[wp-trac] [WordPress Trac] #24447: Avoid losing data after nonces expire
WordPress Trac
noreply at wordpress.org
Wed Jun 5 22:42:40 UTC 2013
#24447: Avoid losing data after nonces expire
----------------------------+------------------
Reporter: azaozz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.6
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: |
----------------------------+------------------
Comment (by johnbillion):
A few of us were discussing this in `#wordpress-dev` after the meeting
tonight.
We could fetch a new nonce via an AJAX call that authenticates the user
and returns a nonce value for the required action(s). Currently this
happens [http://core.trac.wordpress.org/browser/tags/3.5.1/wp-admin/includes/ajax-actions.php#L1100 during autosave] but you only get a
new nonce if your current one is within the expiry period (12-24 hours).
The current autosave nonce needs to be checked here to verify intent to
make an autosave, but the other nonces don't need to be verified.
Authentication is enough.
We should generate new nonces for `update_post`, autosave, and whatever
others there are (metaboxes etc). The autosave then fires again
immediately with the new autosave nonce.
Thoughts? Does this inadvertently circumvent the autosave intent? I don't
think it does. It's no different to requesting the edit screen and
grabbing the nonce out of the HTML.
Thoughts?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24447#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
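The refresh endpoint johnbillion describes, written out as an added example (this is not WordPress core code or code from the ticket): a hypothetical admin-ajax action `refresh_post_nonces` that gates on authentication and the `edit_post` capability only, and returns fresh nonces for an allowlist of actions. The field and action names are assumed to match what the edit screen of that era emits.

```php
<?php
// Added example, not WordPress core code. Registers a hypothetical admin-ajax
// action 'refresh_post_nonces' that returns fresh nonces for the edit screen.
// Assumes it runs inside a WordPress install (for example as a plugin).
// wp_ajax_* hooks only fire for logged-in users; anonymous requests never reach it.

add_action( 'wp_ajax_refresh_post_nonces', 'example_refresh_post_nonces' );

/**
 * Only actions in this allowlist may be refreshed, so the endpoint cannot be
 * asked to mint a nonce for an arbitrary action. Keys are the hidden field
 * names the edit screen uses; values are the nonce actions (assumed to match
 * wp-admin/edit-form-advanced.php of this era).
 */
function example_refreshable_nonce_actions( $post_id ) {
    return array(
        '_wpnonce'             => 'update-post_' . $post_id,
        'autosavenonce'        => 'autosave',
        'closedpostboxesnonce' => 'closedpostboxes',
        'meta-box-order-nonce' => 'meta-box-order',
    );
}

function example_refresh_post_nonces() {
    // No nonce is verified here, by design: an expired nonce is the situation
    // being recovered from. Authentication plus a capability check on the
    // target post is the gate, which is exactly what loading the edit screen
    // and reading the nonce out of its HTML already requires.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ) );
    }

    $fresh = array();
    foreach ( example_refreshable_nonce_actions( $post_id ) as $field => $action ) {
        $fresh[ $field ] = wp_create_nonce( $action );
    }

    // The client replaces each hidden input named $field with the new value and
    // then fires the autosave again immediately, as proposed in the comment.
    // The autosave handler itself keeps verifying 'autosavenonce', so intent
    // for the autosave is still checked against a fresh, user-bound nonce.
    wp_send_json_success( array( 'post_id' => $post_id, 'nonces' => $fresh ) );
}
```

Because admin-ajax responses are not readable cross-origin, a third-party page cannot use this endpoint to obtain a nonce on the user's behalf; the allowlist keeps it from becoming a general nonce-minting service for unrelated actions.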