privacypass / challenge-bypass-extension

DEPRECATED - Client for Privacy Pass protocol providing unlinkable cryptographic tokens
https://privacypass.github.io
BSD 3-Clause "New" or "Revised" License

Cannot earn passes on hCaptcha Privacy Pass web page #247

Closed BTCAlchemist closed 1 year ago

BTCAlchemist commented 3 years ago

Describe the bug

The Privacy Pass web page to earn new passes (https://www.hcaptcha.com/privacy-pass) does not load the widget to earn passes.

To Reproduce

Steps to reproduce the behavior:

  1. Go to https://www.hcaptcha.com/privacy-pass
  2. Scroll to "Getting started" section. There is no hCaptcha checkbox under "Once you've got the extension installed, click here (or on any hCaptcha-using website) to earn passes:" Here is a screenshot: image

Expected behavior

The hCaptcha check box would load

System (please complete the following information):

k1ng440 commented 3 years ago

https://puu.sh/I4TAy/3de6663971.png

BTCAlchemist commented 3 years ago

> https://puu.sh/I4TAy/3de6663971.png

Looks like @k1ng440 is having this issue as well. @ppopth Could you help?

gmt2001 commented 3 years ago

Some web developer console messages to help with this (Firefox 91.0.1)

Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Couldn’t parse invalid host 'unsafe-hashes'
Content Security Policy: Couldn’t process unknown directive ‘prefetch-src’
Loading failed for the <script> with source “https://accounts.hcaptcha.com/1/api.js?hl=en&endpoint=https%3A%2F%2Fhcaptcha.com”. privacy-pass:18:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://accounts.hcaptcha.com/1/api.js?hl=en&endpoint=https%3A%2F%2Fhcaptcha.com (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).

ignat980 commented 3 years ago

Same issue here!
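A simplified model of how a CSP evaluator arrives at the kinds of Firefox console messages gmt2001 posted above: tokens the browser does not recognise only produce warnings, while the blocked loads come from source-list matching. This is an added example, not code from the thread, the extension or hCaptcha; the policy string, the nonce and the `cdn.example` host are constructed, since the page does not show the site's actual header.

```javascript
// Simplified CSP model. POLICY and PAGE are constructed samples, not hCaptcha's real header.
const PAGE = "https://www.hcaptcha.com";
const POLICY = "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline' 'unsafe-hashes' https://*.cdn.example; " +
  "style-src 'self' 'nonce-r4nd0m'; prefetch-src 'self'";
// What this model recognises; anything else is reported, as a browser lacking the feature would.
const KNOWN_DIRECTIVES = new Set(["default-src", "script-src", "style-src"]);
const KNOWN_KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[^']+'$/;

function parsePolicy(policy) {
  const directives = new Map(), warnings = [];
  for (const part of policy.split(";").map(s => s.trim()).filter(Boolean)) {
    const [raw, ...sources] = part.split(/\s+/);
    const name = raw.toLowerCase();
    if (!KNOWN_DIRECTIVES.has(name)) { warnings.push(`unknown directive ${name}`); continue; }
    const kept = sources.filter(src => {
      const ok = !src.startsWith("'") || KNOWN_KEYWORDS.has(src) || NONCE_OR_HASH.test(src);
      if (!ok) warnings.push(`invalid source ${src}`);
      return ok;
    });
    const strict = kept.some(s => NONCE_OR_HASH.test(s));
    if (strict && kept.includes("'unsafe-inline'")) warnings.push(`ignoring 'unsafe-inline' in ${name}`);
    directives.set(name, { sources: kept, strict });
  }
  return { directives, warnings };
}

// Host-source match, simplified: exact scheme, optional leading "*." wildcard, no ports or paths.
function hostMatches(pattern, url) {
  const m = /^(?:(https?):\/\/)?([^/:]+)$/.exec(pattern);
  if (!m || (m[1] && m[1] + ":" !== url.protocol)) return false;
  return m[2].startsWith("*.") ? url.hostname.endsWith(m[2].slice(1)) : url.hostname === m[2];
}

function allowsUrl(parsed, directive, resource) {
  const d = parsed.directives.get(directive) || parsed.directives.get("default-src");
  if (!d) return true; // nothing restricts this resource type
  const url = new URL(resource);
  return d.sources.some(s => s === "'self'" ? url.origin === PAGE : !s.startsWith("'") && hostMatches(s, url));
}

// Inline code: once a nonce or hash is listed, 'unsafe-inline' no longer applies (hashes not modelled).
function allowsInline(parsed, directive, nonce) {
  const d = parsed.directives.get(directive) || parsed.directives.get("default-src");
  if (!d) return true;
  return d.strict ? d.sources.includes(`'nonce-${nonce}'`) : d.sources.includes("'unsafe-inline'");
}

const parsed = parsePolicy(POLICY);
console.log(parsed.warnings, allowsUrl(parsed, "script-src", "https://accounts.hcaptcha.com/1/api.js"));
```

Under this constructed policy the three parser warnings change nothing about enforcement; the script load fails only because `accounts.hcaptcha.com` matches no entry in `script-src`.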

ppopth commented 3 years ago

Thank you for the report. I'm looking at it. I will get back here soon.

ppopth commented 3 years ago

It seems like hCaptcha just added the json body to their checkcaptcha request. Previously, it had no body and we sent the blinded tokens as a post param in the body of such request.

I'm contacting hCaptcha now. Please also let me know if hCaptcha is also reading this comment.

Screenshot from 2021-08-24 16-48-13
Screenshot from 2021-08-24 16-43-47
Screenshot from 2021-08-24 16-43-35

armfazh commented 3 years ago

cc @durch (hCaptcha)

AstralDestiny commented 3 years ago

Got some then when trying to get more it used a pass instead and very quickly told me I wouldn't be able to get more until it all ran out it seems.

gmt2001 commented 3 years ago

As of today, this appears to be resolved on Firefox 91.0.2 with plugin version 2.0.9. It took 2 tries, but I was able to get my 5 hCaptcha passes

ppopth commented 3 years ago

@gmt2001 I tried many times until I could get passes. I think I'm going to make it always work before marking this issue as resolved.

ppopth commented 3 years ago

> It seems like hCaptcha just added the json body to their checkcaptcha request. Previously, it had no body and we sent the blinded tokens as a post param in the body of such request.

My previous comment as quoted above may be wrong. I just noticed that with the extension installed the browser sends 2 checkcaptcha requests instead of 1 request: one is for sending the captcha answer and one is for issuing the passes.

I'm not sure why hCaptcha really needs 2 requests in this case. The protocol should have only one request.

I think it's good to document the protocol for hCaptcha somewhere

durch commented 3 years ago

Hi folks! Apologies I’ve missed the original notification. We’ll go over our implementation internally and see if we can make improvements to get it to full protocol compliance. Will keep you posted

e271828- commented 3 years ago

This is working for me on FF and Chrome. Seems like a stale issue.

BTCAlchemist commented 3 years ago

It just worked for me on Brave browser. I wouldn't say this is a stale issue, but it appears to have been fixed today. Is anyone else available to test it?

levicki commented 3 years ago

I just visited https://captcha.website/ to test if it is possible to get CloudFlare tokens, but all I got is hCaptcha prompt on that page asking me to prove I am human.

This is getting ridiculous -- spending hCaptcha tokens to earn CloudFlare tokens doesn't make sense.

@durch I keep getting false positives on every CloudFlare protected website using hCaptcha every time I visit them in a new browser session (I am using Brave on Windows 10). I am sure my own home network and all devices in it are malware-free. Having to solve hCaptcha on every site visit is getting mighty annoying, is there anyone from hCaptcha team who can suggest some troubleshooting steps?

e271828- commented 3 years ago

> I just visited https://captcha.website/ to test if it is possible to get CloudFlare tokens, but all I got is hCaptcha prompt on that page asking me to prove I am human.
>
> This is getting ridiculous -- spending hCaptcha tokens to earn CloudFlare tokens doesn't make sense.
>
> @durch I keep getting false positives on every CloudFlare protected website using hCaptcha every time I visit them in a new browser session (I am using Brave on Windows 10). I am sure my own home network and all devices in it are malware-free. Having to solve hCaptcha on every site visit is getting mighty annoying, is there anyone from hCaptcha team who can suggest some troubleshooting steps?

This has nothing to do with hCaptcha: Cloudflare (and its users) decide when to show a challenge.

levicki commented 3 years ago

> This has nothing to do with hCaptcha: Cloudflare (and its users) decide when to show a challenge.

I understand that you are correct in the technical sense. However, this still has something to do with hCaptcha so please hear me out.

Perception of a regular, non tech-savvy user is that hCaptcha is the problem, because that's what is prominently shown at the top center of the page and what they have to deal with. Cloudflare is mentioned in small font at the very bottom of the page which you can't read even in full screen mode at 1080p:

image

Cloudflare is using hCaptcha while giving end users absolutely no recourse when they are unfairly judged as a bot. There is no "contest this check" link, no "report a problem" link, no contact email for Cloudflare support to even try to reach a human being in an attempt to find the problem and fix it.

IMO this is just souring hCaptcha (and Privacy Pass because it makes it useless) for end users and hCaptcha and Privacy Pass developers should lean on Cloudflare (because the end users cannot) to include a way to complain about repeated misidentifications if they want to continue using it.

ppopth commented 3 years ago

@levicki

> This is getting ridiculous -- spending hCaptcha tokens to earn CloudFlare tokens doesn't make sense.

Yes, this doesn't make sense and we have a plan to fix this issue soon. However, this is not related to the issue since this issue is about the hCaptcha captchas outside the Cloudflare pages like

ppopth commented 3 years ago

@durch Do you have any update? I think it's better if we can document the Privacy Pass protocol on hCaptcha tokens in both the issuance stage and redemption stage, so that I can help debug it when there is an issue next time.

levicki commented 3 years ago

@ppopth

> Yes, this doesn't make sense and we have a plan to fix this issue soon.

Very well, in the meantime I have uninstalled Privacy Pass because it is useless due to Cloudflare's overzealousness, and I have stopped visiting all websites which use Cloudflare and hCaptcha -- I don't want an intersection of those two faceless "security through obscurity" technologies treating me as a criminal without due process while they shamelessly use my eyeballs and clicks to generate revenue.

fisforfaheem commented 3 years ago

no one is willing to fix this

ppopth commented 2 years ago

@durch hi, do you have any documentation on Privacy Pass protocol for hCaptcha? We just released v3.0.0 last month which has a big refactor of the extension code base. As a result, we didn't include the hCaptcha implementation because we don't know how it works. I think some kind of documentation will help. Otherwise, I have to spend some time to dig into the v2 code.

fisforfaheem commented 2 years ago

tired of this nonsense the hCaptcha has made the web useless for me tired of this nonsense


warren-bank commented 2 years ago

since I don't want to be too overly verbose here, I'll just cross-reference some relevant comments/observations/questions ( 1, 2, 3, 4, 5, 6 ) in PR #283 with corresponding pre-built test extensions here

theg00s3 commented 2 years ago

> As a result, we didn't include the hCaptcha implementation because we don't know how it works

Well that's a horrendous decision

armfazh commented 1 year ago

Some good news: Support for hCaptcha tokens has been re-enabled as of v3.0.4

BTCAlchemist commented 1 year ago

@armfazh I appreciate the update. I am using v3.0.4. I just completed hcaptcha challenges to earn hcaptcha passes at https://www.hcaptcha.com/privacy-pass (screenshot below). However, the extension is still showing 0 passes. I am on Brave browser on macOS. What else do you suggest I try?

image

armfazh commented 1 year ago

> I just completed hcaptcha challenges to earn hcaptcha passes at https://www.hcaptcha.com/privacy-pass (screenshot below). However, the extension is still showing 0 passes. I am on Brave browser on macOS. What else do you suggest I try?

@fedecarpy : are there any changes or disruption observed in the hCaptcha side?