WordPress / gutenberg

The Block Editor project for WordPress and beyond. Plugin is available from the official repository.
https://wordpress.org/gutenberg/

API Fetch: Avoid adding nonce if not assured to be requesting a WordPress resource #13491

Open aduth opened 5 years ago

aduth commented 5 years ago

Related: https://github.com/Automattic/wp-calypso/pull/30332#issuecomment-456758921

There's no reason @wordpress/api-fetch can't or shouldn't be used to fetch resources outside of WordPress, as out-of-the-box it serves as a minimal wrapper for the browser fetch API.

This still holds true even when configured to use the nonce middleware. If the requested resource can be determined to not be from a WordPress site, the nonce should not be attached.

Implementation-wise, there may be a challenge here in configuring that the nonce middleware should only apply to specific URLs, which could as well be impacted separately by the createRootURLMiddleware.

Possible implementations:

adamziel commented 3 years ago

What about multi-site (or, specifically, sub-directory sites where the hostname may be the same across multiple sites in a network)?

Consider /all-sites/site-1 vs /site-1 vs /sites/group-1/site-1 - how would the algorithm infer which one is the site root? I don't think it's possible to address this automatically and in a general way as the path simply does not contain enough information.

What could be done though is checking if the requested URL starts with site_url. It wouldn't cover all possibilities (e.g. /site-1/site-2), but should cover most use cases. I proposed a fix in https://github.com/WordPress/gutenberg/pull/24623 that does just that.
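The "only attach the nonce when the request URL starts with the site URL" approach discussed in this thread, written out as an added example (this is not code from @wordpress/api-fetch or from the linked PR; the helper names `isSameSiteUrl` and `createScopedNonceMiddleware` and the sample site URL are assumptions). It keeps the nonce off third-party origins, scheme-relative URLs and sibling sub-directory sites, and it compares paths on directory boundaries so `/site-10` is not mistaken for `/site-1`:

```javascript
// Added example, not the library's own middleware. Decide whether a request URL
// belongs to the configured site root (same origin, path under the site path).
function isSameSiteUrl(siteUrl, requestUrl) {
  let base, target;
  try {
    base = new URL(siteUrl);
    // Relative paths resolve against the site root; '//host/x' becomes another origin.
    target = new URL(requestUrl, base);
  } catch (e) {
    return false; // unparsable input: never attach the nonce
  }
  if (target.origin !== base.origin) return false;
  // Compare on directory boundaries: '/site-1/' must not match '/site-10/...'.
  const basePath = base.pathname.replace(/\/+$/, '') + '/';
  const targetPath = target.pathname.endsWith('/') ? target.pathname : target.pathname + '/';
  return targetPath.startsWith(basePath);
}

// api-fetch style middleware: (options, next) => next(options).
// Assumption: requests given only as a REST-root-relative `path` (no `url`) are
// resolved against the site's own REST root by the root URL middleware, so they
// are treated as site-local here.
function createScopedNonceMiddleware(siteUrl, nonce) {
  return (options, next) => {
    const { url, headers = {} } = options;
    if (url !== undefined && !isSameSiteUrl(siteUrl, url)) {
      return next(options); // foreign resource: pass through without a nonce
    }
    // Do not clobber a nonce the caller set explicitly.
    if (Object.keys(headers).some((k) => k.toLowerCase() === 'x-wp-nonce')) {
      return next(options);
    }
    return next({ ...options, headers: { ...headers, 'X-WP-Nonce': nonce } });
  };
}
```
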