equalizedigital / accessibility-checker

GNU General Public License v2.0

Use wp nonce methods rather than custom ones in the validate flow #581

Open pattonwebz opened 4 months ago

pattonwebz commented 4 months ago

The validation flow used a custom-generated short-lived nonce to get the HTML content of draft or pending pages.

An actual WP nonce can be used instead here, which is what this PR swaps over to use.

The custom nonce was needed because the request didn't have any user context, but we can give it the user context so the wp nonce validates by forwarding the cookies in the request. Since this flow can only happen through a logged-in user, that seems reasonable to me.

Closes: #580
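The mechanism the PR describes, as an added illustration that is not the accessibility-checker plugin's own code: a loopback request for a draft post's HTML that carries a real WordPress nonce and forwards the current user's cookies, plus the matching verification on the receiving side. All `ac_example_*` names and the `_ac_example_nonce` query argument are hypothetical.

```php
<?php
// Added example, not the plugin's code. Sender side: runs inside a request
// made by a logged-in user (e.g. an admin-ajax or REST handler).
function ac_example_fetch_draft_html( int $post_id ) {
    // A WP nonce is tied to the user ID and session token, so a cron/background
    // run with no user session cannot use this path; fail early instead.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'ac_no_user', 'A logged-in user session is required.' );
    }

    $url = add_query_arg(
        array(
            'preview'           => 'true',
            'p'                 => $post_id,
            '_ac_example_nonce' => wp_create_nonce( 'ac_example_fetch_' . $post_id ),
        ),
        home_url( '/' )
    );

    // Forward this request's cookies so the loopback request has the same user
    // context; WordPress wraps name => value pairs in WP_Http_Cookie objects.
    $response = wp_remote_get(
        $url,
        array(
            'cookies'   => $_COOKIE,
            'timeout'   => 30,
            'headers'   => array( 'Cache-Control' => 'no-cache' ),
            'sslverify' => apply_filters( 'https_local_ssl_verify', false ),
        )
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}

// Receiver side, hooked early on the same site (e.g. 'template_redirect').
function ac_example_verify_fetch_request() {
    if ( ! isset( $_GET['_ac_example_nonce'], $_GET['p'] ) ) {
        return; // Not one of our loopback requests.
    }
    $post_id = absint( $_GET['p'] );
    $nonce   = sanitize_text_field( wp_unslash( $_GET['_ac_example_nonce'] ) );
    // Rejects anonymous requests and nonces minted for another user or post.
    if ( ! wp_verify_nonce( $nonce, 'ac_example_fetch_' . $post_id )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
}
add_action( 'template_redirect', 'ac_example_verify_fetch_request' );
```

The explicit logged-in check and the `Cache-Control` header address the two failure modes a cookie-forwarding design has to expect: scheduled runs with no session, and intermediate caches that strip or ignore cookies.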

SteveJonesDev commented 3 months ago

We ran into some complex issues with cookies not always passing properly, maybe due to caching in some environments. Also, previously these scans could run on a schedule in the background, adding to the complexity of passing user cookies. I'm going to table this for now and we'll revisit it.