⚓ T411927 Temporary account adding URL on first Publish attempt gets hCaptcha request, but no popup.
Closed, Resolved
Public
BUG REPORT
Assigned To
kostajh
Authored By
Commander_Keane
Dec 6 2025, 12:28 PM
2025-12-06 12:28:20 (UTC+0)
Tags
ConfirmEdit (CAPTCHA extension)
(Backlog)
Bot detection and mitigation (WE4.2 hCaptcha editing trial)
(Done)
Product Safety and Integrity
(Inbox)
Referenced Files
F70924287: image.png
Dec 7 2025, 9:11 PM
2025-12-07 21:11:12 (UTC+0)
F70923112: image.png
Dec 7 2025, 8:34 PM
2025-12-07 20:34:01 (UTC+0)
File Not Attached
F70890965: Screenshot From 2025-12-06 22-10-03.png
Dec 6 2025, 12:28 PM
2025-12-06 12:28:20 (UTC+0)
F70890963: Screenshot From 2025-12-06 22-07-24.png
Dec 6 2025, 12:28 PM
2025-12-06 12:28:20 (UTC+0)
Subscribers
Aklapper
Alien333
Commander_Keane
EMill-WMF
Johannnes89
kostajh
Xaosflux
Description
Steps to replicate the issue (include links if applicable):
When not logged in, visit a Wikipedia article
Edit source, insert a URL (e.g. [https://test.ca])
Click Publish changes
What happens?
Edit does not get saved and user sees "Your edit includes new external links. To protect the wiki against automated spam, we kindly ask you to solve the following hCaptcha:"
However, there is nothing to solve. No popup.
Upon clicking Publish changes again, the hCaptcha appears.
What should have happened instead?
The hCaptcha popup should have appeared on the first click of Publish changes.
Other information (browser name/version, screenshots, etc.):
Desktop, Source editor. I confirmed on Firefox 143.0.3 Fedora. uBlockOrigin disabled. My screenshots below.
A Temporary account holder confirmed on Firefox, Chrome and Edge (Wikipedia Teahouse perm link).
First Publish attempt (note red text instructions above Publish changes button):
Second publish attempt:
Full screen showing state:
Related Objects
Mentions
Duplicates
Mentioned In
T411963: hCaptcha: Automatically resubmit "publish changes" when AbuseFilter's "showcaptcha" trigger is invoked
T411961: Logged out users are being prompted for hCaptcha, but hCaptcha is not appearing
Mentioned Here
T411963: hCaptcha: Automatically resubmit "publish changes" when AbuseFilter's "showcaptcha" trigger is invoked
Duplicates Merged Here
T411961: Logged out users are being prompted for hCaptcha, but hCaptcha is not appearing
Event Timeline
Commander_Keane
created this task.
Dec 6 2025, 12:28 PM
2025-12-06 12:28:20 (UTC+0)
Restricted Application
added a subscriber:
Aklapper
Dec 6 2025, 12:28 PM
2025-12-06 12:28:20 (UTC+0)
taavi
added projects:
ConfirmEdit (CAPTCHA extension)
Bot detection and mitigation (WE4.2 hCaptcha editing trial)
Dec 6 2025, 12:30 PM
2025-12-06 12:30:54 (UTC+0)
taavi
added a project:
Product Safety and Integrity
Johannnes89
subscribed.
Dec 6 2025, 12:38 PM
2025-12-06 12:38:04 (UTC+0)
Another report:
Xaosflux
mentioned this in
T411961: Logged out users are being prompted for hCaptcha, but hCaptcha is not appearing
Dec 7 2025, 8:26 PM
2025-12-07 20:26:45 (UTC+0)
Xaosflux
triaged this task as
High
priority.
Dec 7 2025, 8:29 PM
2025-12-07 20:29:48 (UTC+0)
Xaosflux
merged a task:
T411961: Logged out users are being prompted for hCaptcha, but hCaptcha is not appearing
Xaosflux
subscribed.
Inherit priority from merged in ticket; this is preventing a core end user function: Contributing content to the projects
Xaosflux
updated the task description.
Dec 7 2025, 8:32 PM
2025-12-07 20:32:58 (UTC+0)
Xaosflux
added a subscriber:
kostajh
Alien333
subscribed.
Dec 7 2025, 8:53 PM
2025-12-07 20:53:20 (UTC+0)
kostajh
added a comment.
Dec 7 2025, 9:11 PM
2025-12-07 21:11:12 (UTC+0)
Thanks for filing the task, and sorry for the issues being encountered here. The problem being reported is because we are using 100% passive mode for ConfirmEdit's "edit" trigger, with an "always challenge" mode set for the "addurl" trigger. The "addurl" trigger has always functioned after a page reload. We updated the AbuseFilter "showcaptcha" trigger (which has a similar flow of happening after a page reload) to tell the user that they need to resubmit the form, but we missed doing that for "addurl" when in 100% passive mode.
The problem will go away tomorrow (Dec 8) when we switch enwiki to use 99.9% passive mode. At that point, adding a URL will be treated like any other edit, with a challenge only being shown if hCaptcha finds the edit session to be suspicious of bot activity. The challenge would appear immediately on pressing "Publish changes", and not after a page reload.
kostajh
claimed this task.
Dec 7 2025, 9:11 PM
2025-12-07 21:11:32 (UTC+0)
kostajh
mentioned this in
T411963: hCaptcha: Automatically resubmit "publish changes" when AbuseFilter's "showcaptcha" trigger is invoked
Dec 7 2025, 9:14 PM
2025-12-07 21:14:26 (UTC+0)
I've also filed T411963: hCaptcha: Automatically resubmit "publish changes" when AbuseFilter's "showcaptcha" trigger is invoked to make the experience in the AbuseFilter "showcaptcha" path more intuitive.
EMill-WMF
subscribed.
Edited
Dec 7 2025, 9:16 PM
2025-12-07 21:16:35 (UTC+0)
Just flagging that we are tracking this bug - thanks for documenting it here. Our initial team discussion about it suggests this is an unintended byproduct of running enwiki in 100% passive mode, and that it will be addressed when we move to 99.9% passive mode (which is scheduled for tomorrow morning, Monday).
(EDIT: While I had the page open to write this, @kostajh posted more detail above.)
Xaosflux
added a comment.
Dec 7 2025, 10:10 PM
2025-12-07 22:10:39 (UTC+0)
Thanks for updates and that there is a quick resolution. Should this be delayed we can insert some help text into the error message - instructing end users to resubmit the publish as a workaround.
kostajh
moved this task from
Backlog
to
In progress
on the
Bot detection and mitigation (WE4.2 hCaptcha editing trial)
board.
Dec 8 2025, 8:40 AM
2025-12-08 08:40:44 (UTC+0)
kostajh
closed this task as
Resolved
Dec 8 2025, 8:52 AM
2025-12-08 08:52:38 (UTC+0)
kostajh
moved this task from
In progress
to
Done
on the
Bot detection and mitigation (WE4.2 hCaptcha editing trial)
board.
This should be resolved now, having switched to using 99.9% passive mode on enwiki. hCaptcha will challenge suspicious sessions on edit/create/addurl on the first click to publish changes.
Xaosflux
added a comment.
Dec 8 2025, 10:30 AM
2025-12-08 10:30:12 (UTC+0)
I did a test, the edit just went through - were you able to verify it actually works if the automatic hcaptcha failed?
kostajh
added a comment.
Dec 8 2025, 10:49 AM
2025-12-08 10:49:55 (UTC+0)
In T411927#11439859, @Xaosflux wrote:
> I did a test, the edit just went through - were you able to verify it actually works if the automatic hcaptcha failed?

Yes. I have a scripted environment to check if the hCaptcha challenge is triggered:
```js
const { remote } = require('webdriverio');

async function testCaptchaProtection() {
  // Start a Chrome session driven by WebdriverIO
  const browser = await remote({
    capabilities: {
      browserName: 'chrome',
      'goog:chromeOptions': {
        args: [
          '--disable-blink-features=AutomationControlled',
          '--ignore-certificate-errors'
        ]
      }
    }
  });

  try {
    await browser.url('https://en.wikipedia.org/wiki/Test?action=edit');
    // navigate to whatever page you want after the browser loads
    await browser.waitUntil(async () => {
      const title = await browser.getTitle();
      return title.length;
    }, {
      timeout: 3000000
    });
    // Keep the session open
    await browser.pause(3000000);
  } catch (error) {
    console.error('Error during test:', error.message);
  } finally {
    await browser.deleteSession();
  }
}

testCaptchaProtection();
```
with a package.json of:

```json
{
  "dependencies": {
    "webdriverio": "^9.19.2"
  }
}
```
Xaosflux
awarded a token.
Dec 8 2025, 12:24 PM
2025-12-08 12:24:39 (UTC+0)