wp-smart-honeypot

Bulletproofing accessibility

Open cferdinandi opened this issue 8 years ago • 2 comments

Currently, you're using some lightweight JS to remove the honeypot for human users. I see a couple of potential issues with the current implementation:

  1. Some bots can and do run JS.
  2. If JavaScript fails, the honeypot remains.
  3. If CSS fails, too, the honeypot is exposed, but there's nothing indicating to humans that they shouldn't fill it out.

I understand this is a crazy edge case, but one recommended approach you could take is to remove the JS bit that removes the honeypot, so that the honeypot field is always displayed. Then, apply a label to the honeypot that says something like, "If you're human, leave this blank."

If this sounds interesting and you'd like me to take a crack at it, let me know and I'll issue a PR.

cferdinandi, Mar 24 '16 00:03

I agree that there are issues with the current method. My concern would be that any indicator could also serve as a flag to a bot.

  • Perhaps a random CSS class? Include it in the head of the document so it isn't close enough to the honeypot for a bot to pick out.
  • Current JS solution would remain.

freak3dot, Mar 24 '16 13:03

> My concern would be that any indicator could also serve as a flag to a bot.

I shared that concern, but from my reading, this seems to maybe not matter as much? I'm by no means an expert on this, though, so whatever you think makes the most sense.

cferdinandi, Mar 24 '16 13:03
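
The two suggestions in this thread combined, as an added example that is not part of the issue or of wp-smart-honeypot's code: an always-labelled honeypot hidden by a random class declared in the head, plus the server-side check that still works when CSS and JS both fail. The function names, the `website_url` field name and the off-screen CSS rule are assumptions, and a missing field is accepted only because the existing JS removal is assumed to stay in place.

```php
<?php
// Added example; all function and field names are hypothetical, not the plugin's.

// Random class per page load, so the hiding rule has no fixed selector to match.
function hp_random_class(): string {
    return 'c' . bin2hex(random_bytes(6)); // leading letter keeps it a valid CSS class
}

// Hiding rule, meant for <head>, away from the field it applies to.
function hp_head_style(string $class): string {
    return '<style>.' . $class . '{position:absolute;left:-9999px}</style>';
}

// Honeypot markup. The label is what a person reads if the CSS or JS fails,
// and what a screen reader announces for the off-screen field.
function hp_field(string $name, string $class): string {
    $n = htmlspecialchars($name, ENT_QUOTES);
    $c = htmlspecialchars($class, ENT_QUOTES);
    return "<p class=\"$c\"><label for=\"$n\">If you're human, leave this blank.</label> "
         . "<input type=\"text\" id=\"$n\" name=\"$n\" value=\"\" autocomplete=\"off\"></p>";
}

// Server-side check, the only step that does not rely on the client.
function hp_is_spam(array $post, string $name): bool {
    if (!array_key_exists($name, $post)) {
        return false; // field was removed by the existing JS before submit
    }
    $value = $post[$name];
    // Arrays (name[]=x) and any non-blank string count as a filled honeypot.
    return !is_string($value) || trim($value) !== '';
}

// Constructed submissions, not real traffic.
$name  = 'website_url'; // hypothetical honeypot field name
$class = hp_random_class();
echo hp_head_style($class), "\n", hp_field($name, $class), "\n";
$samples = [
    'human, JS removed field'  => ['comment' => 'Nice post'],
    'human, JS and CSS failed' => ['comment' => 'Nice post', $name => ''],
    'bot filled every input'   => ['comment' => 'Buy now', $name => 'http://spam.example'],
    'bot sent an array'        => ['comment' => 'Buy now', $name => ['x']],
];
foreach ($samples as $label => $post) {
    printf("%-26s %s\n", $label, hp_is_spam($post, $name) ? 'reject' : 'accept');
}
```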