Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

reCAPTCHA blocked in China #3174

Closed
JacksonWuxs opened this issue Mar 8, 2018 · 56 comments
Closed

reCAPTCHA blocked in China #3174

JacksonWuxs opened this issue Mar 8, 2018 · 56 comments
Labels
bug 🐛 help needed We'd love volunteers to advise on or help fix/implement this.

Comments

@JacksonWuxs
Copy link

A pypi ID is necessary while Iwould like to share and upload a package on pypi. Unfortunnatly, there was something wrong with the website of "https://pypi.org/account/register/". After writing the all information, an ERROR was arise named "Recaptcha error.".
I'm not sure if that is caused by China Internet?

@ewdurbin
Copy link
Member

ewdurbin commented Mar 8, 2018

It looks like our Register page may be blocking the "additional screening" required by the recaptcha on occasion. Generally a modal that pops over and requests that a user click on objects that look like a "street sign" or "storefront"

@di @nlhkabu any ideas?

@dstufft
Copy link
Member

dstufft commented Mar 8, 2018

Might be something related to the CSP policy.

@di
Copy link
Member

di commented Mar 8, 2018

@JacksonWuxs Are you seeing a reCAPTCHA like this on the register page?

screen shot 2018-03-08 at 9 15 06 am

@UlionTse
Copy link

UlionTse commented Mar 9, 2018

@di @ewdurbin I also don't see CAPTCHA in China. See below,

@dstufft
Copy link
Member

dstufft commented Mar 9, 2018

Oh interesting, I wonder if China is blocking recaptcha.

@dstufft
Copy link
Member

dstufft commented Mar 9, 2018

Okay, so according to @reaperhulk Recaptcha doesn't work in China, that is... unfortunate.

@dstufft
Copy link
Member

dstufft commented Mar 9, 2018

Some more information google/recaptcha#87

@UlionTse
Copy link

UlionTse commented Mar 9, 2018

@dstufft I see, thanks.

@dstufft dstufft added bug 🐛 and removed support labels Mar 9, 2018
@dstufft
Copy link
Member

dstufft commented Mar 9, 2018

Not sure what (if any) milestone we should add this to, but getting this fixed is super important since currently all of China can't interact with anything on Warehouse that requires a captcha. /cc @brainwane

@brainwane brainwane added this to the 3: Publicize beta milestone Mar 9, 2018
@di di changed the title Cannot register a new pypi ID reCAPTCHA blocked in China Mar 9, 2018
@JacksonWuxs
Copy link
Author

JacksonWuxs commented Mar 10, 2018 via email

@JacksonWuxs
Copy link
Author

JacksonWuxs commented Mar 10, 2018 via email

@di
Copy link
Member

di commented Mar 10, 2018

@JacksonWuxs If you let me know the email address and username you'd like to use, I can register an account on your behalf, and then we can do a password reset so you can get access to it.

@JacksonWuxs
Copy link
Author

JacksonWuxs commented Mar 11, 2018 via email

@di
Copy link
Member

di commented Mar 11, 2018

@JacksonWuxs Done, you should have a password reset email in your inbox.

Leaving this issue open until we resolve the larger problem of using reCAPTCHA in China.

@JacksonWuxs
Copy link
Author

JacksonWuxs commented Mar 11, 2018 via email

@JacksonWuxs
Copy link
Author

JacksonWuxs commented Mar 12, 2018 via email

@di
Copy link
Member

di commented Mar 12, 2018

@JacksonWuxs No apology necessary. The datapy project already exists, you'll need to choose a new name.

@JacksonWuxs
Copy link
Author

JacksonWuxs commented Mar 12, 2018 via email

@di
Copy link
Member

di commented Mar 12, 2018

@JacksonWuxs You can search here: https://pypi.org/search/, for example https://pypi.org/search/?q=datapy.

@JacksonWuxs
Copy link
Author

JacksonWuxs commented Mar 13, 2018 via email

@brainwane
Copy link
Contributor

I'd love advice on how we should address this. Right now I believe this is the biggest blocker stopping us from going to the beta stage and doing our publicity push.

@dstufft
Copy link
Member

dstufft commented Mar 14, 2018

We're probably going to have to use a different captcha solution, at least in china if not everywhere. At least that's the only thing I can think of.

@ncoghlan
Copy link
Contributor

Some basic notes at https://stackoverflow.com/questions/23780387/recaptcha-availability-in-china that sum up to "Don't use recaptcha if you have users in China".

@tylerdave
Copy link

tylerdave commented Mar 14, 2018

It's been a while but I've used this with success when I needed a captcha solution that worked in China in the past: https://captcha.com/ (note that there's no Python backend though.)

@pradyunsg
Copy link
Contributor

Someone claimed that recaptcha.net would work, because that domain is not blocked according to greatfire.org, and its SSL certificate is Google's misc services cert (so it looks legit). However, someone else reported that recaptcha.net still makes a request to www.google.com, which would fail in China.

That's already been mentioned in this thread @cpdyj.

@batou-mtcapthca
Copy link

reCaptcha v2 is not guaranteed to work in china due to its dependencies on google.com which is blocked. One can look at https://captcha.com/ to host their own, or https://www.mtcaptcha.com for a paid for recaptcha alternative. Both would work in China.

@Dorro101
Copy link

Hi

I am currently residing in Nanjing, China. I was temporarily unable to create an account because of the reCAPTCHA issue and the blanket blocking of google.com and its APIs. I was, however, able to get around this using the audio function by clicking on the speaker/volume (sic) icon and entering a code provided by audio playback.

@JacksonWuxs
Copy link
Author

Well there was long time after I rose the issue. Finally, I solved this problem with a proxy software which let me go through the fire wall of China Internet.

Due to the reason that China government locked most of responses from abroad, including APIs from Google, the reCAPTCHA issue happened. If anyone face the same issue in the future, the best solution is buying a proxy. At that moment, you can not only create an account, you also search papers or more information with Google conveniencely.

@ShikiSuen

This comment has been minimized.

@pypi pypi locked as resolved and limited conversation to collaborators May 27, 2020
@di
Copy link
Member

di commented Mar 17, 2023

Unfortunately, we needed to re-enable reCAPTCHA in #13232 due to the changes in #3339 eventually becoming insufficient to prevent spam signups. For any user that is affected by this, your best option at this time would be to use a proxy. Our sincere apologies for this inconveneince!

@ewdurbin
Copy link
Member

New guidance: https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally

With an additional step not noted in googles docs regarding the need to add gstatic.cn to CSP: https://stackoverflow.com/a/57855838

@di
Copy link
Member

di commented Mar 18, 2023

Looking at the comments there, it seems like this doesn't work anymore, however it might be worth doing anyways and the "proxying" solution there might be something we could implement instead.

I'm going to unlock this issue to give our users in China the ability to tell us if they are still encountering this.

@pypi pypi unlocked this conversation Mar 18, 2023
@demonguy
Copy link

demonguy commented Mar 29, 2023

@di I got the same issue here, cannot see the recaptcha on regsiter page.

BTW, my problem is slightly different here. I got proxy to access so websites outside of China. I can access Google Facebook and so on. And i can also see recaptcha on those websites.
when i open console of the browser, i didn't see any http status_code but the request failed because of csp

And i tried to disable CSP of chrome, and it works. I think that's some sort of security update?
my Chrome version: 111.0.5563.111

image

@miketheman
Copy link
Member

@demonguy thanks for the report, can you please provide more details on the specific blocked request? I’m looking for the full url the browser is attempting to load?
Clicking on the blocked line in the inspector ought to display more details. Also clicking on the Console tab should show an error detail as well.

@Teddy-van-Jerry
Copy link

Teddy-van-Jerry commented Mar 30, 2023

@demonguy Same situation and issue with you on Chrome. Recapture displays correctly on Safari. (When setting global proxy I can see Recapture on Chrome too, but with some latency.)

@SimFG
Copy link

SimFG commented Mar 31, 2023

Same situation, help!!!

@demonguy
Copy link

Here is the request jar saved from Chrome @miketheman

pypi.org.zip

@SimFG
Copy link

SimFG commented Mar 31, 2023

@demonguy has you registered a account

@demonguy
Copy link

demonguy commented Mar 31, 2023

@SimFG yeah. I download a Chrome plugin which disable csp on Chrome and i successfully registed an account

I think this is another problem? Maybe all latest Chrome users will have such issue?

@SimFG
Copy link

SimFG commented Mar 31, 2023

@demonguy which plugin, i need it. help help help

@miketheman
Copy link
Member

Here is the request jar saved from Chrome @miketheman

pypi.org.zip

Thanks, I'll investigate with these details - and think we have a path forward.

miketheman added a commit that referenced this issue Mar 31, 2023
Thanks to some extra debugging detaisl, we can see that the script
is being loaded via a different Google Static domain in China.

Refs: #3174, #13232, #13350

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
@miketheman
Copy link
Member

Thanks for your details and patience!

@demonguy @Teddy-van-Jerry @SimFG I've shipped a change to the Content Security Policy we set as headers for the recaptcha - this directive helps by telling browsers what the authors of a website have decided which scripts to securely allow, and prevent unintended other scripts loading.

If you wouldn't mind deactivating the plugins that disable the CSP behavior and confirming that the recaptcha loads on registration page https://pypi.org/account/register/ so we can close this out?

@demonguy
Copy link

@miketheman it works now

@demonguy
Copy link

BTW, another url is blocked, but i think it doesn't matter

Request URL: https://media.ethicalads.io/media/client/v1.4.0/ethicalads.min.js
Referrer Policy: origin-when-cross-origin
Provisional headers are shown
Learn more
DNT: 1
Origin: https://pypi.org
Referer: https://pypi.org/
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

@miketheman
Copy link
Member

@demonguy Thanks - that's not being blocked by CSP - that might be another browser plugin like an Ad Blocker. It shouldn't have any negative impact on the operation of the site.

@miketheman
Copy link
Member

Now that this is confirmed as resolved again, I'll go ahead and lock this conversation to prevent unnecessary notifications to the 20ish folks on this issue.
If there are other captcha-related issues loading in China, please open a new issue (and reference this one for context).

@pypi pypi locked as resolved and limited conversation to collaborators Mar 31, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug 🐛 help needed We'd love volunteers to advise on or help fix/implement this.
Projects
None yet
Development

No branches or pull requests