Using nonces in GET requests is a minor concern, since it leaks the nonce in proxy logs and browser history. Although WordPress's nonce system is designed to be robust against this, it is still probably best to avoid using nonces in GET requests whenever possible, especially for more sensitive transactions. So possibly we should consider flagging all uses of wp_nonce_url(), since that function adds a nonce to a URL as a GET parameter. Such code should be changed to supply the nonce via a POST request instead.
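One way such a flag could work, as an added example that is not part of the original post or any project's code: a small Python scanner that reports calls to wp_nonce_url() in PHP source while ignoring mentions inside comments and string literals. The function name `find_wp_nonce_url_calls`, the simplified lexing rules and the sample PHP are assumptions made for illustration.

```python
import re

# Simplified PHP lexing (assumption): comments and quoted strings are skipped so
# mentions inside them are not reported; heredocs and inline HTML are not handled.
TOKEN = re.compile(r"""
    (?P<skip>
        //[^\n]*                # line comment
      | \#(?!\[)[^\n]*          # hash comment, but not a PHP 8 #[Attribute]
      | /\*.*?\*/               # block comment
      | '(?:\\.|[^'\\])*'       # single-quoted string
      | "(?:\\.|[^"\\])*"       # double-quoted string
    )
  | (?P<call>(?<![\w$>:])wp_nonce_url\s*\()   # bare call, not ->method, ::static or $var
""", re.VERBOSE | re.DOTALL | re.IGNORECASE)


def find_wp_nonce_url_calls(php_source):
    """Return (line_number, source_line) for each wp_nonce_url() call found."""
    lines = php_source.split("\n")
    hits = []
    for m in TOKEN.finditer(php_source):
        if m.group("call") is None:
            continue  # matched a comment or string literal: nothing to report
        # A declaration such as `function wp_nonce_url(` is not a call.
        if re.search(r"\bfunction\s+&?\s*$", php_source[:m.start()], re.IGNORECASE):
            continue
        line_no = php_source.count("\n", 0, m.start()) + 1
        hits.append((line_no, lines[line_no - 1].strip()))
    return hits


# Constructed sample input, not taken from any real plugin or theme.
SAMPLE = r'''<?php
// wp_nonce_url( $old ) was used here before
$msg = 'call wp_nonce_url() for links';
$url = wp_nonce_url( admin_url( 'post.php?action=trash&post=' . $id ), 'trash-post_' . $id );
$obj->wp_nonce_url( $x );
/* block comment
   wp_nonce_url( $y );
*/
echo '<a href="' . esc_url( \wp_nonce_url( $link, 'demo_action' ) ) . '">Delete</a>';
'''

if __name__ == "__main__":
    for line_no, text in find_wp_nonce_url_calls(SAMPLE):
        print(f"line {line_no}: nonce placed in GET URL: {text}")
```

Each reported line is a candidate for moving the action behind a form that submits the nonce via POST.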