January 11, 2022, 10:33pm
Browser A: Vivaldi 5.0.2497.35 (Stable channel) (64-bit)
Browser B: Firefox 96.0 (64-bit)
OS: Windows 11 Version 21H2 (Build 22000.376)
Get moderated (i.e., banned) and remain logged into that account
Wait until your X-XSRF-TOKEN expires
Attempt to complete and submit, completing captcha successfully
I expect the X-XSRF-TOKEN to correctly generate and submit my support request
User gets stuck in a captcha loop because they cannot generate the XSRF token required to submit due to being moderated.
Submit again while logged out
Issue Area: Roblox Website
Page URL: Support - Roblox
Frequency: Very Rarely
Date First Experienced: 2022-01-11 22:01:00 (+00:00)
I am having trouble reproducing this issue. Which URL are you seeing return the 403 status code, that is resulting in the captcha loop?
January 12, 2022, 9:25am
This was on the support form page. Just to make sure, are you testing on a moderated account?
January 12, 2022, 2:01pm
I don’t believe the CSRF token is the issue here. Moderated accounts just simply get 403s on many endpoints intentionally, excluding a few like usermoderation (for getting their current moderation status/ban reason/etc).
By the way, the actual header name is X-CSRF-Token, and it usually doesn’t cause a captcha when it’s invalid - it usually comes before the captcha.
I think the actual “bug” here is that support requests are included in the pool of requests that are blocked when your account is moderated. Maybe you could rephrase this as “cannot submit support requests on a moderated account”
January 12, 2022, 2:23pm
For whatever reason, it’s fine when I appealed immediately but a captcha loop the day after. The only thing that gave any clue was that the CSRF printed an object as shown in the original post.
You can’t edit a bug report title after the fact so idk
January 12, 2022, 2:25pm
X-CSRF-Token usually expires within minutes and not days, so I’m not totally sure why that happened.
Where is it printing an object? I don’t know what you mean by that.
January 12, 2022, 2:30pm
In the (web) developer console.
I’m not quite sure what happened, I cannot replicate this bug (not banned) again.
It seems like the sort of thing that might have been missed and may deeply annoy end users.
January 12, 2022, 4:02pm
Could you explain what the screenshot in your post is? I assumed that this was your own request you had sent.
Yes, I tested while logged in to a permanently banned account. I was able to fill out the captcha and submit the report form and got an email confirmation.