[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Wed Apr 19 13:18:45 GMT 2006


Ryan Boren wrote:
> Matt Mullenweg wrote:
>> Our first and best line of defense is always going to be around how we 
>> filter and display submitted HTML. This can also be easily tightened 
>> up without compromising the user experience.
> 
> The sole benefit, as I see it, of a nonce/key is to avoid the user 
> experience problems created by refer[r]er checks.  I certainly get tired 
> of answering the, "Help, how do I enable sending referrers"  questions. 
>   It is definitely a bar to entry for many.  Assuming equivalent 
> "security", which method means less support overhead and better user 
> experience?

Yes, the current message when the referer check fails is very ugly.  Can 
we get away with only replacing this message with a confirmation?  Is 
that possible?

If that's the case then clicking on nearly any link in the admin from a 
browser that doesn't provide a referer will produce that confirmation 
message.  I suppose being able to click through confirmations on every 
other page is more functional than the current die().

Or, we can replace the whole mess with nonces, which will work similarly 
to the referer checks for browsers that support that, and will allow 
non-supporting browsers to skip over those confirmations (or see only 
one, instead of one for every admin page view).  If done well, it can 
also add a bit more security than the current referer check provides, 
since it will verify based on the intended action, not just whether the 
last page viewed was an admin page.

In terms of decreasing required support and improving user experience, 
nonces are the way to go.  They remove the entire issue of explaining 
why it might not be possible to enable referers in browsers that don't 
support it or are behind a proxy or firewall.

Owen
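An action-bound nonce of the kind Owen describes, as an added illustration that is not part of the original thread or of WordPress's own code: the token is an HMAC over a time window, the specific action and the user, so a token minted for deleting one post does not authorise deleting another, and a browser that sends no referer header is unaffected. The secret, the 12-hour window and the `handle_delete` handler are constructed for this example; the `_wpnonce` parameter name mirrors WordPress's.

```python
import hmac
import hashlib
import time

# Constructed server-side secret for this example; a real site would use a
# random per-site key stored outside the code.
SECRET = b"example-site-secret-do-not-reuse"
TICK_SECONDS = 12 * 60 * 60  # a nonce stays valid for one to two windows


def _tick(now=None):
    """Current time window; the nonce is bound to this, not to an exact second."""
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def create_nonce(action, user_id, now=None):
    """Derive a short nonce bound to (window, action, user) with HMAC-SHA256."""
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, user_id, now=None):
    """True if the nonce matches this action and user in the current or previous window."""
    if not nonce:
        return False
    now = time.time() if now is None else now
    for window_time in (now, now - TICK_SECONDS):
        expected = create_nonce(action, user_id, window_time)
        if hmac.compare_digest(nonce, expected):  # constant-time comparison
            return True
    return False


def handle_delete(params, user_id, now=None):
    """Admin handler: act only if the request carries a nonce for this exact post.

    A missing or mismatched nonce yields a confirmation step rather than die().
    """
    post_id = params.get("post")
    action = f"delete-post_{post_id}"  # the intended action is part of the nonce
    if not verify_nonce(params.get("_wpnonce", ""), action, user_id, now):
        return "confirm"
    return f"deleted {post_id}"


if __name__ == "__main__":
    t0 = 1_000_000_000  # fixed clock so the run is reproducible
    token = create_nonce("delete-post_7", 1, t0)
    print(handle_delete({"post": "7", "_wpnonce": token}, 1, t0))  # deleted 7
    print(handle_delete({"post": "8", "_wpnonce": token}, 1, t0))  # confirm
```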
