Strange behavior when used with hcaptcha
-
Hi,
When I integrated your plugin into one of my websites, I noticed some strange behavior: even though I hadn’t checked the plugin option to disable the “Unauthorized content” message, I couldn’t get the plugin to display the expected message, and a blank space always appeared instead.
I tried to figure out what was going on, and after numerous debugging attempts, I noticed that when I used the get_option function to read the value of the WP option “cacsp_option_disable_content_not_allowed_message,” the returned value was always 1, no matter what I did with the corresponding plugin option. Strange, isn’t it?
To make a long story short, I finally noticed that disabling another plugin I was using solved the problem. The culprit is “hcaptcha for WP.”Reading the documentation and source code for the “hcaptcha for WP” plugin is very interesting. The documentation states that “hcaptcha for WP” is “integrated” with or “supports” the CACSP plugin, and the source code shows how this integration is implemented: the hcaptcha plugin filters the value returned by the get_option function when it reads three of the options defined by CACSP. This filtering aims, on the one hand, to automatically add the domain hcaptcha.com to the list of domains always allowed by CACSP and, on the other hand, to prevent CACSP from displaying the “Unauthorized content” message! But why does hcaptcha do this, and why isn’t the user informed of it???
Were you aware of this? I assume you are in contact with the authors of the hcaptcha plugin or that you can contact them.
Instead of this hidden and automatic integration by hcaptcha, would it be possible for you to offer an explicit solution, for example by adding hcaptcha to your list of plugins for which you offer to add allowed domains? You do this for reCaptcha. Why wouldn’t you do it for hcaptcha? And , of course, let the user decide whether to enable or disable the display of the “Unauthorized content” message!
In your opinion, what is the best approach to resolve this issue?Thanks in advance,
-
I found why I forced the option “Disable content not allowed message.” See how Contact From 7 with hCaptcha looks when I do not block this option.
Here, hCaptcha is loading, but has become non-functional due to the CACSP error message.
@erpiu, you can reach the same result by commenting out 1 line in the
\HCaptcha\CACSP\Compatibility::init_hooks.$cacsp_options = [
'cacsp_option_always_scripts',
'cacsp_option_always_frames',
// 'cacsp_option_disable_content_not_allowed_message',
];@jonkastonka, I have created a fork repository on GitHub and a PR with hCaptcha support: https://github.com/kagg-design/cookies-and-content-security-policy/pull/1/changes
You can implement changes in your plugin.
When released, I can remove the integration class from the hCaptcha plugin, which will resolve the current issue reported by @erpiu.
You must be logged in to reply to this topic.
