Open aduth opened 5 years ago
What about multi-site (or, specifically, sub-directory sites where hostname may be the same across multiple sites in a network)
Consider /all-sites/site-1 vs /site-1 vs /sites/group-1/site-1 - how would the algorithm infer which one is the site root? I don't think it's possible to address this automatically and in a general way as the path simply does not contain enough information.
What could be done though is checking if the requested URL starts with site_url. It wouldn't cover all possibilities (e.g. /site-1/site-2), but should cover most use-cases. I proposed a fix in https://github.com/WordPress/gutenberg/pull/24623 that does just that.
Related: https://github.com/Automattic/wp-calypso/pull/30332#issuecomment-456758921
There's no reason @wordpress/api-fetch can't or shouldn't be used to fetch resources outside of WordPress, as out-of-the-box it serves as a minimal wrapper for the browser fetch API.
This still holds true even when configured to use the nonce middleware. If the requested resource can be determined to not be from a WordPress site, the nonce should not be attached.
Implementation-wise, there may be a challenge here in configuring that the nonce middleware should only apply to specific URLs, which could as well be impacted separately by the createRootURLMiddleware.
Possible implementations:
/wp-json/
createNonceMiddleware a callback which, given a URL or the full request options object, returns true or false corresponding to whether the nonce should be added
createNonceMiddleware a hostname string for which the nonces are valid.
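The site_url prefix check from the comment, combined with the "should the nonce be added" decision from the issue, as an added example that is not code from @wordpress/api-fetch or from the linked pull request. The names isSameSiteUrl and createScopedNonceMiddleware and the example.test URLs are hypothetical; the (options, next) middleware shape and the X-WP-Nonce header are the ones api-fetch uses.

```javascript
// Added example: hypothetical helpers, not the @wordpress/api-fetch implementation.
// siteUrl is assumed to be this site's site_url with no query string or fragment.
function isSameSiteUrl(requestUrl, siteUrl) {
  let site, target;
  try {
    // Force a trailing slash so relative URLs resolve below the site root.
    site = new URL(siteUrl.replace(/\/?$/, '/'));
    target = new URL(requestUrl, site);
  } catch (e) {
    return false; // Unparseable URL: never send the nonce.
  }
  // Origin comparison covers scheme, host and port, and is immune to
  // look-alike strings such as "https://example.test@other.test/".
  if (target.origin !== site.origin) return false;
  // Compare on path-segment boundaries so /site-1 does not match /site-10.
  // The URL parser has already collapsed any "../" segments.
  const path = target.pathname.endsWith('/')
    ? target.pathname
    : target.pathname + '/';
  return path.startsWith(site.pathname);
}

function createScopedNonceMiddleware(nonce, siteUrl) {
  return function (options, next) {
    const { url, headers = {} } = options;
    // Assumption: a request given only as a REST `path` targets this site.
    const sameSite = url === undefined || isSameSiteUrl(url, siteUrl);
    // Do not overwrite a nonce header the caller set explicitly.
    const hasNonce = Object.keys(headers).some(
      (name) => name.toLowerCase() === 'x-wp-nonce'
    );
    if (!sameSite || hasNonce) return next(options);
    return next({ ...options, headers: { ...headers, 'X-WP-Nonce': nonce } });
  };
}

// Constructed sample values for a sub-directory site.
const SITE = 'https://example.test/site-1';
const mw = createScopedNonceMiddleware('abc123', SITE);
const passThrough = (options) => options;
console.log(mw({ url: 'https://api.example.org/data' }, passThrough));
console.log(mw({ url: SITE + '/wp-json/wp/v2/posts' }, passThrough));
```

As the comment points out, a prefix check cannot tell a nested site such as /site-1/site-2 from a path inside /site-1, so this version still treats that case as same-site.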