Add resource hints for reCAPTCHA (#10616)

* Add resource hints for reCAPTCHA

changelog: Internal, Spam Mitigation, Add resource hints to improve load speed for reCAPTCHA

* Remove redundant chomp

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

app/controllers/concerns/recaptcha_concern.rb

@@ -11,6 +11,14 @@ module RecaptchaConcern
     'https://recaptcha.google.com/recaptcha/',
   ].freeze
 
+  def add_recaptcha_resource_hints
+    response.headers['Link'] = [
+      response.headers['Link'],
+      '<https://www.google.com>;rel=preconnect',
+      '<https://www.gstatic.com>;rel=preconnect;crossorigin',
+    ].compact.join(',')
+  end
+
   def allow_csp_recaptcha_src
     policy = current_content_security_policy
     policy.script_src(*policy.script_src, *RECAPTCHA_SCRIPT_SRC)

app/controllers/users/phone_setup_controller.rb

@@ -16,6 +16,8 @@ class PhoneSetupController < ApplicationController
     before_action :confirm_recently_authenticated_2fa
     before_action :check_max_phone_numbers_per_account, only: %i[index create]
 
+    after_action :add_recaptcha_resource_hints, if: :recaptcha_enabled?
+
     helper_method :in_multi_mfa_selection_flow?
 
     def index

spec/controllers/concerns/recaptcha_concern_spec.rb

@@ -1,17 +1,17 @@
 require 'rails_helper'
 
 RSpec.describe RecaptchaConcern, type: :controller do
-  controller ApplicationController do
-    include RecaptchaConcern
+  describe '#allow_csp_recaptcha_src' do
+    controller ApplicationController do
+      include RecaptchaConcern
 
-    before_action :allow_csp_recaptcha_src
+      before_action :allow_csp_recaptcha_src
 
-    def index
-      render plain: ''
+      def index
+        render plain: ''
+      end
     end
-  end
 
-  describe '#allow_csp_recaptcha_src' do
     it 'overrides csp to add directives for recaptcha' do
       get :index
 
@@ -20,4 +20,52 @@ def index
       expect(csp.frame_src).to include(*RecaptchaConcern::RECAPTCHA_FRAME_SRC)
     end
   end
+
+  describe '#add_recaptcha_resource_hints' do
+    controller ApplicationController do
+      include RecaptchaConcern
+
+      after_action :add_recaptcha_resource_hints
+
+      def index
+        if params[:add_link]
+          response.headers['Link'] = '<https://example.com>;rel=preconnect'
+        end
+
+        render plain: ''
+      end
+    end
+
+    subject(:response) { get :index }
+    let(:processed_links) do
+      response.headers['Link'].split(',').map { |link| link.split(';').map(&:chomp) }
+    end
+
+    it 'adds resource hints for recaptcha to response headers' do
+      response
+
+      expect(processed_links).to match_array(
+        [
+          ['<https://www.google.com>', 'rel=preconnect'],
+          ['<https://www.gstatic.com>', 'rel=preconnect', 'crossorigin'],
+        ],
+      )
+    end
+
+    context 'with existing link header' do
+      subject(:response) { get :index, params: { add_link: '' } }
+
+      it 'appends new resource hints' do
+        response
+
+        expect(processed_links).to match_array(
+          [
+            ['<https://example.com>', 'rel=preconnect'],
+            ['<https://www.google.com>', 'rel=preconnect'],
+            ['<https://www.gstatic.com>', 'rel=preconnect', 'crossorigin'],
+          ],
+        )
+      end
+    end
+  end
 end

spec/controllers/users/phone_setup_controller_spec.rb

@@ -292,4 +292,26 @@
       end
     end
   end
+
+  describe 'after actions' do
+    before { stub_sign_in }
+
+    it 'does not add recaptcha resource hints' do
+      expect(subject).not_to receive(:add_recaptcha_resource_hints)
+
+      get :index
+    end
+
+    context 'recaptcha enabled' do
+      before do
+        allow(FeatureManagement).to receive(:phone_recaptcha_enabled?).and_return(true)
+      end
+
+      it 'adds recaptcha resource hints' do
+        expect(subject).to receive(:add_recaptcha_resource_hints)
+
+        get :index
+      end
+    end
+  end
 end