003> Finished scap sync-world: Backport for [[gerrit:1188823|hCaptcha: Enable version pinning and subresource integrity (T404251)]], [[gerrit:1188824|hCaptcha: Enable version pinning and subresource integrity (T404251)]] (duration: 12m 31s)

gerritbot added a comment.Sep 16 2025, 8:52 PM

Change #1187079 merged by jenkins-bot:

[operations/mediawiki-config@master] hCaptcha: Set wgHCaptchaApiUrlIntegrityHash and pin secure-api.js version

https://gerrit.wikimedia.org/r/1187079

Stashbot added a comment.Sep 16 2025, 8:52 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-16T20:52:52Z] <kharlan@deploy1003> Started scap sync-world: Backport for [[gerrit:1187079|hCaptcha: Set wgHCaptchaApiUrlIntegrityHash and pin secure-api.js version (T404251)]]

Stashbot added a comment.Sep 16 2025, 8:58 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-16T20:58:45Z] <kharlan@deploy1003> kharlan: Backport for [[gerrit:1187079|hCaptcha: Set wgHCaptchaApiUrlIntegrityHash and pin secure-api.js version (T404251)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.18; 2025-09-09); removed MW-1.45-notes (1.45.0-wmf.20; 2025-09-23).Sep 16 2025, 9:00 PM
kostajh updated the task description. (Show Details)Sep 16 2025, 9:05 PM
Stashbot added a comment.Sep 16 2025, 9:06 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-16T21:06:35Z] <kharlan@deploy1003> Finished scap sync-world: Backport for [[gerrit:1187079|hCaptcha: Set wgHCaptchaApiUrlIntegrityHash and pin secure-api.js version (T404251)]] (duration: 13m 42s)

Maintenance_bot removed a project: Patch-For-Review.Sep 16 2025, 9:30 PM
kostajh closed this task as Resolved.Sep 18 2025, 6:22 AM
kostajh mentioned this in T403829: hCaptcha: Self-host secure-api.js code.
kostajh added a project: Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)).
Dreamy_Jazz moved this task from Priority Backlog to Done on the Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)) board.Sep 19 2025, 3:37 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits