I ran into this and I didn’t expect it.
For private reasons I am using a VPN and I block all non-essential JS.
I was trying to log into drupal.org after several months of inactivity.
My goal was to answer an issue I created.
Trying to do this I was made to complete a captcha-challenge which required me to load Alphabet's JS for completion of the captcha-challenge.
I understand why this is the case, and for legitimate reasons I do not mind, but prior to logging in, blocking all access to the site once you tried to access the login-page.
You can wait until the client logs in and then based on the number of posts they created in a given timeframe, rating, etc. you can supply this Captcha-challenge, after you know who is logging in. All good and well but doing this prior to anything is just distasteful IMHO.
After all, bots only do harm if they can post content.
drupal.org is publicly accessible so bots may index it.
If binding of resources is of concern, there is rate-limiting.
So the question I am ranting about here is:
What is the explanation for this behaviour and how is it justified?