[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers
WordPress Trac
wp-trac at lists.automattic.com
Sat Apr 22 23:11:45 GMT 2006
#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
Id: 2678 | Status: new
Component: Administration | Modified: Sat Apr 22 23:11:45 2006
Severity: normal | Milestone:
Priority: normal | Version: 2.1
Owner: anonymous | Reporter: ringmaster
----------------------------+-----------------------------------------------
Comment (by ryan):
Looking good to me. Another +1 for making create and verify pluggable.
To ease transition for plugins, especially if this goes into 2.0.3, can we
fall back to the old referrer check if an action is not specified? If an
action is specified, we would insist on a nonce and only a nonce since
this safeguards untrusted links present on an admin page by requiring
confirmation. All checks in WP itself would specify an action, of course.
Only old plugins would use the less secure fallback-to-referrer method.
--
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
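A stand-alone model of the policy proposed in the comment above, added here as an example (it is not WordPress's own code): nonces are HMACs bound to an action, a user and a time window; when the check names an action only a valid nonce passes and the Referer is ignored, and when no action is given the request falls back to the legacy referer check. The secret, the admin host, the `_wpnonce` field name and the two-window grace period are assumptions for the example.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed values for the example; a real deployment uses a long random secret.
SECRET = b"example-secret-not-for-production"
ADMIN_HOST = "example.org"


def create_nonce(action, user_id, tick, secret=SECRET):
    """Nonce bound to an action, a user and a time window (tick)."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, action, user_id, tick, secret=SECRET):
    """Accept nonces from the current or the previous tick, so a form loaded
    just before a window boundary still submits (assumed grace period)."""
    for t in (tick, tick - 1):
        if hmac.compare_digest(nonce, create_nonce(action, user_id, t, secret)):
            return True
    return False


def referer_allowed(referer):
    """Legacy check: the Referer header must point at the admin host."""
    if not referer:
        return False
    return urlparse(referer).hostname == ADMIN_HOST


def check_request(params, headers, user_id, tick, action=None):
    """Policy from the ticket: an action means nonce-only (an untrusted link
    on an admin page carries the right Referer but no nonce, so it fails);
    no action means the old referer check applies for legacy plugins."""
    if action is not None:
        return verify_nonce(params.get("_wpnonce", ""), action, user_id, tick)
    return referer_allowed(headers.get("Referer"))
```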