Comments on: Nonces and WordPress

By: Paul Mitchell aka Libertus

Paul Mitchell aka Libertus — Fri, 02 Jun 2006 21:27:52 +0000

I tend to check validity once or twince when invited to do so by such quality statements as "Valid XHTML". Truly caught my attention.

The page validated. I'm looking at the plugin.

By: Rudd-O

Rudd-O — Fri, 02 Jun 2006 19:04:34 +0000

It’s okay, David. You were right all along. Thanks for the swift heads-up — you made me realize my mistake early enough.

By: David House

David House — Fri, 02 Jun 2006 19:02:44 +0000

For the record, I’ll take back my first commen, now you’ve amended your post:

“Instead of implementing nonces” -> “Instead of implmenting nonces alone”

I’m in accord with the latter.

By: Rudd-O

Rudd-O — Fri, 02 Jun 2006 18:55:28 +0000

BTW, which IRC server is #wordpress in?

By: Rudd-O

Rudd-O — Fri, 02 Jun 2006 18:54:27 +0000

Hope you didn’t catch the page in an invalid state. Been editing and “Saving and continuing” just right now.

To everyone in this post: thanks for your contributions and comments.

By: Paul Mitchell aka Libertus

Paul Mitchell aka Libertus — Fri, 02 Jun 2006 18:52:39 +0000

Truly Valid. Very nice.

By: Rudd-O

Rudd-O — Fri, 02 Jun 2006 18:51:25 +0000

Thanks for your contribution, David.

But I'm still convinced that nonces should have been introduced with the corresponding move to POSTs. As you can see, rather than disagreeing, we agree on the basic issues.

By: Paul Mitchell aka Libertus

Paul Mitchell aka Libertus — Fri, 02 Jun 2006 18:49:52 +0000

ringmaster on #wordpress linked the channel to your site, which is how I found you.

The GET/POST stuff will be cleaned up over time, especially if people with the necessary programmming skills and technical knowledge have time and effort to donate to the project, which is heartily encouraged by the core developers.

Nonces solve a more fundamental problem than the rather odd battle between GET and POST for idempotent actions. Nonces create a stronger cause-and-effect link between the page delivered and the action generated, discouraging and perhaps even negating the possibility of some computer-based attacks on your blog via your WordPress login cookies, especially if HTTP referer checks have been disabled.

Pity about the choice of name. http://urbandictionary.com/nonce

By: David House

David House — Fri, 02 Jun 2006 18:44:38 +0000

Please don’t make throwaway dismissals of WordPress policy without first informing yourself. Had you actually read the wp-hackers discussion on this, you’d have come across emails like one I sent:

http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005980.html

I’ll leave you with that thought.