magento / security-package

Magento Security Extensions
Open Software License 3.0

Load recaptcha related files on focus of the form fields. #334

Open Bashev opened 9 months ago

Bashev commented 9 months ago

Description (*)

reCaptcha remote files will be loaded only if the customer (visitor) focuses on a field of the form for which reCaptcha is enabled. This will reduce the number of loaded files and is immediately reflected in loading time.

Fixed Issues (if relevant)

  1. Fixes https://github.com/magento/security-package/issues/333
  2. Fixes https://github.com/magento/magento2/issues/38303

Manual testing scenarios (*)

  1. Enable reCaptcha (no matter which version) for Newsletter, Contact Form, Review, Registration or ... anything.
  2. Load the page which contains a form for which reCaptcha is enabled (e.g. Contact form /contact)
  3. ReCaptcha external (gstatic.com) files will not be loaded (you will not see the logo of the recaptcha or loaded files in the network tab of the browser developer inspector).
  4. Click on the first or a random field (e.g. Name)
  5. reCaptcha files will be loaded and you will see the reCaptcha logo somewhere on the page, as you configured in step 1.

Questions or comments

Contribution checklist (*)

Bashev commented 9 months ago

@magento give me 2.4-develop instance

magento-deployment-service[bot] commented 9 months ago

Hi @Bashev. Thank you for your request. I'm working on Magento instance for you.

magento-deployment-service[bot] commented 9 months ago

Hi @Bashev, unfortunately there is no ability to deploy Magento instance at the moment. Please try again later.

Bashev commented 9 months ago

@magento give me 2.4-develop instance

magento-deployment-service[bot] commented 9 months ago

Hi @Bashev. Thank you for your request. I'm working on Magento instance for you.

magento-deployment-service[bot] commented 9 months ago

Hi @Bashev, unfortunately there is no ability to deploy Magento instance at the moment. Please try again later.

Bashev commented 9 months ago

@magento run all tests

magento-automated-testing[bot] commented 9 months ago

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please message the #magento-devops slack channel if they don't show in a reasonable amount of time and a representative will look into any issues.

Bashev commented 9 months ago

@magento run all tests

magento-automated-testing[bot] commented 9 months ago

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please message the #magento-devops slack channel if they don't show in a reasonable amount of time and a representative will look into any issues.

ihor-sviziev commented 9 months ago

@Bashev, unfortunately, I don't have write permissions to this repo. Could you please change

Fixed Issues (if relevant)
1. https://github.com/magento/security-package/issues/333
2. https://github.com/magento/magento2/issues/38303

to

Fixed Issues (if relevant)
1. Fixes https://github.com/magento/security-package/issues/333
2. Fixes https://github.com/magento/magento2/issues/38303

so that the two issues will be automatically closed when this PR is merged.

Bashev commented 9 months ago

@magento run Functional Tests CE, Functional Tests EE

magento-automated-testing[bot] commented 9 months ago

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please message the #magento-devops slack channel if they don't show in a reasonable amount of time and a representative will look into any issues.

Bashev commented 9 months ago

@ihor-sviziev @fredden, I think the error from the failed test is not related to the PR.

Bashev commented 9 months ago

@magento run Functional Tests CE

magento-automated-testing[bot] commented 9 months ago

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please message the #magento-devops slack channel if they don't show in a reasonable amount of time and a representative will look into any issues.

ihor-sviziev commented 9 months ago

@Bashev, I saw the comment from @techtoni in https://github.com/magento/magento2/issues/38303#issuecomment-1866115302:

> Re invisible reCaptcha v3 - the way this technology works is it tracks the user behaviour through the website to establish if it is a real user or a bot. It is supposed to be included on all pages, not loaded after a form is interacted with, see documentation - https://developers.google.com/recaptcha/docs/v3

It looks like this PR actually changes behavior for v2 invisible and v3 invisible, which means v3 might work incorrectly due to this change. Could you please double-check that?

Bashev commented 9 months ago

@ihor-sviziev I saw the comment also, and also read the documentation.

> reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.

"Works best" does not mean it's mandatory. From my point of view this does not break the rules of reCAPTCHA. Yes, this will probably have some negative impact on the scoring, but it will be acceptable.

All of us know Google also uses reCAPTCHA to track user behavior, and this is the main reason they want to have it on all pages.
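
The load-on-focus behaviour from the PR description, together with the v3 trade-off discussed in the two comments above, as an added example that is not code from this PR or from the Magento module. It injects the reCAPTCHA v3 script on the first `focusin` inside a form (so v3 only observes the visitor from that point on) and still obtains a token when the form is submitted before any field was focused. `createLazyRecaptcha`, `attach`, the `tokenField` hidden input and the site key are assumptions made for illustration.

```javascript
// Added example, not code from the PR. doc/win are passed in so the logic can
// be exercised without a browser; in a page, pass document and window.
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js?render=';

function createLazyRecaptcha(doc, win, siteKey) {
  let loading = null; // memoised promise: the script tag is injected only once

  function load() {
    if (loading) return loading;
    loading = new Promise((resolve, reject) => {
      const script = doc.createElement('script');
      script.src = RECAPTCHA_SRC + encodeURIComponent(siteKey);
      script.async = true;
      script.onload = () => win.grecaptcha.ready(() => resolve(win.grecaptcha));
      script.onerror = () => {
        loading = null; // allow a retry at submit time
        reject(new Error('reCAPTCHA script failed to load'));
      };
      doc.head.appendChild(script);
    });
    return loading;
  }

  // Starts the load itself if no field was ever focused (autofill plus Enter,
  // scripted submit), so a real user is not sent without a token.
  function getToken(action) {
    return load().then((g) => g.execute(siteKey, { action }));
  }

  function attach(form, tokenField, action) {
    form.addEventListener('focusin', () => { load().catch(() => {}); }, { once: true });
    form.addEventListener('submit', (event) => {
      event.preventDefault(); // hold the submit until a fresh token is set
      getToken(action)
        .then((token) => { tokenField.value = token; })
        .catch(() => { tokenField.value = ''; }) // server must reject an empty token
        .then(() => form.submit()); // form.submit() does not re-fire 'submit'
    });
  }

  return { load, getToken, attach };
}
```

The token is only a claim until the server verifies it, so a missing or failed verification has to be rejected server-side regardless of when the script was loaded.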

Bashev commented 5 months ago

@magento run Functional Tests CE