[wp-xmlrpc] WordPress.com images can't be loaded for "Private" blogs

Joseph Scott joseph at josephscott.org
Thu Dec 15 20:46:01 UTC 2011

I think you could reproduce this using a WordPress.org install with
network feature enabled.

A read only cookie could be a reasonable option.  For a private site
though, even read only access could be dangerous (exposing data they
don't want exposed).  The weekly dev chat may be a good place to bring
this up, see what the core devs think of it.

On Thu, Dec 15, 2011 at 11:43 AM, Daniel Jalkut <jalkut at red-sweater.com> wrote:
> I think this only applies to WordPress.com blogs, which makes it a little tougher for me to thoroughly investigate and figure out what all the options are, but I wanted to raise the question here as I know this list has a readership that spans both the .org and .com developer communities.
> A WordPress.com customer observed an awkward behavior in MarsEdit when editing a post from a private blog: although MarsEdit is able to authenticate and download, via the XMLRPC API, the content of the post for editing, any referenced images fail to load because they are loaded outside the scope of the API, and because no "logged in" cookie is set when you connect via the API.
> I can imagine WordPress doesn't want to open up to the security risks of setting the LOGGED_IN_COOKIE on behalf of any authenticated XMLRPC request, but I want to raise a question about related content from posts, and how access to them might be opened up for API clients:
> Would it make sense to introduce a new cookie, like READ_ACCESS_COOKIE, or something, that gives a client the privilege to access content over HTTP as if they were logged in, but doesn't give any further credentials to e.g. manipulate the blog via wp-admin URLs? If any authenticated XMLRPC request issued a READ_ACCESS_COOKIE, then clients such as MarsEdit could perpetuate that cookie in any requests for referenced resources, such as images.
> Currently the ugly workaround from my end would be to simulate a web admin login (since the credentials are the same), to get a LOGGED_IN_COOKIE that I could use for the image requests. This is something I could do carefully to avoid any security compromise, but obviously it would be better to keep the user's blog as secure as possible by sticking to the appropriate API.
> Thanks for your consideration of this issue and how it might be best addressed on WordPress.com and possibly in future updates of the open source product.
> Daniel
> _______________________________________________
> wp-xmlrpc mailing list
> wp-xmlrpc at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-xmlrpc

Joseph Scott
joseph at josephscott.org

More information about the wp-xmlrpc mailing list