silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS
https://www.silverstripe.org
BSD 3-Clause "New" or "Revised" License
722 stars 821 forks

Embedded Vimeo videos fall back to Link instead of Recaptcha #10247

Open andrewandante opened 2 years ago

andrewandante commented 2 years ago

Affected Version

4

Description

We are seeing a lot of rate-limited responses to embedded Vimeo videos on SCPS-CCL infrastructure - I believe this is because it treats all requests as coming from the same IP, but that's beside the point. When this happens, it returns a recaptcha/verification widget (HTML) that should be rendered on the page for the user; instead it is turned into a link that looks like this:

[image]

While admittedly that takes the user to the appropriate video, it does fundamentally look terrible and doesn't go away once clicked.

The actual response from Vimeo is something like:

<div class="content">
  <h1>Verify to continue</h1>
  <p>We detected a high number of errors from your connection. To continue, please confirm you're a human (and not a spambot).</p>
  <form id="form" action="https://vimeo.com/_unblock_ratelimit" method="post">
    <div class="g-recaptcha" data-sitekey="big_ol_string" data-theme="light" data-callback="done"></div>
  </form>
</div>

So it would seem that we could pull that out, rather than just pulling out the <h1> and using it as the link.

Steps to Reproduce

Triggering the rate-limit is hard but it happens on the SCPS-CCL infra every few months.

emteknetnz commented 2 years ago

We could probably do something here as, in the rework, EmbedContainer will look at the returned HTML to determine the type. Can you provide a sample of the returned HTML when it's a recaptcha?

andrewandante commented 2 years ago

> the returned HTML

Yeah it's in the issue description - that piece of HTML is the response you get (except with an actual site key rather than big_ol_string). Response code is 403.

kinglozzer commented 2 years ago

> When this happens, it returns a recaptcha/verification widget that is HTML, that should be rendered on the page for the user

Are you sure? Isn’t the challenge being presented to the webserver and not the end user?

andrewandante commented 2 years ago

> Isn’t the challenge being presented to the webserver and not the end user?

I guess sort of? The webserver is the source, it seems - but the user has the power to say "this is legitimate". Should look something like the image in this post when rendered: https://news.ycombinator.com/item?id=23897370

kinglozzer commented 2 years ago

Ah okay - I wasn’t sure if the user would be allowed to solve the captcha given that they’ll be coming from a different IP address, but if they can then that makes sense 😄
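The detection the thread is circling around, written up as an added example in Python (it is not Silverstripe code and not anything the commenters posted). It classifies the oEmbed fetch result by status, content type and body shape, pulls only the form action and site key out of the challenge page quoted in the issue, refuses a "challenge" whose form posts anywhere other than vimeo.com, and builds the fallback markup itself instead of echoing the upstream 403 body into the page. The sample bodies are constructed for the example; the site key is the placeholder from the issue, not a real key, and the `RateLimitBackoff` cool-off is an assumption, not anything Vimeo documents.

```python
import html
import json
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample of a rate-limited reply, shaped like the 403 body quoted in the issue.
# "big_ol_string" is the placeholder from the issue, not a real site key.
RATE_LIMIT_BODY = """<div class="content">
  <h1>Verify to continue</h1>
  <p>We detected a high number of errors from your connection. To continue, please confirm you're a human (and not a spambot).</p>
  <form id="form" action="https://vimeo.com/_unblock_ratelimit" method="post">
    <div class="g-recaptcha" data-sitekey="big_ol_string" data-theme="light" data-callback="done"></div>
  </form>
</div>"""

# Constructed sample of a normal oEmbed reply, trimmed to the fields this code reads.
OEMBED_BODY = json.dumps({
    "type": "video",
    "title": "Sample clip",
    "html": '<iframe src="https://player.vimeo.com/video/123456" width="640" height="360"></iframe>',
})


class _ChallengeParser(HTMLParser):
    """Extracts the heading, the form action and the reCAPTCHA site key from a challenge page."""

    def __init__(self) -> None:
        super().__init__()
        self.heading: Optional[str] = None
        self.form_action: Optional[str] = None
        self.sitekey: Optional[str] = None
        self._in_h1 = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "h1":
            self._in_h1 = True
        elif tag == "form" and self.form_action is None:
            self.form_action = a.get("action")
        elif tag == "div" and "g-recaptcha" in (a.get("class") or "").split():
            self.sitekey = a.get("data-sitekey")

    def handle_endtag(self, tag):
        if tag == "h1":
            self._in_h1 = False

    def handle_data(self, data):
        if self._in_h1 and self.heading is None and data.strip():
            self.heading = data.strip()


@dataclass
class EmbedResult:
    kind: str                       # "video", "rate_limited" or "error"
    html: Optional[str] = None      # the provider's embed code (video only)
    title: Optional[str] = None
    form_action: Optional[str] = None
    sitekey: Optional[str] = None


def classify_response(status: int, content_type: str, body: str) -> EmbedResult:
    """Decide what the oEmbed endpoint actually sent back before anything is rendered."""
    if status == 200 and content_type.split(";")[0].strip() == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return EmbedResult(kind="error")
        if isinstance(data, dict) and data.get("type") == "video" and isinstance(data.get("html"), str):
            return EmbedResult(kind="video", html=data["html"], title=data.get("title"))
        return EmbedResult(kind="error")
    if status == 403:
        parser = _ChallengeParser()
        parser.feed(body)
        # Only a challenge whose form posts back to vimeo.com counts; any other 403 is a plain error.
        if parser.sitekey and parser.form_action and urlsplit(parser.form_action).netloc == "vimeo.com":
            return EmbedResult(kind="rate_limited", title=parser.heading,
                               form_action=parser.form_action, sitekey=parser.sitekey)
    return EmbedResult(kind="error")


def render_embed(result: EmbedResult, video_url: str) -> str:
    """Build page markup from the classified result; the upstream 403 body is never echoed."""
    safe_url = html.escape(video_url, quote=True)
    if result.kind == "video":
        return result.html  # the provider's embed code, exactly as the normal oEmbed path already trusts it
    if result.kind == "rate_limited":
        return f'<p>Video temporarily unavailable. <a href="{safe_url}">Watch on Vimeo</a></p>'
    return f'<p><a href="{safe_url}">Watch on Vimeo</a></p>'


class RateLimitBackoff:
    """Remembers a rate-limited answer so the server stops re-requesting during an assumed cool-off."""

    def __init__(self, cooloff_seconds: float = 600.0) -> None:
        self.cooloff = cooloff_seconds
        self._until: Dict[str, float] = {}   # video_url -> monotonic deadline

    def note(self, video_url: str, result: EmbedResult, now: float) -> None:
        if result.kind == "rate_limited":
            self._until[video_url] = now + self.cooloff

    def blocked(self, video_url: str, now: float) -> bool:
        return now < self._until.get(video_url, 0.0)
```

If the team does decide to show the challenge to the visitor, the same two extracted and escaped values (`form_action`, `sitekey`) are what a rebuilt form should be made from; injecting the raw 403 body hands the provider (or anyone who can answer in its place) arbitrary markup on your page. The backoff matters independently of the rendering choice: every extra fetch while rate-limited is another request from the shared IP that keeps the block alive.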