chrisblakley / Nebula

Nebula is a WordPress theme framework that focuses on enhancing development. The core features of Nebula make it a powerful tool for designing, developing, and analyzing WordPress websites consistently, yet its deliberately uncomplicated code syntax also serves as a learning resource for programmers themselves.
https://nebula.gearside.com
GNU General Public License v2.0

Nonce is being cached and causing problems after expiration #1563

Open chrisblakley opened 6 years ago

chrisblakley commented 6 years ago

I'm often not getting results from the autocomplete search and I'm suspecting that it may be due to service worker caching. Might need to add a rule to force admin-ajax requests from the network.

chrisblakley commented 6 years ago

This could be a separate issue from SW. I've added admin-ajax to the network list, but I still get a Permission Denied response, so I'm thinking it might be a nonce issue... Maybe it's still associated with the service worker: could the nonce itself be cached and therefore the ajax request could be sending an old nonce to the server?

chrisblakley commented 6 years ago

Nonces are valid for 24 hours, so this is likely only affecting returning users who search on subsequent visits. Still a pretty high priority issue, and I want to verify that it does not affect CF7 as well (because it could).

Still not sure how to avoid it, though. The nonce is generated on pageload and localized to the frontend where it gets cached by the service worker. I can't think of a way for the service worker to cache the page, but not that one bit of "text".

AJAXing to get a new nonce is not an acceptable solution here.

chrisblakley commented 6 years ago

Looks like CF7 could be problematic here. If a nonce fails on a contact form, it will trigger a spam invalidation: https://contactform7.com/faq/#I_get_an_error_message_with_an_orange_border_even_though_I_dont_use_Akismet

chrisblakley commented 6 years ago

Posted on Stack Exchange https://wordpress.stackexchange.com/questions/293087/localized-nonce-being-cached-by-service-worker-and-eventually-failing

I'm thinking I need to do one of the following:

  1. Not use nonces for non-logged-in users (which seems weird to me)
  2. Dump the cache of HTML files before 12 hours
    • Is it really not possible to check the age of individual files in the cache?
  3. Implement a different caching technique for HTML files.
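One way to act on options 2 and 3 above is to route requests in the service worker by type: nonce-bearing endpoints (admin-ajax, the REST API, any non-GET) never touch the cache, HTML documents are served network-first so the cached copy (and its localized nonce) is only used offline, and only static assets are cache-first. This is an added example, not Nebula's own service worker; the cache name, path list and file-extension heuristics are assumptions.

```javascript
// Added example (not Nebula's code): cache strategy per request type.
// Assumptions: cache name, the NETWORK_ONLY path list, and the HTML heuristics.
const CACHE_NAME = 'pages-v1';

// Endpoints that send or validate a nonce must always go to the network.
const NETWORK_ONLY = ['/wp-admin/admin-ajax.php', '/wp-json/'];

// Returns 'network-only', 'network-first' or 'cache-first' for a request.
function strategyFor(url, method = 'GET', mode = '') {
  const { pathname } = new URL(url);
  if (method !== 'GET') return 'network-only';
  if (NETWORK_ONLY.some((p) => pathname.startsWith(p))) return 'network-only';
  // Navigations and HTML/PHP documents: fresh copy first, cache only offline.
  const looksLikeHtml = pathname.endsWith('/') || pathname.endsWith('.html') || pathname.endsWith('.php');
  if (mode === 'navigate' || looksLikeHtml) return 'network-first';
  return 'cache-first';
}

async function networkFirst(request) {
  const cache = await caches.open(CACHE_NAME);
  try {
    const response = await fetch(request);
    if (response.ok) cache.put(request, response.clone());
    return response;
  } catch (err) {
    const cached = await cache.match(request); // offline fallback only
    if (cached) return cached;
    throw err;
  }
}

async function cacheFirst(request) {
  const cache = await caches.open(CACHE_NAME);
  const cached = await cache.match(request);
  if (cached) return cached;
  const response = await fetch(request);
  if (response.ok) cache.put(request, response.clone());
  return response;
}

// Only register the handler when actually running inside a service worker.
if (typeof self !== 'undefined' && 'ServiceWorkerGlobalScope' in self) {
  self.addEventListener('fetch', (event) => {
    const { request } = event;
    const strategy = strategyFor(request.url, request.method, request.mode);
    if (strategy === 'network-only') return; // not calling respondWith = plain network fetch
    event.respondWith(strategy === 'network-first' ? networkFirst(request) : cacheFirst(request));
  });
}
```

This keeps the page itself cacheable while guaranteeing the nonce check on the server never sees a request that the service worker answered from cache; a stale nonce can still arrive from a cached page served offline, so the server-side handler should still fail closed.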

chrisblakley commented 6 years ago

CF7 only uses a nonce for logged-in users. Still a concern here, but it's less severe than what I thought.

chrisblakley commented 6 years ago

This may have been caused by a completely unrelated issue with the autocomplete search (undefined variable). Keep an eye on this and if it doesn't happen again I'll close this.

chrisblakley commented 6 years ago

It's not just the service worker that is caching the nonce. If the browser itself (or anything else) caches the page itself, the nonce will be cached too and fail.

Note: the service worker is still involved with this issue, though.

chrisblakley commented 6 years ago

I updated the bundled Nebula htaccess file so that HTML (and PHP) files only get cached for 10 hours, but since this problem happened when not using an htaccess file, I'd like to continue to look into it.

I'm curious what Google Page Speed thinks of this less than 7 day cache time for HTML pages now...

chrisblakley commented 5 years ago

This also affects functionality like the autocomplete search.

Smashing Magazine recommends increasing the nonce lifespan to 3 months:

        // Extend the nonce lifetime from the default 24 hours to 90 days
        add_filter('nonce_life', 'sw_nonce_life');
        function sw_nonce_life($nonce_life) {
            return 90*DAY_IN_SECONDS;
        }

chrisblakley commented 5 years ago

Just a quick note that I'm reducing the dependency on AJAX (and therefore nonces) by using the WP REST API when possible.