[wp-hackers] Rethinking check_admin_referer()
Owen Winkler
ringmaster at midnightcircus.com
Wed Apr 19 13:18:45 GMT 2006
Ryan Boren wrote:
> Matt Mullenweg wrote:
>> Our first and best line of defense is always going to be around how we
>> filter and display submitted HTML. This can also be easily tightened
>> up without compromising the user experience.
>
> The sole benefit, as I see it, of a nonce/key is to avoid the user
> experience problems created by refer[r]er checks. I certainly get tired
> of answering the, "Help, how do I enable sending referrers" questions.
> It is definitely a bar to entry for many. Assuming equivalent
> "security", which method means less support overhead and better user
> experience?
Yes, the current message when the referer check fails is very ugly. Can
we get away with only replacing this message with a confirmation? Is
that possible?
If that's the case then clicking on nearly any link in the admin from a
browser that doesn't provide a referer will produce that confirmation
message. I suppose being able to click through confirmations on every
other page is more functional than the current die().
Or, we can replace the whole mess with nonces, which will work similarly
to the referer checks for browsers that support that, and will allow
non-supporting browsers to skip over those confirmations (or see only
one, instead of one for every admin page view). If done well, it can
also add a bit more security than the current referer check provides,
since it will verify based on the intended action, not just whether the
last page viewed was an admin page.
In terms of decreasing required support and improving user experience,
nonces are the way to go. They remove the entire issue of explaining
why it might not be possible to enable referers in browsers that don't
support it or are behind a proxy or firewall.
Owen