[wp-trac] [WordPress Trac] #42948: Backbone client sending empty string in X-WP-Nonce header by default in some cases

WordPress Trac noreply at wordpress.org
Wed Dec 20 17:21:35 UTC 2017 

#42948: Backbone client sending empty string in X-WP-Nonce header by default in
some cases
--------------------------+-----------------------------
 Reporter:  FPCSJames     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  4.9.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 '''Environment'''

 I run several instances of "headless" WP 4.9.1, all with the same
 configuration and set of plugins. All are hosted in a fairly standard
 shared environment, running CloudLinux + cPanel; LiteSpeed and LSPHP are
 in use with PHP version 7.0.x (latest stable). These instances feed
 Backbone client deployments on other domains, which are loading the
 versions of jQuery, Underscore, Backbone, and the Backbone client (wp-
 api.js) as included in WP. No authentication is being performed as the
 script only fetches public posts.

 '''Issue/Steps'''

 One of these deployments started to fail to load single posts (collections
 continued to work fine). I set {{{Header add Access-Control-Allow-Headers
 "x-wp-nonce"}}} in .htaccess (which was never previously necessary, as my
 script does not send a nonce); this produced a 403 with error code
 {{{rest_cookie_invalid_nonce}}}. I eventually discovered that this was
 because an empty string was being sent in the X-WP-Nonce header.

 '''Possible source of issue'''

 [https://pastebin.com/1c8xMCH5 This function] appears at line 828 of wp-
 api.js as of 4.9.1. When the server sends a X-WP-Nonce header with a
 response, the base model will compare it with the existing value (which is
 either undefined or null) and if it doesn't match, set it. This is causing
 the empty string to be stored, and sent on subsequent requests.

 '''Workaround'''

 To work around this, I changed my code from:

 {{{
 data.model.on("sync", function() {
    data.view = new Views.SingleView({
       model: data.model
    });
    data.view.render()
 });
 }}}

 to

 {{{
 data.model.endpointModel.set('nonce', null);
 data.model.on("sync", function() {
    data.view = new Views.SingleView({
       model: data.model
    });
    data.view.render()
    data.model.endpointModel.set('nonce', null);
 });
 }}}

 thereby setting the nonce to null before and after each sync. It appears
 that, in wp-api.js, the line:

 {{{ if ( _.isFunction( model.nonce ) && ! _.isUndefined( model.nonce() )
 && ! _.isNull( model.nonce() ) ) { }}}

 should be modified to check if model.nonce() returns an empty string by
 adding {{{ && ! _.isBlank( model.nonce() ) }}} or chaning {{{_.isNull}}}
 to {{{_.isBlank}}}.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42948>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list