[Standards] CAPTCHAs in registration forms

Peter Saint-Andre stpeter at stpeter.im
Thu May 8 20:27:24 UTC 2008

On 05/06/2008 4:33 PM, Gaston Dombiak wrote:
> Hey Peter,
> XEP-4 defines a few field types. I think that we should create a new
> field type for media objects so that clients could render it
> appropriately.

I take that as a +1 for XEP-0221, not as a vote for defining a new field
type in XEP-0004. Or do I misunderstand you?

> I like the media element that you included in the data form. I think
> that servers may choose to include the image itself in the form field
> or provide a URI to get it.

Right, that's the idea.

> I think I would expect the completed form to include a reply to the
> media field. In this case it would include the CAPTCHA value. Another
> choice, would be to just use the media field as a read-only field and
> then have another text field where the user could enter his CAPTCHA
> value.
> Am I missing something here?

No, you're not. That is not clear enough in XEP-0158.

The flow is something like this (see Example 2 and Example 4).

<message from='victim.com'
    to='robot at spimmer.com/zombie'
  <challenge xmlns='urn:xmpp:tmp:challenge'>
    <x xmlns='jabber:x:data' type='form'>
      [ ... ]
      <field var='ocr'>
        <media xmlns='xmlns='urn:xmpp:tmp:media-element'
          <uri type='image/jpeg'>
          <data xmlns='urn:xmpp:tmp:data-element'
                type='image/jpeg'> ** Base64 encoded image ** </data>
      [ ... ]

Then the reply is like this:

<iq type='set'
    from='robot at spimmer.com/zombie'
  <challenge xmlns='urn:xmpp:tmp:challenge'>
    <x xmlns='jabber:x:data' type='submit'>
      [ ... ]
      <field var='ocr'><value>7nHL3</value></field>
      [ ... ]

Now maybe this is a bit of a fudge. The "ocr" field in the challenge
form is implicitly of type "text-single" (since that is the default),
*but* it contains a media element. Now when the sender responds to the
challenge with a submitted form, he includes an "ocr" field that is of
type "text-single", but now it contains a <value/> element just like a
normal text-single field. So perhaps that is a bit sneaky, eh? What if
the submitted form includes media, too (e.g., audio recognition)? I
don't know if such a scenario is valid, but I see no reason to outlaw
media elements in submitted forms. And then how does the submitter know
if that's acceptable?



Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20080508/e3fee4ec/attachment.bin>

More information about the Standards mailing list