Merge pull request #15171 from schlawg/hcaptcha-credentialless

targeted hcaptcha credentialless

app/views/auth/bits.scala

@@ -36,7 +36,7 @@ object bits:
     views.base.layout(
       title = trans.site.passwordReset.txt(),
       moreCss = cssTag("auth"),
-      moreJs = hcaptchaScript(form),
+      modules = hcaptchaScript(form),
       csp = defaultCsp.withHcaptcha.some
     ):
       main(cls := "auth auth-signup box box-pad")(
@@ -104,7 +104,7 @@ object bits:
     views.base.layout(
       title = "Log in by email",
       moreCss = cssTag("auth"),
-      moreJs = hcaptchaScript(form),
+      modules = hcaptchaScript(form),
       csp = defaultCsp.withHcaptcha.some
     ):
       main(cls := "auth auth-signup box box-pad")(

app/views/auth/signup.scala

@@ -10,8 +10,8 @@ object signup:
   def apply(form: lila.core.security.HcaptchaForm[?])(using ctx: PageContext) =
     views.base.layout(
       title = trans.site.signUp.txt(),
-      modules = jsModuleInit("bits.login", "signup"),
-      moreJs = frag(hcaptchaScript(form), fingerprintTag),
+      modules = jsModuleInit("bits.login", "signup") ++ hcaptchaScript(form),
+      moreJs = frag(fingerprintTag),
       moreCss = cssTag("auth"),
       csp = defaultCsp.withHcaptcha.some,
       withHrefLangs = lila.ui.LangPath(routes.Auth.signup).some

modules/clas/src/main/ui/ClasPages.scala

@@ -84,7 +84,7 @@ final class ClasPages(helpers: Helpers, clasUi: ClasUi, dashUi: DashboardUi):
 
   def create(form: lila.core.security.HcaptchaForm[ClasForm.ClasData])(using Context) =
     ClasPage(trans.clas.newClass.txt(), Right("newClass"))(cls := "box-pad")
-      .iife(hcaptchaScript(form))
+      .js(hcaptchaScript(form))
       .csp(_.withHcaptcha):
         frag(
           h1(cls := "box__top")(trans.clas.newClass()),

modules/pref/src/main/ui/AccountPages.scala

@@ -227,7 +227,7 @@ final class AccountPages(helpers: Helpers, ui: AccountUi, flagApi: lila.core.use
     def form(form: lila.core.security.HcaptchaForm[?], error: Option[String] = None)(using ctx: Context) =
       Page(trans.site.reopenYourAccount.txt())
         .cssTag("auth")
-        .iife(hcaptchaScript(form))
+        .js(hcaptchaScript(form))
         .csp(_.withHcaptcha):
           main(cls := "page-small box box-pad")(
             h1(cls := "box__top")(trans.site.reopenYourAccount()),

modules/ui/src/main/helper/AssetHelper.scala

@@ -65,7 +65,7 @@ trait AssetHelper:
 
   def flairSrc(flair: Flair): String = staticAssetUrl(s"$flairVersion/flair/img/$flair.webp")
 
-  def hcaptchaScript(re: lila.core.security.HcaptchaForm[?]): Option[RawFrag] =
-    re.enabled.option(raw("""<script src="https://hcaptcha.com/1/api.js" async defer></script>"""))
+  def hcaptchaScript(re: lila.core.security.HcaptchaForm[?]): EsmList =
+    re.enabled.so(jsModuleInit("bits.hcaptcha"))
 
   def analyseNvuiTag(using ctx: Context) = ctx.blind.option(EsmInit("analyse.nvui"))

ui/bits/package.json

@@ -59,6 +59,7 @@
       "src/bits.flatpickr.ts",
       "src/bits.forum.ts",
       "src/bits.gameSearch.ts",
+      "src/bits.hcaptcha.ts",
       "src/bits.infiniteScroll.ts",
       "src/bits.login.ts",
       "src/bits.lpv.ts",

ui/bits/src/bits.hcaptcha.ts

@@ -0,0 +1,19 @@
+export function initModule() {
+  const script = document.createElement('script');
+  script.src = 'https://hcaptcha.com/1/api.js';
+
+  if ('credentialless' in window && window.crossOriginIsolated) {
+    const documentCreateElement = document.createElement;
+    script.src = 'https://hcaptcha.com/1/api.js?onload=initHcaptcha';
+    script.onload = () => {
+      document.createElement = function () {
+        const element = documentCreateElement.apply(this, arguments as any);
+        if (element instanceof HTMLIFrameElement) element.setAttribute('credentialless', '');
+        return element;
+      };
+    };
+    (window as any).initHcaptcha = () => (document.createElement = documentCreateElement);
+  }
+
+  document.head.appendChild(script);
+}