On Thu, 14 Mar 2013 12:55:16 -0700, Brion Vibber <bvibber@wikimedia.org> wrote:

Text captchas will have a 'question' subfield to be presented; image
captchas will have a 'url' field which should be loaded as the image.
'type' and 'mime' will vary, and probably shouldn't be used too closely.

Some captchas (iirc ReCaptcha) won't give you easy access to the image. And this plan won't be compatible with the variety of new captcha types like the KittenAuth-like category of CAPTCHAs.
Differentiating between the types just to support text CAPTCHAs (which are really the easiest CAPTCHAs to break) also sounds unfortunate.

I should point out that I haven't invented this just now; this system has been in place for at least a couple of years for action=edit and action=login.

We might just have to do something that outputs a blob of html or a url to a html document (either perhaps as a frame url or a url to fetch the blob of html from).

*nod*

Let's make it a URL if possible; that can be exposed as an iframe in web apps or a web view of some kind for native apps, without exposing HTML injection.

If we get all the captcha plugins retrofitted it'd be great to document the system better for bot & client tool authors. :)

-- brion