Eliminate the need to manually do_action('pantheon_cache_nonce_lifetime') #305

Open
westonruter opened this issue Nov 7, 2024 · 1 comment

Comments


westonruter commented Nov 7, 2024

The plugin currently advises:

Nonces created on the front-end, often used to secure forms and other data, have a lifetime, and if the cache max age is longer than the nonce lifetime, the nonce may expire before the cache does. To avoid this, you can use the pantheon_cache_nonce_lifetime action to set the pantheon_cache_default_max_age to less than the nonce lifetime. For example:

do_action( 'pantheon_cache_nonce_lifetime' );

It's important to wrap your do_action in the appropriate conditionals to ensure that the action is only called when necessary and not filtering the cache max age in cases when it's not necessary. This might mean only running on certain pages or in certain contexts in your code.

However, is this manual call to do_action( 'pantheon_cache_nonce_lifetime' ) necessary?

Couldn't the plugin hook into whether the nonce_life filter is ever applied, which occurs when wp_create_nonce() is called? In other words, it would seem like this plugin should do something like the following instead of what filter_nonce_cache_lifetime() is doing:

add_filter(
	'nonce_life',
	static function ( $nonce_life ) {
		// Only front-end nonces matter here; is_admin() skips admin-side requests.
		if ( ! is_admin() ) {
			// Keep every cached copy at least an hour short of the nonce lifetime.
			add_filter(
				'pantheon_cache_default_max_age',
				static function ( $max_age ) use ( $nonce_life ) {
					return min( $max_age, $nonce_life - HOUR_IN_SECONDS );
				}
			);
		}
		return $nonce_life;
	},
	PHP_INT_MAX // run last, so the lifetime seen here is the final filtered value
);

This would ensure that themes and plugins which create nonces will automatically get their cache max-age reduced.

General question: How does the caching layer obtain the return value from the get_current_max_age() function? It doesn't seem to be getting sent back from any HTTP header. Or is it? Will a nonce created after headers are sent fail to reduce the pantheon_cache_default_max_age as required?
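The coupling proposed in the comment above, as an added stand-alone simulation (not the plugin's code and not WordPress core): add_filter(), apply_filters(), is_admin() and wp_create_nonce() are constructed stand-ins for the WordPress functions of the same name, and send_cache_header() stands in for the point at which the plugin reads its max-age and emits the caching header. The third scenario models the question about headers already being sent: a nonce created after the header went out cannot lower the advertised max-age.

```php
<?php
// Added example, not the plugin's code. Everything below is a constructed
// stand-in for the WordPress hook API and the plugin's header emission.
declare(strict_types=1);

const HOUR_IN_SECONDS = 3600;
const DAY_IN_SECONDS  = 86400;
const WEEK_IN_SECONDS = 604800;

$filters = [];   // hook name => priority => list of callbacks
$context = ['is_admin' => false, 'headers_sent' => false, 'header_max_age' => null];

function add_filter(string $hook, callable $cb, int $priority = 10): void {
    global $filters;
    $filters[$hook][$priority][] = $cb;
}

function apply_filters(string $hook, $value) {
    global $filters;
    if (empty($filters[$hook])) {
        return $value;
    }
    ksort($filters[$hook]);                       // lower priority runs first, as in WP
    foreach ($filters[$hook] as $callbacks) {
        foreach ($callbacks as $cb) {
            $value = $cb($value);
        }
    }
    return $value;
}

function is_admin(): bool {
    global $context;
    return $context['is_admin'];
}

// Like core, apply the 'nonce_life' filter before deriving the nonce tick.
function wp_create_nonce(string $action): string {
    $life = (int) apply_filters('nonce_life', DAY_IN_SECONDS);
    $tick = (int) ceil(time() / ($life / 2));
    return substr(hash_hmac('sha256', $tick . '|' . $action, 'constructed-secret'), -12, 10);
}

// The plugin side: the header goes out once, with whatever max-age the
// filter yields at that moment; later reductions are lost.
function send_cache_header(): void {
    global $context;
    if ($context['headers_sent']) {
        return;
    }
    $context['header_max_age'] = (int) apply_filters('pantheon_cache_default_max_age', WEEK_IN_SECONDS);
    $context['headers_sent']   = true;
}

// The hook proposed in the issue: any front-end nonce caps the cache
// max-age one hour below the nonce lifetime.
add_filter('nonce_life', static function (int $nonce_life): int {
    if (!is_admin()) {
        add_filter('pantheon_cache_default_max_age', static function (int $max_age) use ($nonce_life): int {
            return min($max_age, $nonce_life - HOUR_IN_SECONDS);
        });
    }
    return $nonce_life;
}, PHP_INT_MAX);

// Simulate one request and return the max-age that ended up in the header.
function run_request(bool $is_admin, bool $nonce_before_header): int {
    global $filters, $context;
    unset($filters['pantheon_cache_default_max_age']);   // fresh request, no cap yet
    $context = ['is_admin' => $is_admin, 'headers_sent' => false, 'header_max_age' => null];
    if ($nonce_before_header) {
        wp_create_nonce('comment_form');                 // e.g. while rendering a form
        send_cache_header();
    } else {
        send_cache_header();                             // header already emitted...
        wp_create_nonce('comment_form');                 // ...so this cap arrives too late
    }
    return $context['header_max_age'];
}

printf("front-end, nonce before header: max-age=%d\n", run_request(false, true));
printf("front-end, nonce after header:  max-age=%d\n", run_request(false, false));
printf("admin, nonce before header:     max-age=%d\n", run_request(true, true));
```

Run with php on the command line. The first request shows the proposed cap taking effect (DAY_IN_SECONDS minus one hour), the second shows the default week-long max-age surviving because the nonce was created after the header, and the third shows the is_admin() guard leaving admin requests alone.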

westonruter (Author) commented

Oh, I just saw #293 which essentially removed the nonce_life filter I'm proposing here (although it is slightly different).

I can see that nonces are getting created with every page load at the wp_default_scripts action, so that does complicate things. One workaround would be to ignore nonces created at the wp_default_scripts action, but then these nonces could still end up getting used.

Really what is needed is to detect whether any of the created nonces appear anywhere in the HTML response, and if so, reduce the max-age accordingly. But that is difficult to do because the return value of wp_create_nonce() is not filterable so we can't know what the created nonce will be. And for detecting whether the nonce is used in the page, then this would require an output buffer to wrap the entire page, which WordPress does not currently provide (although it can be done by the plugin). See Trac-43258.
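The whole-page output buffer the comment above says a plugin can set up itself, as an added example (not the plugin's code and not WordPress core). Since the nonce values are not available to a plugin, html_contains_nonce() is a constructed heuristic: it looks for the conventional places core puts a nonce into a page (a _wpnonce form field from wp_nonce_field(), a _wpnonce query argument from wp_nonce_url(), and a "nonce" member of a wp_localize_script() object such as wpApiSettings). The sample page and the nonce value in it are constructed.

```php
<?php
// Added example, not the plugin's code: decide the cache header only once
// the complete HTML is known, by wrapping the whole response in ob_start().
declare(strict_types=1);

const HOUR_IN_SECONDS = 3600;
const DAY_IN_SECONDS  = 86400;
const WEEK_IN_SECONDS = 604800;

// Constructed heuristic: does the rendered page carry a nonce a visitor will
// send back? WordPress nonces are 10 hex characters.
function html_contains_nonce(string $html): bool {
    $patterns = [
        '/name=["\']_wpnonce["\']/i',                  // wp_nonce_field()
        '/[?&](?:amp;)?_wpnonce=[0-9a-f]{10}\b/i',     // wp_nonce_url(), possibly HTML-escaped
        '/"nonce"\s*:\s*"[0-9a-f]{10}"/',              // wp_localize_script() objects, e.g. wpApiSettings
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $html) === 1) {
            return true;
        }
    }
    return false;
}

// Max-age to advertise: unchanged unless the page carries a nonce, in which
// case stay one hour under the nonce lifetime so no cached copy outlives it.
function decide_max_age(string $html, int $default_max_age = WEEK_IN_SECONDS, int $nonce_life = DAY_IN_SECONDS): int {
    if (!html_contains_nonce($html)) {
        return $default_max_age;
    }
    return min($default_max_age, $nonce_life - HOUR_IN_SECONDS);
}

// ob_start() callback: runs once with the complete page before anything is
// flushed, which is the last point at which a header can still be set.
function finish_response(string $html): string {
    if (!headers_sent()) {
        header('Cache-Control: public, max-age=' . decide_max_age($html));
    }
    return $html;
}

// In a plugin this ob_start() would sit on an early hook such as
// template_redirect; here a constructed page is rendered into it instead.
ob_start('finish_response');
echo "<!doctype html><title>Comments</title>\n";
echo "<form method=\"post\" action=\"/wp-comments-post.php\">\n";
echo "  <input type=\"hidden\" name=\"_wpnonce\" value=\"0123456789\">\n";   // constructed nonce
echo "</form>\n";
ob_end_flush();

// Show the decision for a page with and without a nonce.
printf("page with nonce field: max-age=%d\n", decide_max_age('<input name="_wpnonce">'));
printf("page without nonce:    max-age=%d\n", decide_max_age('<p>static</p>'));
```

Two caveats a practitioner should keep in mind: the heuristic misses nonces emitted under custom field or query names and nonces that only travel through JavaScript variables with other names, and the buffer has to be started before any other code writes output or sends headers, otherwise headers_sent() is already true inside the callback and the header cannot be changed.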
