Page MenuHomePhabricator
Create Task
Maniphest T411927

Temporary account adding URL on first Publish attempt gets hCaptcha request, but no popup.
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
kostajh
Authored By
Commander_Keane
Dec 6 2025, 12:28 PM
Tags
Referenced Files
F70924287: image.png
Dec 7 2025, 9:11 PM
F70923112: image.png
Dec 7 2025, 8:34 PM
File Not Attached
F70890965: Screenshot From 2025-12-06 22-10-03.png
Dec 6 2025, 12:28 PM
F70890963: Screenshot From 2025-12-06 22-07-24.png
Dec 6 2025, 12:28 PM
Subscribers
Aklapper
Alien333
Commander_Keane
EMill-WMF
Johannnes89
kostajh
Xaosflux

Description

Steps to replicate the issue (include links if applicable):

  • When not logged in, visit a Wikipedia article
  • Edit source, insert a URL (eg [https://test.ca])
  • Click Publish changes

What happens?:

  • Edit does not get saved and user sees "Your edit includes new external links. To protect the wiki against automated spam, we kindly ask you to solve the following hCaptcha:"
  • However, there is nothing to solve. No popup.
  • Upon clicking Publish changes again, the hCaptcha appears.

What should have happened instead?:

  • The hCaptcha popup should have appeared on the first click of Publish changes

Other information (browser name/version, screenshots, etc.):

  • Desktop, Source editor. I confirmed on Firefox 143.0.3 Fedora. uBlockOrigin disabled. My screenshots below.
  • A Temporary account holder confirmed on Firefox, Chrome and Edge (Wikipedia Teahouse perm link).

First Publish attempt (note red text instructions above Publish changes button):

Screenshot From 2025-12-06 22-07-24.png (762×1 px, 148 KB)

Second publish attempt:
Screenshot From 2025-12-06 22-10-03.png (762×1 px, 343 KB)

Full screen showing state:

image.png (893×931 px, 166 KB)

Related Objects

Event Timeline

Commander_Keane created this task.Dec 6 2025, 12:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 6 2025, 12:28 PM
taavi added projects: ConfirmEdit (CAPTCHA extension), WE4.2 Bot detection (WE4.2 hCaptcha editing trial).Dec 6 2025, 12:30 PM
taavi added a project: Product Safety and Integrity.
Johannnes89 subscribed.Dec 6 2025, 12:38 PM

Another report: https://www.mediawiki.org/wiki/Talk:Product_Safety_and_Integrity/Anti-abuse_signals/hCaptcha#hCaptcha_does_not_show

Xaosflux mentioned this in T411961: Logged out users are being prompted for hCaptcha, but hCaptcha is not appearing.Dec 7 2025, 8:26 PM
Xaosflux triaged this task as High priority.Dec 7 2025, 8:29 PM
Xaosflux merged a task: T411961: Logged out users are being prompted for hCaptcha, but hCaptcha is not appearing.
Xaosflux subscribed.

Inherit priority from merged in ticket; this is preventing a core end user function: Contributing content to the projects

Xaosflux updated the task description. (Show Details)Dec 7 2025, 8:32 PM
Xaosflux added a subscriber: kostajh.
Alien333 subscribed.Dec 7 2025, 8:53 PM
kostajh added a comment.Dec 7 2025, 9:11 PM

Thanks for filing the task, and sorry for the issues being encountered here. The problem being reported is because we are using 100% passive mode for ConfirmEdit's "edit" trigger, with an "always challenge" mode set for the "addurl" trigger. The "addurl" trigger has always functioned after a page reload. We updated the AbuseFilter "showcaptcha" trigger (which has a similar flow of happening after a page reload) to tell the user that they need to resubmit the form, but we missed doing that for "addurl" when in 100% passive mode

image.png (1×1 px, 322 KB)

The problem will go away tomorrow (Dec 8) when we switch enwiki to use 99.9% passive mode. At that point, adding a URL will be treated like any other edit, with a challenge only being shown if hCaptcha finds the edit session to be suspicious of bot activity. The challenge would appear immediately on pressing "Publish changes", and not after a page reload.

kostajh claimed this task.Dec 7 2025, 9:11 PM
kostajh mentioned this in T411963: hCaptcha: Automatically resubmit "publish changes" when AbuseFilter's "showcaptcha" trigger is invoked.Dec 7 2025, 9:14 PM

I've also filed T411963: hCaptcha: Automatically resubmit "publish changes" when AbuseFilter's "showcaptcha" trigger is invoked to make the experience in the AbuseFilter "showcaptcha" path more intuitive.

EMill-WMF subscribed.EditedDec 7 2025, 9:16 PM

Just flagging that we are tracking this bug - thanks for documenting it here. Our initial team discussion about it suggests this is an unintended byproduct of running enwiki in 100% passive mode, and that it will be addressed when we move to 99.9% passive mode (which is scheduled for tomorrow morning, Monday).

(EDIT: While I had the page open to write this, @kostajh posted more detail above.)

Xaosflux added a comment.Dec 7 2025, 10:10 PM

Thanks for updates and that there is a quick resolution. Should this be delayed we can insert some help text in to the error message - instructing end users to resubmit the publish as a workaround.

kostajh moved this task from Backlog to In progress on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Dec 8 2025, 8:40 AM
kostajh closed this task as Resolved.Dec 8 2025, 8:52 AM
kostajh moved this task from In progress to Done on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.

This should be resolved now, having switched to using 99.9% passive mode on enwiki. hCaptcha will challenge suspicious sessions on edit/create/addurl on the first click to publish changes.

Xaosflux added a comment.Dec 8 2025, 10:30 AM

I did a test, the edit just went though - were you able to verify it actually works if the automatic hcaptcha failed?

kostajh added a comment.Dec 8 2025, 10:49 AM
In T411927#11439859, @Xaosflux wrote:

I did a test, the edit just went though - were you able to verify it actually works if the automatic hcaptcha failed?

Yes. I have a scripted environment to check if the hCaptcha challenge is triggered

const { remote } = require('webdriverio');

async function testCaptchaProtection() {
    const browser = await remote({
        capabilities: {
            browserName: 'chrome',
            'goog:chromeOptions': {
                args: ['--disable-blink-features=AutomationControlled', '--ignore-certificate-errors']
            }
        }
    });

    try {
        await browser.url('https://en.wikipedia.org/wiki/Test?action=edit'); // navigate to whatever page you want after the browser loads
        
        await browser.waitUntil(async () => {
            const title = await browser.getTitle();
            return title.length > 0;
        }, { timeout: 3000000 });
        await browser.pause( 3000000 );
    } catch (error) {
        console.error('Error during test:', error.message);
    } finally {
        await browser.deleteSession();
    }
}

testCaptchaProtection();

with a package.json of:

{
  "dependencies": {
    "webdriverio": "^9.19.2"
  }
}
Xaosflux awarded a token.Dec 8 2025, 12:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits