[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers

WordPress Trac wp-trac at lists.automattic.com
Sat Apr 22 23:11:45 GMT 2006


#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
       Id:  2678            |      Status:  new                     
Component:  Administration  |    Modified:  Sat Apr 22 23:11:45 2006
 Severity:  normal          |   Milestone:                          
 Priority:  normal          |     Version:  2.1                     
    Owner:  anonymous       |    Reporter:  ringmaster              
----------------------------+-----------------------------------------------
Comment (by ryan):

 Looking good to me.  Another +1 for making create and verify pluggable.

 To ease transition for plugins, especially if this goes into 2.0.3, can we
 fall back to the old referrer check if an action is not specified?  If an
 action is specified, we would insist on a nonce and only a nonce since
 this safeguards untrusted links present on an admin page by requiring
 confirmation.  All checks in WP itself would specify an action, of course.
 Only old plugins would use the less secure fallback-to-referrer method.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
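The verification policy ryan describes (a nonce is mandatory whenever an action is named, and the referrer check survives only as a fallback for legacy callers that pass no action) is sketched below as an added illustration. This is not WordPress code and not the patch under discussion: the `example_*` function names, the `_wpnonce` field, the HMAC construction, the tick-based lifetime and the constructed secret are all assumptions made for the example.

```php
<?php
// Added illustration, not WordPress's own implementation: nonce-first
// verification with a referrer fallback only when no action is supplied.

// Constructed secret for the example; a real deployment derives it from
// installation-specific key material rather than a literal in source.
const EXAMPLE_NONCE_SECRET = 'constructed-secret-for-illustration-only';

// A nonce stays valid for the current and the previous tick, so a form that
// sat open across a tick boundary still submits successfully.
const EXAMPLE_TICK_SECONDS = 12 * 3600;

function example_nonce_tick(int $now): int {
    return intdiv($now, EXAMPLE_TICK_SECONDS);
}

// The nonce binds the action and the acting user to a time window, so a
// token minted for one action or one user cannot be replayed for another.
function example_nonce_for_tick(int $tick, string $action, int $user_id): string {
    $mac = hash_hmac('sha256', "$tick|$action|$user_id", EXAMPLE_NONCE_SECRET);
    return substr($mac, 0, 16);
}

function example_create_nonce(string $action, int $user_id, int $now): string {
    return example_nonce_for_tick(example_nonce_tick($now), $action, $user_id);
}

function example_verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = example_nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        // Constant-time comparison so the check does not leak via timing.
        if (hash_equals(example_nonce_for_tick($t, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// The legacy check: the request must claim to come from an admin page.
// The Referer header is client-controlled, which is why the comment wants it
// accepted only when no action is available.
function example_referer_ok(?string $referer, string $admin_url): bool {
    return $referer !== null && strpos($referer, $admin_url) === 0;
}

// Policy from the comment: with an action, insist on a nonce and only a
// nonce; without an action (old plugin), fall back to the referrer check.
function example_check_request(array $request, ?string $action, int $user_id,
                               int $now, string $admin_url): bool {
    if ($action !== null) {
        $nonce = $request['_wpnonce'] ?? '';
        return $nonce !== '' && example_verify_nonce($nonce, $action, $user_id, $now);
    }
    return example_referer_ok($request['HTTP_REFERER'] ?? null, $admin_url);
}

// Constructed demo requests against a constructed admin URL.
$now   = time();
$admin = 'http://example.test/wp-admin/';
$nonce = example_create_nonce('delete-post_42', 7, $now);

// Nonce present and matching the named action: passes.
var_dump(example_check_request(['_wpnonce' => $nonce], 'delete-post_42', 7, $now, $admin));
// Action named but only a referrer supplied: the fallback is not available.
var_dump(example_check_request(['HTTP_REFERER' => $admin . 'edit.php'], 'delete-post_42', 7, $now, $admin));
// No action (legacy plugin): the referrer check decides.
var_dump(example_check_request(['HTTP_REFERER' => $admin . 'edit.php'], null, 7, $now, $admin));
// Nonce minted for a different action: rejected.
var_dump(example_check_request(['_wpnonce' => $nonce], 'delete-post_43', 7, $now, $admin));
```

Run it with `php example.php`; the four `var_dump` calls exercise the two branches of the policy and the action binding of the nonce. Making `example_create_nonce` and `example_verify_nonce` the only places that touch the secret is what keeps the pair pluggable, as the comment asks for: a site can swap both for its own construction without touching any caller.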

