I've been noticing an uptick in spam emails being sent through my contact form. As a test, I disabled JavaScript on the form. The "I am not a robot" with checkbox block gets replaced with the message "Please enable JavaScript to get a reCAPTCHA challenge." And I was able to successfully submit the form, which totally defeats the purpose of having a captcha.

I tried unchecking the "Enable fallback for browsers with JavaScript disabled" button and testing with JavaScript disabled again. This time I don't see any reCAPTCHA block. When I submit the form I get an error message "The answer you entered for the CAPTCHA was not correct." So I guess that's working and I shouldn't have enabled the checkbox? Is that the expected behavior?

The help text under the "Enable fallback" button is not helpful. "If JavaScript is a requirement for your site, you should not enable this feature. With this enabled, a compatibility layer will be added to the captcha to support non-js users."

I don't consider JavaScript a requirement for the site so that's why I had this checked. "With this enabled, a compatibility layer will be added to the captcha to support non-js users." -- I have no idea what this means.

So I don't know if this is working as expected but the UI needs some improvement.

Comments

hass’s picture

Category: Bug report » Support request
Status: Active » Closed (works as designed)

As Google designed it to work.

codesmith’s picture

Title: Recaptcha stops working if Javascript disabled » "Enable fallback for browsers with JavaScript disabled" is confusing
Version: 8.x-2.4 » 8.x-2.x-dev
Component: General » Documentation
Category: Support request » Feature request

Updating to improve the documentation. @hass - super unhelpful response.

codesmith’s picture

Status: Closed (works as designed) » Active

codesmith’s picture

Category: Feature request » Bug report

hass’s picture

Component: Documentation » reCAPTCHA V2

Looks like you changed your case intro. Google designed it to work with js only. I cannot change this.

Not sure why noscript feature may no longer work. Please review the google docs and share a patch that fixes the bug. This is for sure not correct.

ultimike’s picture

This still appears to be a bug - or at the very least, unexpected behavior.

Regardless of how Google designed it, I think this module should provide the option to prevent submissions when JavaScript is disabled.

-mike

Rick Hood’s picture

Hi,

We've also seen an uptick in spam with reCAPTCHA enabled.

I am a bit confused about the above discussion:

If you leave the "Enable fallback for browsers with JavaScript disabled" checkbox unchecked, submissions will be blocked if a user turns off JavaScript, right?

The issue is that without JavaScript there is no way to submit the form, is that correct?

We have it unchecked, yet are getting a bunch of spam now, all from Russia.

Any solutions? Are either of these better?
reCAPTCHA v3
https://www.drupal.org/project/recaptcha_v3
Honeypot
https://www.drupal.org/project/honeypot

Thanks for any advice/help.

- Rick

codesmith’s picture

The "Enable fallback" checkbox should be unchecked. This will make sure the captcha fails if JavaScript is disabled.

Liam Morland’s picture

Status: Active » Closed (outdated)

8.x-2.x is no longer supported. If this applies to 8.x-3.x, please re-open.

clemorphy’s picture

I have this problem with 3.2.0.
When "enable fallback" is not checked, with JS disabled no captcha is displayed and I am able to submit the form.
When "enable fallback" is checked, with JS disabled a message "Please enable JavaScript to get a reCAPTCHA challenge." is displayed, but I am still able to submit the form. And that is an issue.
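
A server-side check that fails closed covers the case reported above, where a browser with JavaScript disabled posts the form with no reCAPTCHA token. This is an added example in plain PHP, not code from the thread or from the reCAPTCHA module; `captcha_passed`, `siteverify_http` and the stub are hypothetical names, and the secret is a placeholder.

```php
<?php
// Added illustration, not the reCAPTCHA module's code: a fail-closed server-side check.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/** Default transport: POST the token to Google's siteverify endpoint. */
function siteverify_http(string $secret, string $token, ?string $ip): ?array {
  $fields = ['secret' => $secret, 'response' => $token];
  if ($ip !== null) {
    $fields['remoteip'] = $ip;
  }
  $ctx = stream_context_create(['http' => [
    'method'  => 'POST',
    'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
    'content' => http_build_query($fields),
    'timeout' => 5,
  ]]);
  $body = @file_get_contents(SITEVERIFY_URL, false, $ctx);
  $json = $body === false ? null : json_decode($body, true);
  return is_array($json) ? $json : null;
}

/**
 * True only when a token was posted AND the verifier confirmed it.
 * A missing field, a transport error and a malformed reply all reject.
 */
function captcha_passed(array $post, string $secret, ?string $ip, ?callable $verify = null): bool {
  $token = $post['g-recaptcha-response'] ?? '';
  if (!is_string($token) || trim($token) === '') {
    return false; // the widget never ran in the browser: reject, do not skip
  }
  $result = ($verify ?? 'siteverify_http')($secret, $token, $ip);
  return is_array($result) && ($result['success'] ?? false) === true;
}

// Constructed inputs; the stub (hypothetical) stands in for Google's reply so this runs offline.
$stub = fn($secret, $token, $ip) => ['success' => $token === 'good-token'];
$cases = [
  'JS disabled, field absent' => ['name' => 'x', 'message' => 'hello'],
  'empty token'               => ['g-recaptcha-response' => ''],
  'forged token'              => ['g-recaptcha-response' => 'made-up'],
  'solved challenge'          => ['g-recaptcha-response' => 'good-token'],
];
foreach ($cases as $label => $post) {
  $ok = captcha_passed($post, 'SECRET_PLACEHOLDER', null, $stub);
  printf("%-26s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

Only the last constructed case is accepted; the submission with no `g-recaptcha-response` field is rejected before any request to Google is made.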

clemorphy’s picture

Version: 8.x-2.x-dev » 8.x-3.2
Status: Closed (outdated) » Active

Liam Morland’s picture

Version: 8.x-3.2 » 8.x-3.x-dev