WordPress.org

Support

Support » Plugins and Hacks » WP-Polls » [Resolved] nonce check fails on vote when using ssl for wp-admin and logged in users

[Resolved] nonce check fails on vote when using ssl for wp-admin and logged in users

  • Have a wordpress setup with:

    define( ‘FORCE_SSL_LOGIN’, true);
    define( ‘FORCE_SSL_ADMIN’, true);

    set and a user who had a blog which requires users to login and had wp-poll setup. User noticed that attempts to vote were throwing ‘Failed To Verify Referrer’ unless the user explicitly went to a full SSL version of the blog.

    Did some spelunking and it looks like what’s happening is that the wordpress cookie identifying who is logged in is not being passed in the AJAX call because of Same-Origin enforcement of authentication credentials by the browser (since the page/origin is http but the ajax call back is https). The nonce when the poll is rendered is generated with the logged in user, so without the cookie identifying the user the subsequent nonce validation fails.

    Luckily, there’s a simple enough fix – adding the following “xhrFields: {withCredentials: true}” to the relevant jQuery.ajax post fixes the issue – wordpress already sends the relevant Access-Control-Allow-Credentials header so browsers just need to be given permission to pass authentication information like cookies in the ajax call. I made a local patch with the change above and things are running fine, but it’d be nice to get this upstream.

    Hope I described the issue well (it’s pretty edge case, I’d imagine); please let me know if you need further details!

    https://wordpress.org/plugins/wp-polls/

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘[Resolved] nonce check fails on vote when using ssl for wp-admin and logged in users’ is closed to new replies.
Skip to toolbar