[wp-trac] [WordPress Trac] #37569: REST API: refresh expired nonces
WordPress Trac
noreply at wordpress.org
Tue Oct 17 14:22:27 UTC 2017
#37569: REST API: refresh expired nonces
-----------------------------------------------+---------------------------
 Reporter: iseulde                             | Owner:
     Type: enhancement                         | Status: new
 Priority: normal                              | Milestone: Future Release
Component: REST API                            | Version: 4.4
 Severity: normal                              | Resolution:
 Keywords: needs-docs dev-feedback has-patch   | Focuses:
-----------------------------------------------+---------------------------
Comment (by iseulde):
See https://github.com/WordPress/gutenberg/pull/3006#issuecomment-337241027.
We wouldn't require anything. It's the same mechanism as a page refresh,
which checks if the user is still logged in and has the right capabilities
to otherwise get the nonce on first page load. It's like requesting the
same page in JS and then parsing the right nonce out of it*. :) May be
a good idea to pass by other security team members, but as far as I see,
this is no problem.
As of https://github.com/WordPress/gutenberg/pull/2790, we're already
doing it without requiring anything.
*
{{{
// URL passed as a string; the session cookie is sent because of credentials: "same-origin"
fetch( 'http://wordpress.test/wp-admin/admin.php?page=gutenberg-demo',
{credentials: "same-origin"})
}}}
would return:
{{{
<!DOCTYPE html>
/* ... */
<script type='text/javascript'>
var wpApiSettings = {"root":"http:\/\/wordpress.test\/wp-json\/","nonce":"...","versionString":"wp\/v2\/"};
</script>
/* ... */
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37569#comment:26>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
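The refresh-by-refetch flow the comment describes, as an added example in JavaScript that is not part of the ticket or of Gutenberg's own code: it re-fetches the admin page with the session cookie, parses the nonce out of the inline wpApiSettings script, and retries a REST call once when the server answers 403. The admin URL and the sample page HTML are constructed for this example, and fetchImpl is passed in so a mock can stand in for the browser's fetch.

```javascript
// Added example, not code from the ticket. ADMIN_URL and SAMPLE_ADMIN_HTML are constructed.
const ADMIN_URL = 'http://wordpress.test/wp-admin/admin.php?page=gutenberg-demo';

// Constructed sample of the admin page HTML the comment shows (the nonce value is made up).
const SAMPLE_ADMIN_HTML = `<!DOCTYPE html>
<html><head>
<script type='text/javascript'>
var wpApiSettings = {"root":"http:\\/\\/wordpress.test\\/wp-json\\/","nonce":"0123abcd45","versionString":"wp\\/v2\\/"};
</script>
</head><body></body></html>`;

// Pull the wpApiSettings object out of the page and return its nonce.
// The JSON is parsed as a whole rather than grabbing the nonce with a regex,
// so the escaped slashes in "root" cannot confuse the match.
function parseApiNonce(html) {
  const m = /var wpApiSettings\s*=\s*(\{[^\n]*\});/.exec(html);
  if (!m) throw new Error('wpApiSettings not found: not logged in or no REST script on the page');
  const settings = JSON.parse(m[1]);
  if (typeof settings.nonce !== 'string' || settings.nonce === '') throw new Error('nonce missing');
  return settings.nonce;
}

// Re-request the admin page with the session cookie. If the session itself has
// expired WordPress redirects to wp-login.php; that is surfaced as an error
// instead of silently returning a bogus nonce.
async function refreshNonce(fetchImpl, adminUrl = ADMIN_URL) {
  const res = await fetchImpl(adminUrl, { credentials: 'same-origin' });
  if (!res.ok || /wp-login\.php/.test(res.url || '')) throw new Error('session expired: re-authenticate');
  return parseApiNonce(await res.text());
}

// Send a REST request carrying X-WP-Nonce; on a 403 (what WordPress returns for
// an invalid or expired cookie nonce) refresh the nonce once and retry.
async function restFetch(fetchImpl, url, nonce, init = {}) {
  const send = (n) => fetchImpl(url, { ...init, credentials: 'same-origin',
    headers: { ...(init.headers || {}), 'X-WP-Nonce': n } });
  let res = await send(nonce);
  if (res.status === 403) {
    nonce = await refreshNonce(fetchImpl);
    res = await send(nonce);
  }
  return { response: res, nonce };
}
```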