[wp-trac] [WordPress Trac] #23295: Improved login expiration warning
WordPress Trac
noreply at wordpress.org
Sun Mar 17 00:05:16 UTC 2013
#23295: Improved login expiration warning
-------------------------------------------------+------------------
 Reporter:  mintindeed                           |       Owner:
     Type:  task (blessed)                       |      Status:  new
 Priority:  normal                               |   Milestone:  3.6
Component:  Autosave                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  autosave-redo has-patch ui-feedback  |
-------------------------------------------------+------------------
Comment (by azaozz):
Been thinking how to organize this code better. This dialog is shown very
rarely, it's not warranted loading the html, css and js on all screens all
the time. Currently most of it is sent through heartbeat and injected into
the DOM. This is acceptable for testing but not a good idea for
production.

Another big concern is that there may be "frame busting" JS on the Log In
screen added by a plugin as defence against click-jacking. These JS
snippets were quite popular a couple of years ago, still see them around
although they are not very effective. If that happens, the Log In screen
will open instead of the iframe and the user will lose any unsaved
changes (and our "You will not move away from this screen" looks really
silly).

To work around that we can use an XHR instead of having an iframe (XHRs
can be used to set cookies). Another technique is to create an iframe then
submit a <form> with `target="iframe-name"`. In this case the main page is
not reloaded and cookies are set as usual. The only problem with these
approaches is that if there is branding on the Log In screen, it will have
to be applied to the "local" log in form, i.e. some themes and/or plugins
would need to be updated.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23295#comment:37>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
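
The form-with-`target` technique described in the comment above, as an added example that is not part of the original message and not WordPress core code. The function name, the `wp-auth-frame` frame name and the same-origin check are assumptions of this example; `log` and `pwd` are the field names of the standard WordPress login form.

```javascript
// Added example, not WordPress core code. buildTargetedLoginForm, the frame
// name and the same-origin check are assumptions of this sketch; "log" and
// "pwd" are the field names of the standard WordPress login form.

// Build a hidden iframe and a login form that targets it by name. The POST
// response, including any Set-Cookie headers, loads inside the iframe, so the
// top-level page holding the unsaved edits is never navigated.
// `doc` is passed in so the function can also run outside a browser.
function buildTargetedLoginForm(doc, loginUrl, frameName, pageUrl) {
  // Resolve the action against the current page and refuse to send
  // credentials to any origin other than the one the user is already on.
  const action = new URL(loginUrl, pageUrl);
  if (action.origin !== new URL(pageUrl).origin) {
    throw new Error('login form action must be same-origin: ' + action.origin);
  }

  const iframe = doc.createElement('iframe');
  iframe.name = frameName;          // the form's target is matched on this name
  iframe.style.display = 'none';

  const form = doc.createElement('form');
  form.method = 'post';
  form.action = action.href;
  form.target = frameName;          // the response navigates the iframe only

  for (const [name, type] of [['log', 'text'], ['pwd', 'password']]) {
    const input = doc.createElement('input');
    input.name = name;
    input.type = type;
    form.appendChild(input);
  }
  return { iframe, form };
}

// Browser usage (the iframe must be in the DOM before the form is submitted):
//   const { iframe, form } = buildTargetedLoginForm(
//     document, '/wp-login.php', 'wp-auth-frame', location.href);
//   document.body.append(iframe, form);
```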