Page MenuHomePhabricator
Create Task
Maniphest T407344

hCaptcha: Add support for hCaptcha in the MobileFrontend editor
Closed, ResolvedPublic10 Estimated Story Points
Actions

Description

Summary

  • MobileFrontend uses the API to edit
  • When an edit is made using the MobileFrontend, the edit should be prevented unless the user solves an hCaptcha challenge

Acceptance criteria

  • An hCaptcha captcha challenge is triggered when the user edits a page using the mobile frontend
  • When the challenge is shown, the edit is not made unless the user correctly solves it
  • The captcha challenge should be shown in the same screen used for providing the edit summary (instead of having an additional step as it happens for other captcha types)
  • If the user clicks outside the popup that contains the captcha, it goes back to the form that prompts for the edit summary; trying to submit the edit again will show the captcha again

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hCaptcha: Support hCaptcha when using MobileFrontendmediawiki/extensions/ConfirmEditmaster+1 K -66
editor: Add hooks required for supporting hCaptcha on editsmediawiki/extensions/MobileFrontendmaster+289 -1
editor: Add support for hCaptchamediawiki/extensions/MobileFrontendmaster+136 -4
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 In Progresshector.arroyoT407339 hCaptcha: Implement hCaptcha on edits made through the MobileFrontend
 Resolvedhector.arroyoT407344 hCaptcha: Add support for hCaptcha in the MobileFrontend editor
 ResolvedDreamy_JazzT407377 hCaptcha: Create front-end JS configuration variable that indicates whether an edit to the given page would require hCaptcha completion
 ResolvedDreamy_JazzT407390 VisualEditor: Create a service to determine if a given page has VisualEditor available
 Declinedhector.arroyoT407428 MobileFrontend: Make it possible to read the value of wgMFIsSupportedEditRequest in PHP
 Resolvedhector.arroyoT407369 hCaptcha: Allow ext.confirmEdit.hCaptcha/secureEnclave.js to work when there is no form (API edits)
 Resolvedhector.arroyoT419230 hCaptcha: Move handling of ErrorWidget and ProgressIndicatorWidget to utils.js
 Resolvedhector.arroyoT419128 hCaptcha: Decouple createHCaptchaScriptTag & loadHCaptcha from the global document object
 Resolvedhector.arroyoT419126 hCaptcha: Refactor reusable code from secureEnclave.js into utils.js
 Resolvedhector.arroyoT419966 hCaptcha: Add required hooks to the MobileFrontend for supporting hCaptcha on edits
 Resolvedhector.arroyoT420574 hcaptcha: Make edits coming from the MobileFrontend use the sitekey for edits
 ResolvedMPostoronca-WMFT420903 hCaptcha: Edits on mobile which trigger addurl or AbuseFilter are failing to publish
 Resolvedhector.arroyoT423296 MobileFrontend source editor: hCaptcha privacy policy displayed unstyled

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 15 2025, 11:29 AM
hector.arroyo claimed this task.Oct 15 2025, 11:29 AM
hector.arroyo added a parent task: T407339: hCaptcha: Implement hCaptcha on edits made through the MobileFrontend.
hector.arroyo set the point value for this task to 1.
kostajh moved this task from Priority backlog to In progress on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Oct 15 2025, 11:48 AM
hector.arroyo renamed this task from hCaptcha: Add support for hCaptcha in the MoileFrontend to hCaptcha: Add support for hCaptcha in the MoileFrontend editor.Oct 15 2025, 2:18 PM
hector.arroyo added a project: MobileFrontend.
hector.arroyo moved this task from Untriaged to MobileFrontend (Editor) on the MobileFrontend board.
hector.arroyo edited projects, added: MobileFrontend (MobileFrontend (Editor)); removed: MobileFrontend.
hector.arroyo moved this task from Backlog to Triaged on the MobileFrontend (MobileFrontend (Editor)) board.
hector.arroyo renamed this task from hCaptcha: Add support for hCaptcha in the MoileFrontend editor to hCaptcha: Add support for hCaptcha in the MobileFrontend editor.Oct 15 2025, 2:21 PM
Dreamy_Jazz added a subtask: T407377: hCaptcha: Create front-end JS configuration variable that indicates whether an edit to the given page would require hCaptcha completion.Oct 15 2025, 3:01 PM
hector.arroyo moved this task from Backlog to In progress on the Bot detection and mitigation (WE4.2 hCaptcha editing trial) board.Oct 16 2025, 1:45 PM
hector.arroyo changed the task status from Open to Stalled.Oct 17 2025, 9:45 AM
gerritbot added a comment.Oct 17 2025, 11:35 AM

Change #1196889 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/MobileFrontend@master] WiP Currently not working, requires previous patches to be merged

https://gerrit.wikimedia.org/r/1196889

gerritbot added a project: Patch-For-Review.Oct 17 2025, 11:36 AM
hector.arroyo added a comment.EditedOct 17 2025, 11:42 AM

It is getting really confusing to work on this feature without having the previous patches merged first

Dreamy_Jazz added a project: OKR-Work.Oct 17 2025, 1:38 PM
OKryva-WMF edited projects, added: Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)); removed: Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)).Oct 20 2025, 2:29 PM
OKryva-WMF moved this task from Backlog to In progress on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Oct 20 2025, 2:29 PM
hector.arroyo added a comment.Oct 21 2025, 3:25 PM

The current solution has just been downvoted by the Editing team, raising the estination for this task.

hector.arroyo changed the point value for this task from 1 to 6.Oct 21 2025, 3:25 PM
Dreamy_Jazz closed subtask T407377: hCaptcha: Create front-end JS configuration variable that indicates whether an edit to the given page would require hCaptcha completion as Resolved.Oct 21 2025, 6:05 PM
gerritbot added a comment.Oct 24 2025, 2:34 PM

Change #1198289 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/MobileFrontend@master] editor: Add hooks required for supporting hCaptcha on edits

https://gerrit.wikimedia.org/r/1198289

hector.arroyo added a comment.EditedOct 24 2025, 3:37 PM

The solution has been reworked.

hector.arroyo changed the point value for this task from 6 to 10.Oct 24 2025, 3:37 PM
gerritbot added a comment.Oct 24 2025, 3:40 PM

Change #1196056 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Support hCaptcha when using the MobileFrontend

https://gerrit.wikimedia.org/r/1196056

hector.arroyo changed the task status from Stalled to In Progress.Oct 28 2025, 4:40 PM
hector.arroyo added a comment.Oct 28 2025, 5:28 PM

There's a change pending to be done in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1196056 to make the popup with the challenge close when the user clicks outside it.

I'm updating the ACs to reflect this.

hector.arroyo updated the task description. (Show Details)Oct 28 2025, 5:34 PM
hector.arroyo moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Oct 29 2025, 10:38 AM
gerritbot added a comment.Oct 29 2025, 4:12 PM

Change #1196889 abandoned by Harroyo-wmf:

[mediawiki/extensions/MobileFrontend@master] editor: Add support for hCaptcha

Reason:

Superseded by I09fa5d5d00755425b1ac3e56d9714a56333ffef6

https://gerrit.wikimedia.org/r/1196889

kostajh moved this task from In progress to On hold on the Bot detection and mitigation (WE4.2 hCaptcha editing trial) board.Nov 4 2025, 12:55 PM
kostajh moved this task from Needs review to Backlog on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Nov 5 2025, 12:52 PM
hector.arroyo edited projects, added: Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)); removed: Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)).Feb 20 2026, 1:14 PM
hector.arroyo moved this task from On hold to Ready on the Bot detection and mitigation (WE4.2 hCaptcha editing trial) board.
hector.arroyo moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)) board.Feb 20 2026, 1:17 PM
hector.arroyo moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)) board.Feb 20 2026, 2:41 PM
hector.arroyo moved this task from Ready to In progress on the Bot detection and mitigation (WE4.2 hCaptcha editing trial) board.Feb 24 2026, 10:28 AM
hector.arroyo added a comment.Feb 25 2026, 3:25 PM
In T407344#11320319, @hector.arroyo wrote:

There's a change pending to be done in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1196056 to make the popup with the challenge close when the user clicks outside it.

I'm updating the ACs to reflect this.

This was already fixed back in the day, and I verified it still works as expected after rebasing the old patches on top of the master branches.

hector.arroyo moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)) board.Feb 25 2026, 3:26 PM
OKryva-WMF edited projects, added: Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)); removed: Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)).Mar 2 2026, 4:19 PM
OKryva-WMF moved this task from Backlog to In progress on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Mar 2 2026, 4:19 PM
OKryva-WMF moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.
hector.arroyo added a comment.Mar 4 2026, 5:45 PM

The patch at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1196056 has been updated after adressing a first batch of review comments (shared privately), and is now ready to be reviewed again.

hector.arroyo mentioned this in T407623: hCaptcha: Split secureEnclave.js in two files (mobile vs non-mobile interface).Mar 5 2026, 10:16 AM
hector.arroyo moved this task from Needs review to In progress on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Mar 6 2026, 10:07 AM

Moving back to In Progress since the topmost patch in ConfirmEdit https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1196056 needs to be rebased after moving some of its functionality into smaller patches uder separate subtasks

hector.arroyo added a subtask: T407369: hCaptcha: Allow ext.confirmEdit.hCaptcha/secureEnclave.js to work when there is no form (API edits).Mar 6 2026, 11:55 AM
hector.arroyo added a subtask: T419230: hCaptcha: Move handling of ErrorWidget and ProgressIndicatorWidget to utils.js.Mar 6 2026, 12:27 PM
hector.arroyo changed the status of subtask T419230: hCaptcha: Move handling of ErrorWidget and ProgressIndicatorWidget to utils.js from Open to In Progress.Mar 6 2026, 12:32 PM
hector.arroyo moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Mar 10 2026, 12:00 PM
hector.arroyo mentioned this in T419128: hCaptcha: Decouple createHCaptchaScriptTag & loadHCaptcha from the global document object.Mar 11 2026, 2:08 PM
hector.arroyo added a subtask: T419128: hCaptcha: Decouple createHCaptchaScriptTag & loadHCaptcha from the global document object.
hector.arroyo added a subtask: T419126: hCaptcha: Refactor reusable code from secureEnclave.js into utils.js.Mar 13 2026, 10:28 AM
hector.arroyo closed subtask T419126: hCaptcha: Refactor reusable code from secureEnclave.js into utils.js as Resolved.
hector.arroyo mentioned this in T419126: hCaptcha: Refactor reusable code from secureEnclave.js into utils.js.
hector.arroyo closed subtask T419230: hCaptcha: Move handling of ErrorWidget and ProgressIndicatorWidget to utils.js as Resolved.Mar 13 2026, 10:57 AM
hector.arroyo added a subtask: T419966: hCaptcha: Add required hooks to the MobileFrontend for supporting hCaptcha on edits.Mar 13 2026, 11:23 AM
hector.arroyo changed the status of subtask T419966: hCaptcha: Add required hooks to the MobileFrontend for supporting hCaptcha on edits from Open to In Progress.Mar 13 2026, 11:27 AM
hector.arroyo mentioned this in T413354: Decide: Should the hCaptcha challenge appear in a new panel in the publish dialog?.Mar 16 2026, 12:02 PM
gerritbot added a comment.Mar 16 2026, 8:52 PM

Change #1198289 merged by jenkins-bot:

[mediawiki/extensions/MobileFrontend@master] editor: Add hooks required for supporting hCaptcha on edits

https://gerrit.wikimedia.org/r/1198289

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.20; 2026-03-17).Mar 16 2026, 9:00 PM
hector.arroyo closed subtask T419966: hCaptcha: Add required hooks to the MobileFrontend for supporting hCaptcha on edits as Resolved.Mar 16 2026, 9:01 PM
hector.arroyo mentioned this in T419966: hCaptcha: Add required hooks to the MobileFrontend for supporting hCaptcha on edits.
gerritbot added a comment.Mar 16 2026, 11:01 PM

Change #1196056 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Support hCaptcha when using MobileFrontend

https://gerrit.wikimedia.org/r/1196056

Maintenance_bot removed a project: Patch-For-Review.Mar 16 2026, 11:31 PM
OKryva-WMF moved this task from Needs review to Needs QA on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Mar 17 2026, 12:51 PM
hector.arroyo closed subtask T407369: hCaptcha: Allow ext.confirmEdit.hCaptcha/secureEnclave.js to work when there is no form (API edits) as Resolved.Mar 18 2026, 2:00 PM
gerritbot added a comment.Mar 19 2026, 12:01 PM

Change #1255691 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@master] hcaptcha: Use the global edit sitekey for MobileFrontend edits if available

https://gerrit.wikimedia.org/r/1255691

gerritbot added a project: Patch-For-Review.Mar 19 2026, 12:01 PM
hector.arroyo moved this task from Needs QA to Needs review on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Mar 19 2026, 12:19 PM

Submitted an additional patch to fix how keys are handled by the MobileFrontend integration when each action is configured to use a different key: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1255691

hector.arroyo added a subtask: T420574: hcaptcha: Make edits coming from the MobileFrontend use the sitekey for edits.Mar 19 2026, 12:25 PM
hector.arroyo moved this task from Needs review to Needs QA on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Mar 19 2026, 5:25 PM

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1255691 was merged and will be deployed to testwiki later today.

hector.arroyo changed the task status from In Progress to Stalled.Mar 19 2026, 5:32 PM

QA can't proceed until the the fix T420574: hcaptcha: Make edits coming from the MobileFrontend use the sitekey for edits is deployed and it is verified that it works.

hector.arroyo changed the task status from Stalled to In Progress.Mar 23 2026, 9:12 AM
hector.arroyo closed subtask T420574: hcaptcha: Make edits coming from the MobileFrontend use the sitekey for edits as Resolved.Mar 23 2026, 9:15 AM

T420574: hcaptcha: Make edits coming from the MobileFrontend use the sitekey for edits was deployed and now edits in testwiki go through without error, so QA for this can proceed.

hector.arroyo added a subtask: T420903: hCaptcha: Edits on mobile which trigger addurl or AbuseFilter are failing to publish.Mar 23 2026, 10:34 AM
OKryva-WMF edited projects, added: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed: Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)).Mar 23 2026, 3:56 PM
OKryva-WMF moved this task from Backlog to Needs QA on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
OKryva-WMF edited projects, added: Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)); removed: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))).Apr 14 2026, 7:28 AM
OKryva-WMF moved this task from Backlog to QA in Prod on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.Apr 14 2026, 7:28 AM
Dreamy_Jazz removed a project: Patch-For-Review.Apr 14 2026, 8:45 AM
hector.arroyo added a subtask: T423296: MobileFrontend source editor: hCaptcha privacy policy displayed unstyled.Apr 20 2026, 10:54 AM
Dreamy_Jazz closed subtask T423296: MobileFrontend source editor: hCaptcha privacy policy displayed unstyled as Resolved.Apr 30 2026, 10:04 AM
dom_walden moved this task from QA in Prod to Done on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.Apr 30 2026, 10:17 AM
dom_walden subscribed.

This can be moved on as testing has been/is being done elsewhere.

hector.arroyo closed this task as Resolved.Apr 30 2026, 2:38 PM

Closing as per Dom's comment.

hector.arroyo closed subtask T420903: hCaptcha: Edits on mobile which trigger addurl or AbuseFilter are failing to publish as Resolved.May 4 2026, 12:44 PM
hector.arroyo moved this task from In progress to Done on the Bot detection and mitigation (WE4.2 hCaptcha editing trial) board.May 6 2026, 7:40 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits