[wp-xmlrpc] WordPress.com images can't be loaded for "Private" blogs

Daniel Jalkut jalkut at red-sweater.com
Sun Dec 18 17:48:09 UTC 2011

Thanks, Danilo! Unfortunately this workaround still opens up access to the whole site though, right? I.e. there is no granularity to the cookie that you receive after logging in, even though you have specified a redirect link.

It's good to know you are using this workaround in the official apps, because it will make a good point of reference for discussing the possibility of a more secure solution.


On Dec 16, 2011, at 4:14 AM, Danilo Ercoli wrote:

> Hi Daniel,
> If the post is already published you can use the WordPress login form
> with the redirect_to parameter set to the permaLink of the post.
> WordPress for ( BlackBerry | iOS | webOS | Android ) already use this
> "workaround" to access the preview of private and draft posts.
> Danilo.
> 2011/12/15 Daniel Jalkut <jalkut at red-sweater.com>:
>> I think this only applies to WordPress.com blogs, which makes it a little tougher for me to thoroughly investigate and figure out what all the options are, but I wanted to raise the question here as I know this list has a readership that spans both the .org and .com developer communities.
>> A WordPress.com customer observed an awkward behavior in MarsEdit when editing a post from a private blog: although MarsEdit is able to authenticate and download, via the XMLRPC API, the content of the post for editing, any referenced images fail to load because they are loaded outside the scope of the API, and because no "logged in" cookie is set when you connect via the API.
>> I can imagine WordPress doesn't want to open up to the security risks of setting the LOGGED_IN_COOKIE on behalf of any authenticated XMLRPC request, but I want to raise a question about related content from posts, and how access to them might be opened up for API clients:
>> Would it make sense to introduce a new cookie, like READ_ACCESS_COOKIE, or something, that gives a client the privilege to access content over HTTP as if they were logged in, but doesn't give any further credentials to e.g. manipulate the blog via wp-admin URLs? If any authenticated XMLRPC request issued a READ_ACCESS_COOKIE, then clients such as MarsEdit could perpetuate that cookie in any requests for referenced resources, such as images.
>> Currently the ugly workaround from my end would be to simulate a web admin login (since the credentials are the same), to get a LOGGED_IN_COOKIE that I could use for the image requests. This is something I could do carefully to avoid any security compromise, but obviously it would be better to keep the user's blog as secure as possible by sticking to the appropriate API.
>> Thanks for your consideration of this issue and how it might be best addressed on WordPress.com and possibly in future updates of the open source product.
>> Daniel
>> _______________________________________________
>> wp-xmlrpc mailing list
>> wp-xmlrpc at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-xmlrpc
> -- 
> Danilo Ercoli
> http://about.me/daniloercoli
> Mobile +39 349-3126350
> Email: ercoli at gmail.com
> Skype: danilo.ercoli
> Twitter: daniloercoli
> ------------------------------------
> _______________________________________________
> wp-xmlrpc mailing list
> wp-xmlrpc at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-xmlrpc

More information about the wp-xmlrpc mailing list