Honeypot against Bot registrations #4970
Conversation
… form field "username" must not be filled
Thanks for offering this PR @nesges. A couple of questions:

The class name
Will gladly look into the test cases and add some to RegistrationTest. However, I'm just getting ready to go on vacation and not sure if I can do it at short notice.
@nesges thanks for confirming on the class name.
Okay, don't add stress before your vacation then, I can throw these in during testing/review.
That's kind of you, thanks! :-)
Also cleaned up old RegistrationController syntax.
Review of #4970
This PR introduces a form field named "username" to the registration form. This field must not be filled; it acts as a honeypot for bots. If it is filled, the Validator of RegisterController invalidates the registration attempt. To the human viewer the honeypot is made invisible through CSS.

The CSS deliberately omits `display:none` because it can be assumed that bots would easily recognize this. Instead it uses CSS similar to Bootstrap's visually-hidden class.

Caveat: To ensure that the form remains accessible, `aria-hidden="true"` is used to tell screen readers to ignore the honeypot. Bots may be programmed intelligently enough to recognize the attribute and ignore the field. But I do think that accessibility comes first, and I haven't seen a bot that recognizes aria-hidden yet.
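The mechanism described in the PR, as an added example that is not the project's own code: a visually-hidden decoy field (no `display:none`, `aria-hidden` for screen readers) and a server-side validator that rejects any submission where the decoy carries a value. The field names other than "username", the `validate_registration` function, and the extra `tabindex="-1"`/`autocomplete="off"` attributes (so keyboard users and browser autofill never touch the decoy) are assumptions of this example.

```python
"""Registration honeypot: decoy field rendering and server-side check.
Added example; the project's real field names and validator differ."""
from html import escape

# Decoy field name from the PR; the real account fields use other names (assumed here).
HONEYPOT_FIELD = "username"

# Rule modelled on Bootstrap's .visually-hidden: the element stays in the DOM and
# in the render tree, but occupies no visible space. display:none is avoided on purpose.
HONEYPOT_CSS = (
    ".hp-field{position:absolute!important;width:1px;height:1px;padding:0;margin:-1px;"
    "overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0;}"
)


def render_honeypot_field() -> str:
    """HTML for the decoy input. aria-hidden keeps it out of the accessibility tree,
    tabindex=-1 keeps it out of keyboard focus order, autocomplete=off stops
    browser autofill from populating it for a genuine user (assumed additions)."""
    fid = f"hp-{HONEYPOT_FIELD}"
    return (
        f'<div class="hp-field" aria-hidden="true">'
        f'<label for="{fid}">Username</label>'
        f'<input type="text" id="{fid}" name="{escape(HONEYPOT_FIELD)}" '
        f'tabindex="-1" autocomplete="off"></div>'
    )


def validate_registration(form: dict) -> dict:
    """Return {field: error}; an empty dict means the submission passes.

    Honeypot rule: the decoy may be absent or empty. Any other value, including
    whitespace, fails validation, because no human-driven browser fills it."""
    errors = {}
    if form.get(HONEYPOT_FIELD, ""):
        errors[HONEYPOT_FIELD] = "must not be filled"
    # Ordinary rules for the real fields (assumed names and thresholds).
    if not form.get("email"):
        errors["email"] = "required"
    if len(form.get("password", "")) < 8:
        errors["password"] = "too short"
    return errors


if __name__ == "__main__":
    # Constructed submissions: a browser post leaves the decoy empty, a form-filler does not.
    human = {"email": "alice@example.com", "password": "correct-horse", HONEYPOT_FIELD: ""}
    bot = {"email": "spam@example.com", "password": "hunter2hunter2", HONEYPOT_FIELD: "spam"}
    print(validate_registration(human))  # {}
    print(validate_registration(bot))    # {'username': 'must not be filled'}
```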