Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revise the use of nonces in requests to store a URL Metric and block cross-origin requests #1637

Merged
merged 8 commits into from
Nov 13, 2024

Conversation

westonruter
Copy link
Member

This is the first PR to address #1496.

  1. Eliminate the use of the wp_rest nonce when making POST requests to store a URL Metric. Since the endpoint does not require authentication, the nonce adds no value.
  2. Add enforcement of the Origin request header so that it must match home_url() in order for the URL Metric storage POST request to be accepted. The WordPress REST API by default allows for cross-origin requests, but this makes no sense specifically for storing a URL Metric since the client must by definition be on the frontend of the site.
  3. Eliminate the use of wp_create_nonce() to compute the HMAC to validate that the provided query-vars slug actually corresponds to the provided url in the request (that is, the URL of the current page). There is no need to use wp_create_nonce() here, since there does not need to be an expiration and it does not need to be tied to the current logged-in user.

By eliminating the use of nonces, clients will not have issues when submitting a URL Metric for storage when a page cache is holding onto the rendered page for longer than a day.

@westonruter westonruter added [Type] Bug An existing feature is broken [Plugin] Optimization Detective Issues for the Optimization Detective plugin labels Nov 8, 2024
Copy link

github-actions bot commented Nov 8, 2024

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: westonruter <[email protected]>
Co-authored-by: felixarntz <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@westonruter westonruter changed the title Fix/od with page caching Revise the use of nonces in requests to store a URL Metric and block cross-origin requests Nov 8, 2024
@westonruter westonruter force-pushed the fix/od-with-page-caching branch from 5f64507 to 68c8fc5 Compare November 10, 2024 01:10
Copy link
Member

@felixarntz felixarntz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@westonruter This looks great! Just some minor feedback, which would be good to address, but no blockers.

Comment on lines 148 to 149
* @since 0.1.0
* @since n.e.x.t Renamed from od_get_url_metrics_storage_nonce().
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to consider this an entirely new function. I would argue it wasn't "just" renamed, the purpose was also changed as it now returns a different kind of value.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. Done in 9d6e807

Comment on lines 168 to 169
* @since 0.1.0
* @since n.e.x.t Renamed from od_verify_url_metrics_storage_nonce().
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See above, I'd prefer we consider this a new function.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. Done in 9d6e807

* @param string $origin Origin to check.
* @return bool Whether the origin is allowed.
*/
function od_is_allowed_http_origin( string $origin ): bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why can't we use is_allowed_http_origin() directly instead of this function?

If it's just about the port support, I'd say that's an edge case so then I think we should at least use the original function anytime there's no port, and the custom logic only if there is one.

I'd also say we could simplify it: If there is a port in the passed $origin, simply remove it for the comparison and call is_allowed_http_origin() with that. It's not really that important to validate that the port also matches IMO, especially because of how much of an edge case that is.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, unit tests run the home being localhost:8889 so it's not an edge case from that perspective.

I've gone ahead and just stripped out the port number in 545f0c3.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, I think that simplifies the implementation, and validating the same port number is probably not super important (for localhost sites there's probably not too much of a security implication anyway).

@westonruter westonruter merged commit e99b5b2 into trunk Nov 13, 2024
17 checks passed
@westonruter westonruter deleted the fix/od-with-page-caching branch November 13, 2024 04:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
[Plugin] Optimization Detective Issues for the Optimization Detective plugin [Type] Bug An existing feature is broken
Projects
Status: Done 😃
Development

Successfully merging this pull request may close these issues.

2 participants