I’m working on a local javascript application that interact with a server in ajax and I want to securize my creation form with hcaptcha.
<script src='https://js.hcaptcha.com/1/api.js' async defer></script>
<h2>Create an account</h2>
<form class="create-account" method="post">
...
<div class="h-captcha" data-sitekey="..."></div>
<p><button type="submit">Create account</button></p>
</form>
I got javascript errors:
TypeError: ke.data.kernel.save.user_init is not a function
SecurityError: Permission denied to access property "document" on cross-origin object
And query is invalid
curl 'https://hcaptcha.com/checksiteconfig?v=..&host=&sitekey=...&sc=1&swa=1'
return 403 Invalid Data
Because of it’s a local app, there is no host.
Is there a way to use hcaptcha in a local app ?
2
Answers
It seems that it is not possible, because hcaptcha use iframe that are forbidden in a local app.
I manage to use another solution.
Often to do this kind of thing you need to set up local network traffic redirect rules, which isn’t too difficult. However, unlike in your example, you will need to be running a local server – something like Node. After that, you can spoof a remote host and have it redirect local requests headed for the remote host to your local server instead. Usually you have to do one extra redirect since port 80 is already in use (also helpful if remote host does any redirecting, e.g. OpenID auth redirects, etc).
example(s) below will cause traffic to be redirected as follows:
myhost.com:80
->127.55.55.55:80
->127.0.0.1:8080
WINDOWS
Note: steps must be executed with Admin rights
http://127.0.0.1:8080
).127.0.0.0/8
that’s not in use (our example uses127.55.55.55:80
).netstat -aonp TCP | findstr "LISTENING"
shows addresses that ARE in use. Use an IP other than one of these.C:WindowsSystem32driversetchosts
).{local ip} {host}
-> e.g.127.55.55.55 myhost.com
netsh
command utility:netsh interface portproxy add v4tov4 listenport=80 listenaddress=127.55.55.55 connectport=8080 connectaddress=127.0.0.1
.myhost.com
. You should see output from your local server, and (hopefully) you’ve tricked hCaptcha restrictions!Notes:
netsh
portproxy needs ipv6 libraries even when using v4tov4. If not already installed, runnetsh interface ipv6 install
.netsh
entries withnetsh interface portproxy show v4tov4
netsh interface portproxy delete v4tov4 listenport=80 listenaddress=127.55.55.55