pantheon-systems / pantheon-advanced-page-cache

Plugin to make the most of Pantheon's Global CDN with advanced page caching options.
https://wordpress.org/plugins/pantheon-advanced-page-cache/
GNU General Public License v2.0
35 stars 13 forks source link

Eliminate the need to manually `do_action('pantheon_cache_nonce_lifetime')` #305

Open westonruter opened 3 weeks ago

westonruter commented 3 weeks ago

The plugin currently currently advises:

Nonces created on the front-end, often used to secure forms and other data, have a lifetime, and if the cache max age is longer than the nonce lifetime, the nonce may expire before the cache does. To avoid this, you can use the pantheon_cache_nonce_lifetime action to set the pantheon_cache_default_max_age to less than the nonce lifetime. For example:

do_action( 'pantheon_cache_nonce_lifetime' );

It's important to wrap your do_action in the appropriate conditionals to ensure that the action is only called when necessary and not filtering the cache max age in cases when it's not necessary. This might mean only running on certain pages or in certain contexts in your code.

However, is this manual call to do_action( 'pantheon_cache_nonce_lifetime' ) necessary?

Couldn't the plugin hook into whether the nonce_life filter is ever applied, which occurs when wp_create_nonce() is called? In other words, it would seem like this plugin should do something like the following instead of what filter_nonce_cache_lifetime() is doing:

add_filter( 
    'nonce_life', 
    static function ( $nonce_life ) {
        if ( ! is_admin() ) {
            add_filter( 
                'pantheon_cache_default_max_age', 
                static function ( $max_age ) use ( $nonce_life ) {
                    return min( $max_age, $nonce_life - HOUR_IN_SECONDS );
                } 
            );
        }
        return $nonce_life;
    }, 
    PHP_INT_MAX 
);

This would ensure that themes and plugins which create nonces will automatically get their cache max-age reduced.

General question: How does the caching layer obtain the return value from the get_current_max_age() function? It doesn't seem to be getting sent back from any HTTP header. Or is it? Will a nonce created after headers are sent fail to reduce the pantheon_cache_default_max_age as required?

westonruter commented 3 weeks ago

Oh, I just saw https://github.com/pantheon-systems/pantheon-advanced-page-cache/pull/293 which essentially removed the nonce_life filter I'm proposing here (although it is slightly different).

I can see that nonces are getting created with every page load at the wp_default_scripts action, so that does complicate things. One workaround would be to ignore nonces created at the wp_default_scripts action, but then these nonces could still end up getting used.

Really what is needed is to detect whether any of the created nonces appear anywhere in the HTML response, and if so, reduce the max-age accordingly. But that is difficult to do because the return value of wp_create_nonce() is not filterable so we can't know what the created nonce will be. And for detecting whether the nonce is used in the page, then this would require an output buffer to wrap the entire page, which WordPress does not currently provide (although it can be done by the plugin). See Trac-43258.