[wp-hackers] Rethinking check_admin_referer()
Ryan Boren
ryan at boren.nu
Wed Apr 19 05:40:00 GMT 2006
Matt Mullenweg wrote:
> Our first and best line of defense is always going to be around how we
> filter and display submitted HTML. This can also be easily tightened up
> without compromising the user experience.
The sole benefit, as I see it, of a nonce/key is to avoid the user
experience problems created by refer[r]er checks. I certainly get tired
of answering the, "Help, how do I enable sending referrers" questions.
It is definitely a bar to entry for many. Assuming equivalent
"security", which method means less support overhead and better user
experience?
Ryan
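As an added illustration of the trade-off Ryan raises (this is example code written for this page, not code from the thread or from WordPress), the PHP below puts a referrer check next to an HMAC action nonce; the secret, user id, action name and 12-hour lifetime are assumptions chosen for the demo.

```php
<?php
// Added example, not WordPress code: contrast a referrer check with an
// HMAC-based action nonce, the two CSRF defences compared in the thread.
// Secret, lifetime, user id and action name below are demo assumptions.

const NONCE_SECRET = 'replace-with-a-per-site-secret'; // assumption: per-site key
const NONCE_LIFE   = 43200;                            // assumption: 12 hours

// Referrer check: rejects any request whose Referer is missing or off-site.
// A browser, proxy or privacy extension that strips Referer fails here even
// though the user is legitimate; this is the support-question case.
function referer_ok(array $headers, string $site_host): bool {
    if (empty($headers['Referer'])) {
        return false;
    }
    return parse_url($headers['Referer'], PHP_URL_HOST) === $site_host;
}

// Nonce: HMAC over (time tick, action, user). It rides inside the form or
// link, so it needs no cooperation from the browser to survive.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function create_nonce(string $action, int $user_id, int $now): string {
    return hash_hmac('sha256', nonce_tick($now) . "|$action|$user_id", NONCE_SECRET);
}

// Accept the current tick and the previous one so a form loaded just before
// a tick boundary can still be submitted; compare in constant time.
function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = hash_hmac('sha256', "$t|$action|$user_id", NONCE_SECRET);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed requests: a legitimate submit whose Referer was stripped, and
// a cross-site request that carries no valid nonce for this action/user.
$now    = time();
$legit  = ['Referer' => '', 'nonce' => create_nonce('delete-post_7', 42, $now)];
$forged = ['Referer' => 'http://attacker.example/', 'nonce' => 'guess'];

var_dump(referer_ok($legit, 'blog.example'));                        // stripped Referer
var_dump(verify_nonce($legit['nonce'], 'delete-post_7', 42, $now));  // same request, nonce path
var_dump(verify_nonce($forged['nonce'], 'delete-post_7', 42, $now)); // forged request
```

The first dump shows the referrer check turning away a legitimate user, while the nonce check accepts that same request and still rejects the forgery, which is the "equivalent security, better user experience" claim in concrete form.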