-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mixed http/https access to admin can cause infinite loop of nonce checks #36118
Comments
Thanks for reporting; I'm not able to reproduce this; when I hit step 2 of http://testsite.test ; I am automatically redirected to https://wp.test/wp-admin/ and am already logged in. (In chrome, I use vvv which has self-signed SSL certs) This may depend on your local environment; what are you using? |
Yes, this would be environment-dependent. The server would have to be configured to not automatically redirect http requests to https. Mine does not redirect http → https. I just tested again in a new environment with a fresh installation of WordPress (5.9.1) and am still able to replicate using the instructions I wrote above. |
I think this problem is slightly broader than just http/https redirect issues, but anytime that a JSON API endpoint returns a 403 error, the request is retried until it gets a successful response. In most cases, that's probably unlikely and so it get stuck in an infinite loop. I just encountered this because our instance forces WordPress into a read-only mode (we force read-only database credentials) for certain JSON API request paths that are publicly accessible as a precaution. In that mode, WordPress cannot perform cookie or nonce auth and returns a 403 when auth is even attempted (which the editor does automatically for JSON API requests). Specifically, after the WordPress 5.9 update the editor makes a call to the base JSON API route which in our case we force to be read-only and it triggers the endless issue. It seems that the API fetch utils aren't fully aware of error states and in at least some cases end up in an infinite hole of retries if an error is returned (at least in the case of 403 errors, I haven't worked to prove other cases). In most cases that error is probably final and the result won't change from one second to the next and the API code should handle that accordingly. |
Created a PR with possible fix #67812. |
Description
Gutenberg can find itself in an infinite loop of REST requests due to an invalid nonce if a user uses their site over https but at some point happens to load up the login screen over http. This happened to me in a local environment where I don't force https traffic but have a cert available. I inadvertently navigated to the http address, realized my mistake and re-navigated to the https address, and when I created a post in Gutenberg it was unusable.
Step-by-step reproduction instructions
https://wp.test/wp-admin/
.http://
variant of wp-admin, e.g.http://wp.test/wp-admin/
. You will get the login screen but don't sign in.https://wp.test/wp-admin/
https://wp.test/wp-admin/post-new.php
Screenshots, screen recording, code snippet
to-infinity-and-beyond.mp4
Environment info
Please confirm that you have searched existing issues in the repo.
Yes
Please confirm that you have tested with all plugins deactivated except Gutenberg.
Yes
The text was updated successfully, but these errors were encountered: