Bulletproofing accessibility #5

Open
cferdinandi opened this issue Mar 24, 2016 · 2 comments
@cferdinandi
Collaborator

Currently, you're using some lightweight JS to remove the honeypot for human users. I see a couple of potential issues with the current implementation:

  1. Some bots can and do run JS.
  2. If JavaScript fails, the honeypot remains.
  3. If CSS fails, too, the honeypot is exposed, but there's nothing indicating to humans that they shouldn't fill it out.

I understand this is a crazy edge case, but one recommended approach you could take is to remove the JS bit that removes the honeypot, so that the honeypot field is always displayed. Then, apply a label to the honeypot that says something like, "If you're human, leave this blank."

If this sounds interesting and you'd like me to take a crack at it, let me know and I'll issue a PR.

@freak3dot
Owner

I agree that there are issues with the current method. My concern would be that any indicator could also serve as a flag to a bot.

  • Perhaps a random CSS class?
    • Include it in the head of the document so it isn't close enough to the honeypot for a bot to pick out.
  • Current JS solution would remain.

@cferdinandi
Collaborator Author

> My concern would be that any indicator could also serve as a flag to a bot.

I shared that concern, but from my reading, this seems to maybe not matter as much? I'm by no means an expert on this, though, so whatever you think makes the most sense.
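
The two suggestions in this thread combined, as an added example that is not the project's code or either commenter's: the honeypot is always rendered with a "leave this blank" label, hidden by a per-response random CSS class declared in the document head, and checked on the server. The names `render_form` and `is_probable_bot`, the field name `website` and the `/comment` action are assumptions made for illustration.

```python
import secrets

HONEYPOT_NAME = "website"  # hypothetical field name, chosen to look ordinary


def render_form() -> str:
    """Render a form whose honeypot is hidden by a random, per-response class."""
    # Random class name (prefixed with a letter so it is a valid CSS identifier).
    # A new one per response means there is no fixed selector to key on.
    cls = "c" + secrets.token_hex(6)
    return f"""<!doctype html>
<html><head>
<style>.{cls} {{ position: absolute; left: -9999px; }}</style>
</head><body>
<form method="post" action="/comment">
  <label>Comment <textarea name="comment"></textarea></label>
  <div class="{cls}">
    <!-- The label is read by screen readers and is visible if CSS fails. -->
    <label for="hp">If you're human, leave this blank.</label>
    <input id="hp" type="text" name="{HONEYPOT_NAME}"
           tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>
</body></html>"""


def is_probable_bot(form: dict) -> bool:
    """Server-side check: any non-blank honeypot value marks the submission.

    A missing field is accepted, because a client-side script that removes
    the honeypot for human users (the current JS approach) means the field
    is never submitted at all.
    """
    return bool(form.get(HONEYPOT_NAME, "").strip())


if __name__ == "__main__":
    # Constructed sample submissions.
    print(is_probable_bot({"comment": "hi", "website": "http://spam.example"}))
    print(is_probable_bot({"comment": "hi", "website": ""}))
    print(is_probable_bot({"comment": "hi"}))
```

The server-side check is what does the filtering; the random class and the label only affect what a human or a scraper sees in the markup.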
