I've been noticing an uptick on spam emails being sent through my contact form. As a test, I disabled javascript on the form. The "I am not a robot" with checkbox block gets replaced with the message "Please enable JavaScript to get a reCAPTCHA challenge." And I was able to successfully submit the form which totally defeats the purpose of having a captcha.
I tried unchecking the "Enable fallback for browsers with JavaScript disabled" button and testing with Javascript disabled again. This time I don't see any recaptcha block. When I submit the form I get an error msg "The answer you entered for the CAPTCHA was not correct." So I guess that's working and I shouldn't have enabled the checkbox? Is that the expected behavior?
The help text under the "Enable fallback" button is not helpful. "If JavaScript is a requirement for your site, you should not enable this feature. With this enabled, a compatibility layer will be added to the captcha to support non-js users."
I don't consider Javascript a requirement for the site so that's why I had this checked. "With this enabled, a compatibility layer will be added to the captcha to support non-js users." -- I have no idea what this means.
So I don't know if this is working as expected but the UI needs some improvement.
Comments
Comment #2
hass CreditAttribution: hass commentedAs Google designed it to work.
Comment #3
codesmithUpdating to improve the documentation. @hass - super unhelpful response.
Comment #4
codesmithComment #5
codesmithComment #6
hass CreditAttribution: hass commentedLooks like you changed your case intro. Google designed it work with js only. I cannot change this.
Not sure why noscript feature may no longer work. Please review the google docs and share a patch that fixes the bug. This is for sure not correct.
Comment #7
ultimikeThis still appears to be a bug - or at the very least, unexpected behavior.
Regardless of how Google designed it, I think this module should provide the option to prevent submissions when Javascript is disabled.
-mike
Comment #8
Rick Hood CreditAttribution: Rick Hood commentedHi,
We've also seen an uptick in spam with reCaptcha enabled.
I am a bit confused about the above discussion:
If you leave the Enable fallback for browsers with JavaScript disabled unchecked, submissions will be blocked if a user turns off JavaScript, right?
The issue is that without JavaScript there is no way to submit the form, is that correct?
We have it unchecked, yet are getting a bunch of spam now, all from Russia.
Any solutions? Are either of these better?
reCAPTCHA v3
https://www.drupal.org/project/recaptcha_v3
Honeypot
https://www.drupal.org/project/honeypot
Thanks for any advice/help.
- Rick
Comment #9
codesmithThe "Enable fallback" checkbox should be unchecked. This will make sure the captcha fails if javascript is disabled.
Comment #10
Liam Morland8.x-2.x is no longer supported. If this applies to 8.x-3.x, please re-open.
Comment #11
clemorphy CreditAttribution: clemorphy commentedI have this problem with 3.2.0.
When "enable fallback" is not checked, with JS disabled no captcha is displayed and I am able to submit the form.
When "enable fallback" is checked, with JS disabled a message "Please enable JavaScript to get a reCAPTCHA challenge." is displayed, but I am still able to submit the form. And that is an issue.
Comment #12
clemorphy CreditAttribution: clemorphy commentedComment #13
Liam Morland