Open westonruter opened 22 hours ago
Oh, I just saw https://github.com/pantheon-systems/pantheon-advanced-page-cache/pull/293 which essentially removed the nonce_life filter I'm proposing here (although it is slightly different).
I can see that nonces are getting created with every page load at the wp_default_scripts action, so that does complicate things. One workaround would be to ignore nonces created at the wp_default_scripts action, but then these nonces could still end up getting used.
Really what is needed is to detect whether any of the created nonces appear anywhere in the HTML response, and if so, reduce the max-age accordingly. But that is difficult to do because the return value of wp_create_nonce() is not filterable so we can't know what the created nonce will be. And for detecting whether the nonce is used in the page, then this would require an output buffer to wrap the entire page, which WordPress does not currently provide (although it can be done by the plugin). See Trac-43258.
The plugin currently advises:
However, is this manual call to do_action( 'pantheon_cache_nonce_lifetime' ) necessary? Couldn't the plugin hook into whether the nonce_life filter is ever applied, which occurs when wp_create_nonce() is called? In other words, it would seem like this plugin should do something like the following instead of what filter_nonce_cache_lifetime() is doing:
This would ensure that themes and plugins which create nonces will automatically get their cache max-age reduced.
General question: How does the caching layer obtain the return value from the get_current_max_age() function? It doesn't seem to be getting sent back from any HTTP header. Or is it? Will a nonce created after headers are sent fail to reduce the pantheon_cache_default_max_age as required?
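
A diagnostic for the timing questions raised above, as an added example that is not code from this issue or from the Pantheon plugin: a must-use plugin that logs every time the nonce_life filter runs, whether it ran during wp_default_scripts, and whether headers had already been sent. It assumes WordPress 6.1 or later (where nonce_life also receives the nonce action); the global name example_nonce_ticks is hypothetical.

```php
<?php
/**
 * Added diagnostic example, not part of Pantheon Advanced Page Cache.
 * Assumption: WordPress 6.1+, so nonce_life passes the nonce action as a
 * second argument. Drop into wp-content/mu-plugins/ on a test site.
 */

$GLOBALS['example_nonce_ticks'] = array(); // Hypothetical name for this example.

add_filter(
	'nonce_life',
	static function ( $lifetime, $action = -1 ) {
		// nonce_life is applied inside wp_nonce_tick(), which is called by both
		// wp_create_nonce() and wp_verify_nonce(), so verifications are logged too.
		$GLOBALS['example_nonce_ticks'][] = array(
			'action'          => is_scalar( $action ) ? (string) $action : gettype( $action ),
			'lifetime'        => (int) $lifetime,
			// Nonces created while core registers its default scripts.
			'default_scripts' => doing_action( 'wp_default_scripts' ),
			// True means it is too late to change any response header.
			'headers_sent'    => headers_sent(),
		);
		return $lifetime; // Observe only; never change the lifetime.
	},
	PHP_INT_MAX, // Run last so the recorded lifetime is the effective one.
	2
);

add_action(
	'shutdown',
	static function () {
		foreach ( $GLOBALS['example_nonce_ticks'] as $tick ) {
			error_log(
				sprintf(
					'nonce tick: action=%s lifetime=%ds default_scripts=%s headers_sent=%s',
					$tick['action'],
					$tick['lifetime'],
					$tick['default_scripts'] ? 'yes' : 'no',
					$tick['headers_sent'] ? 'yes' : 'no'
				)
			);
		}
	}
);
```

Entries logged with headers_sent=yes are the cases where a change to a Cache-Control header could no longer take effect for that response.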