Automattic · westi · Apr 1, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/client/blocks/login/utils/get-blackbox-session-id.js b/client/blocks/login/utils/get-blackbox-session-id.js
@@ -6,12 +6,29 @@
  * third-party script misbehaves — Blackbox must never block login.
  * @returns {Promise<string|undefined>} Session ID, or undefined on failure.
  */
+async function runBlackboxCollect() {
+	if ( ! window.Blackbox?.collect ) {
+		return;
+	}
+
+	try {
+		const out = window.Blackbox.collect();
+		if ( out && typeof out.then === 'function' ) {
+			await Promise.race( [ out, new Promise( ( resolve ) => setTimeout( resolve, 2000 ) ) ] );
+		}
+	} catch {
+		// Intentionally ignored — Blackbox must never block login.
+	}
+}
+
 export async function getBlackboxSessionId() {
 	if ( ! window.Blackbox?.getSessionId ) {
 		return undefined;
 	}
 
 	try {
+		await runBlackboxCollect();
+
 		const result = await Promise.race( [
 			window.Blackbox.getSessionId(),
 			new Promise( ( resolve ) => setTimeout( resolve, 2000 ) ),

diff --git a/client/blocks/login/utils/test/get-blackbox-session-id.js b/client/blocks/login/utils/test/get-blackbox-session-id.js
@@ -0,0 +1,62 @@
+/**
+ * @jest-environment jsdom
+ */
+import { getBlackboxSessionId } from '../get-blackbox-session-id';
+
+describe( 'getBlackboxSessionId', () => {
+	afterEach( () => {
+		delete window.Blackbox;
+	} );
+
+	test( 'calls collect before getSessionId when both exist', async () => {
+		const order = [];
+		window.Blackbox = {
+			collect: jest.fn( () => {
+				order.push( 'collect' );
+			} ),
+			getSessionId: jest.fn( () => {
+				order.push( 'getSessionId' );
+				return Promise.resolve( 'session-id' );
+			} ),
+		};
+
+		await expect( getBlackboxSessionId() ).resolves.toBe( 'session-id' );
+		expect( order ).toEqual( [ 'collect', 'getSessionId' ] );
+	} );
+
+	test( 'works when collect is missing', async () => {
+		window.Blackbox = {
+			getSessionId: jest.fn( () => Promise.resolve( 'session-id' ) ),
+		};
+
+		await expect( getBlackboxSessionId() ).resolves.toBe( 'session-id' );
+		expect( window.Blackbox.getSessionId ).toHaveBeenCalled();
+	} );
+
+	test( 'awaits async collect before getSessionId', async () => {
+		const order = [];
+		window.Blackbox = {
+			collect: jest.fn( () =>
+				Promise.resolve().then( () => {
+					order.push( 'collect' );
+				} )
+			),
+			getSessionId: jest.fn( () => {
+				order.push( 'getSessionId' );
+				return Promise.resolve( 'session-id' );
+			} ),
+		};
+
+		await expect( getBlackboxSessionId() ).resolves.toBe( 'session-id' );
+		expect( order ).toEqual( [ 'collect', 'getSessionId' ] );
+	} );
+
+	test( 'returns undefined when getSessionId is missing', async () => {
+		window.Blackbox = {
+			collect: jest.fn(),
+		};
+
+		await expect( getBlackboxSessionId() ).resolves.toBeUndefined();
+		expect( window.Blackbox.collect ).not.toHaveBeenCalled();
+	} );
+} );
diff --git a/client/document/index.jsx b/client/document/index.jsx
@@ -133,6 +133,13 @@ class Document extends Component {
 			}
 		}
 
+		const isBlackboxLoginEnabled =
+			sectionName === 'login' &&
+			config.isEnabled( 'blackbox-login' ) &&
+			config( 'blackbox_api_key' );
+		const blackboxChallengeRootId = 'blackbox-challenge-root';
+		const blackboxChallengeRootSelector = `#${ blackboxChallengeRootId }`;
+
 		return (
 			<html lang={ lang } dir={ isRTL ? 'rtl' : 'ltr' }>
 				<Head
@@ -173,6 +180,7 @@ class Document extends Component {
 							/>
 						</div>
 					) }
+					{ isBlackboxLoginEnabled && <div id={ blackboxChallengeRootId } /> }
 					{ renderedLayout ? (
 						<div
 							id="wpcom"
@@ -259,16 +267,15 @@ class Document extends Component {
 						/>
 					) }
 
-					{ sectionName === 'login' &&
-						config.isEnabled( 'blackbox-login' ) &&
-						config( 'blackbox_api_key' ) && (
-							<script
-								nonce={ inlineScriptNonce }
-								defer
-								src={ config( 'blackbox_url' ) }
-								data-apikey={ config( 'blackbox_api_key' ) }
-							/>
-						) }
+					{ isBlackboxLoginEnabled && (
+						<script
+							nonce={ inlineScriptNonce }
+							defer
+							src={ config( 'blackbox_url' ) }
+							data-apikey={ config( 'blackbox_api_key' ) }
+							data-challenge-container={ blackboxChallengeRootSelector }
+						/>
+					) }
 
 					{ entrypoint?.language?.manifest && (
 						<script nonce={ inlineScriptNonce } src={ entrypoint.language.manifest } />

@@ -138,5 +138,11 @@ declare global {
 		};
 		currentUser?: User;
 		__REDUX_DEVTOOLS_EXTENSION__?: () => void;
+		/** Blackbox-js bot detection (login); loaded from blackbox-api.wp.com. */
+		Blackbox?: {
+			collect?: () => unknown;
+			getSessionId?: () => Promise< unknown >;
+			reset?: () => void;
+		};
 	}
 }