[wp-xmlrpc] WordPress.com images can't be loaded for "Private" blogs

[Daniel Jalkut]

I think this only applies to WordPress.com blogs, which makes it a little tougher for me to thoroughly investigate and figure out what all the options are, but I wanted to raise the question here as I know this list has a readership that spans both the .org and .com developer communities.

A WordPress.com customer observed an awkward behavior in MarsEdit when editing a post from a private blog: although MarsEdit is able to authenticate and download, via the XMLRPC API, the content of the post for editing, any referenced images fail to load because they are loaded outside the scope of the API, and because no "logged in" cookie is set when you connect via the API.

I can imagine WordPress doesn't want to open up to the security risks of setting the LOGGED_IN_COOKIE on behalf of any authenticated XMLRPC request, but I want to raise a question about related content from posts, and how access to them might be opened up for API clients:

Would it make sense to introduce a new cookie, like READ_ACCESS_COOKIE, or something, that gives a client the privilege to access content over HTTP as if they were logged in, but doesn't give any further credentials to e.g. manipulate the blog via wp-admin URLs? If any authenticated XMLRPC request issued a READ_ACCESS_COOKIE, then clients such as MarsEdit could perpetuate that cookie in any requests for referenced resources, such as images.

Currently the ugly workaround from my end would be to simulate a web admin login (since the credentials are the same), to get a LOGGED_IN_COOKIE that I could use for the image requests. This is something I could do carefully to avoid any security compromise, but obviously it would be better to keep the user's blog as secure as possible by sticking to the appropriate API.

Thanks for your consideration of this issue and how it might be best addressed on WordPress.com and possibly in future updates of the open source product.

Daniel