Page MenuHomePhabricator
Create Task
Maniphest T408693

hCaptcha: Clicking "Show preview" and "Show changes" triggers hCaptcha, and then publishes edit
Closed, ResolvedPublicBUG REPORT
Actions

Description

What is the problem?

While editing in the source editor, if I "Show preview" or "Show changes" it will trigger hCaptcha and potentially display a challenge I have to complete. Then, it will not actually show the preview or diff but instead publish the edit.

Steps to reproduce problem
  1. https://test.wikipedia.org/w/index.php?title=Po%C4%8Detna_strana_moved&action=edit
  2. Make sure you are using the WikiEditor/Source Editor
  3. Open the browser network tab
  4. Click either "Show preview" or "Show changes"

Expected behaviour: You shouldn't see any requests to URLs such as https://hcaptcha.wikimedia.org or https://assets-hcaptcha.wikimedia.org. You see the preview or diff as appropriate.
Observed behaviour: You do see those URLs and the edit is published.

Environment

Browser: Firefox 140. Chromium 141.
Wiki(s): https://test.wikipedia.org ConfirmEdit 1.6.0 (rECOE49231fb412f8) 16:36, 28 October 2025.
Editor: WikiEditor 0.5.4 (3cadd00) 07:45, 22 October 2025.

Screenshots

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hcaptcha: Fix secureEnclave testsmediawiki/extensions/ConfirmEditmaster+1 -0
hcaptcha: Don't prevent form submissions unless making an editmediawiki/extensions/ConfirmEditwmf/1.46.0-wmf.2+231 -81
hcaptcha: Don't prevent form submissions unless making an editmediawiki/extensions/ConfirmEditmaster+231 -81
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.Oct 29 2025, 2:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 29 2025, 2:12 PM
dom_walden renamed this task from hCaptcha: Clicking "Show preview" and "Show changes" triggers hCaptcha challenge to hCaptcha: Clicking "Show preview" and "Show changes" triggers hCaptcha.Oct 29 2025, 2:12 PM
dom_walden renamed this task from hCaptcha: Clicking "Show preview" and "Show changes" triggers hCaptcha to hCaptcha: Clicking "Show preview" and "Show changes" triggers hCaptcha, and then publishes edit.Oct 29 2025, 4:38 PM
dom_walden updated the task description. (Show Details)
Johannnes89 subscribed.Oct 29 2025, 4:51 PM
dom_walden added a project: WE4.2 Bot detection (WE4.2 hCaptcha editing trial).Oct 30 2025, 1:16 PM
kostajh edited projects, added Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)); removed Product Safety and Integrity.Nov 3 2025, 12:59 PM
hector.arroyo changed the task status from Open to In Progress.Nov 3 2025, 2:27 PM
hector.arroyo claimed this task.
hector.arroyo moved this task from Backlog to In progress on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.
hector.arroyo added a comment.EditedNov 3 2025, 2:47 PM
  • The initial requests (before clicking any button) seem due to preloading (the browser fetches the hCaptcha script as soon as you interact with the form)
  • Clicking on "Show preview" submits the edit
  • The edit is not submitted when the preview in the right panel is refreshed but only when using one of the buttons in the bottom of the page other than "Cancel"
    • This suggests we are binding the hCaptcha challenge to any kind of form submission without actually checking which button was clicked
      • All buttons seem to send the same form, but each has a different name: Likely, the backend uses the button name included in the request to know if the user wants to save the edit vs other actions, and we'd need to follow the same approach when handling hCaptcha in the frontend in order to not trigger an hCaptcha workflow for the latter cases
gerritbot added a comment.Nov 3 2025, 4:30 PM

Change #1201098 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@master] hcaptcha: Don't prevent form submissions unless making an edit

https://gerrit.wikimedia.org/r/1201098

gerritbot added a project: Patch-For-Review.Nov 3 2025, 4:30 PM
kostajh moved this task from Backlog to In progress on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Nov 4 2025, 12:56 PM
hector.arroyo moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Nov 4 2025, 5:09 PM
hector.arroyo moved this task from Needs review to In progress on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Nov 7 2025, 12:53 PM

We've decided to follow a different approach, and tests are now failing. Moving this back to 'In Progress'.

hector.arroyo moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Nov 7 2025, 4:32 PM
OKryva-WMF edited projects, added Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)); removed Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)).Mon, Nov 10, 12:14 PM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Mon, Nov 10, 12:14 PM
gerritbot added a comment.Tue, Nov 11, 12:35 PM

Change #1203803 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@master] hcaptcha: Fix secureEnclave tests

https://gerrit.wikimedia.org/r/1203803

gerritbot added a comment.Tue, Nov 11, 1:35 PM

Change #1201098 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hcaptcha: Don't prevent form submissions unless making an edit

https://gerrit.wikimedia.org/r/1201098

gerritbot added a comment.Tue, Nov 11, 1:36 PM

Change #1203810 had a related patch set uploaded (by Kosta Harlan; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.2] hcaptcha: Don't prevent form submissions unless making an edit

https://gerrit.wikimedia.org/r/1203810

hector.arroyo moved this task from Needs review to Needs QA on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Tue, Nov 11, 1:43 PM
gerritbot added a comment.Tue, Nov 11, 1:57 PM

Change #1203810 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.2] hcaptcha: Don't prevent form submissions unless making an edit

https://gerrit.wikimedia.org/r/1203810

Stashbot added a comment.Tue, Nov 11, 1:58 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-11T13:58:10Z] <kharlan@deploy2002> Started scap sync-world: Backport for [[gerrit:1203810|hcaptcha: Don't prevent form submissions unless making an edit (T408693)]]

kostajh moved this task from In progress to QA on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Tue, Nov 11, 1:59 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.3; 2025-11-19).Tue, Nov 11, 2:00 PM
Stashbot added a comment.Tue, Nov 11, 2:02 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-11T14:02:20Z] <kharlan@deploy2002> kharlan: Backport for [[gerrit:1203810|hcaptcha: Don't prevent form submissions unless making an edit (T408693)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Tue, Nov 11, 2:12 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-11T14:12:00Z] <kharlan@deploy2002> Finished scap sync-world: Backport for [[gerrit:1203810|hcaptcha: Don't prevent form submissions unless making an edit (T408693)]] (duration: 13m 50s)

dom_walden mentioned this in T407661: hCaptcha: Disable submit button after initial button press.Wed, Nov 12, 11:51 AM
dom_walden moved this task from Needs QA to Done on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Fri, Nov 14, 2:44 PM

I haven't seen this bug happen since on testwiki.

kostajh closed this task as Resolved.Fri, Nov 14, 3:37 PM
hector.arroyo moved this task from QA to Done on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Wed, Nov 19, 1:42 PM
gerritbot added a comment.Wed, Nov 19, 2:40 PM

Change #1203803 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hcaptcha: Fix secureEnclave tests

https://gerrit.wikimedia.org/r/1203803

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.4; 2025-11-25); removed MW-1.46-notes (1.46.0-wmf.3; 2025-11-19).Wed, Nov 19, 3:00 PM
Maintenance_bot removed a project: Patch-For-Review.Wed, Nov 19, 3:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits